CEIO Bug Program and Policy

We are now publicly launching our Bug Bounty Program through the CEX.IO platform to continue to improve the security of our products and services.


  • Computer Fraud and Abuse Act:

CEX.IO undertakes not to initiate legal proceedings for security research conducted in accordance with all Bug Bounty Program policies, accidental violations if the investigator fully complies with this Policy.

We will not make a claim against researchers for avoiding the technological measures we have used to protect the applications in the scope of the Bug Bounty Program

Please submit an appropriately constituted report before engaging in conduct that may be inconsistent with or unheard of.

This report should include a brief description of your intended behavior so that we can determine if it is consistent with Bug Bounty Program policy

Any information you receive or collect about us, our affiliates, or any of our users, employees in connection with the Bug Bounty Program (“Confidential Information”) must be kept confidential and used in connection with the Bug Bounty Program only.

You may not use, disclose, or distribute any such Confidential Information, including without limitation any information about your Submission, without our prior written consent. In order to protect the Confidential Information you must use all reasonable precautions required to protect such information, and you must keep the Confidential Information, including documents and copies thereof, which include Confidential Information, in a way that prevents unauthorized access to third parties.

You have to email the email address [email protected] with the relevant topic to report vulnerability information for us.

CEX.IO does not grant (implicit or explicit) permission / authorization to an individual or group of individuals to (1) remove personal information or CEX.IO user content or publicize this information on the open internet that n facing the public without CEX Consent .IO or (2) modifies or corrupts data belonging to CEX.IO for the purpose of publicly extracting and disclosing CEX.IO related data.

CEX.IO (or its licensors) owns all Confidential Information only and unauthorized disclosure or use of such Confidential Information may cause irreparable harm and significant injury, the extent of which may be difficult to ascertain. Accordingly, we shall have the right to pursue an immediate injunction relating to any breach of these provisions, as well as the right to pursue any other rights and remedies that are available in return the law or equity for such infringement including indemnity.

If you do not protect the Confidential Information specified herein, and in the event that the Confidential Information is discovered to have been disclosed and / or misused, including, but not limited to, posting materials publicly (including on social media) with Confidential Information, content that includes false and / or disrespectful goodwill. , you will have to pay a fine in the amount of USD 100 000 (one hundred thousand) to be accrued in addition to any damages incurred.

Notwithstanding the end of the term of your Submission or closure of the matter in respect of repair and remuneration, the provisions relating to Confidential Information shall survive for ten (10) years after receipt of the Confidential Information and, in relation to Confidential Information, a trade secret , as long as such Confidential Information remains a trade secret.

  1. Do not access the personal information of a customer or employee. If you accidentally access any of these, stop testing and reporting the vulnerability.
  2. Stop testing and reporting the issue immediately if you have access to any non-public application or qualifications.
  3. Do not interfere with production systems, data during security testing.
  4. Send an email to the address [email protected] with the relevant topic to alert us to vulnerability information.
  5. Only gather the information necessary to show the vulnerability.
  6. Submit any necessary screenshots, screen captures, network applications, reproduction steps, or similar to the email address [email protected] (do not use third party file sharing websites).
  7. When researching vulnerability, only target your own account and do not attempt to do so
  8. You may not exploit security vulnerabilities in any other way than is prescribed in this Policy.
  9. Only the first validated vulnerability report can receive the award.

To help streamline our admissions process, we ask that submissions include:

  1. Vulnerability Types and Vulnerability Description
  2. Steps to reproduce the vulnerability
  3. Proof of use (eg any necessary screenshots, screen captures, network applications,)
  4. Probability of Vulnerability Exploitation
  5. List of URLs and payload parameters affected
  6. Other additional payloads, Evidence of Vulnerability, Solutions
  7. Browser version, OS version and / or app used for testing

Note: Failure to comply with these requirements or provide intentionally false information may result in inability to obtain a bounty and / or remove it from the program.

The following issues are outside the scope of our vulnerability rewards program:

Denial of Service (DoS / DDoS) vulnerabilities.
Low severity issues.
Cross-site Application Forgery (CSRF) with minimal security implications.
Missing cookie flags on non-security-sensitive cookies.
UI and UX bugs.
Open ports without proof-of-concept showing vulnerability.
Uncover robots.txt file
Email Spoofing (SPF Configurations)
Attacks that require physical access to a user’s device
Social engineering of CEX.IO staff or contractors

If you have found a security issue that directly affects cryptocurrency and / or its components (eg blockchain, node, wallet), make sure you report it directly to the appropriate project team.

By making a Submission, you grant us the right to use your Submission for any purpose.

We may modify the Program Terms or cancel the Bug Bounty Program at any time.

CEX.IO may, in its absolute discretion, provide rewards for qualified vulnerability reporters.

Remote code execution Command injection $ 20,160 $ 10,080
Injection SQLi $ 12,460 $ 6,230
Broken Authentication and Session Management Activities on behalf of a user $ 7,700 $ 3,850
Administrative functionality Access to internal Twitter applications $ 12,460 $ 6,230
Possession of accounts Weaknesses of OAuth $ 7,700 $ 3,850
Other valid weaknesses Information leaks, XSS $ 280 – $ 2,940 $ 140 – $ 1,470