[Announcement] Bithumb Global’s Bug Bounty Programme is LIVE!

According to a study at the University of Maryland, there is a hacker attack every 39 seconds on average, affecting one in three Americans every year.

What makes it worse is that more than 77% of organizations do not have a Cyber Security Incident Response plan, when an estimated 54% of these companies have experienced one or more attacks in the last 12 months.

These facts make Cybercrime the greatest threat in the world. Today, hackers are not only targeting corporations, banks or wealthy celebrities but also individual users like you and me.

Therefore, as long as you’re connected to the Internet, you are a potential victim of cyberattacks. 

By identifying these core issues and concerns, Bithumb Global has collaborated with SlowMist Zone, a company focused on blockchain ecosystem security, to launch a Bug Bounty program to increase awareness about security vulnerabilities and cyber attacks.

Being the top three most secure crypto exchange by Cybersecurity rating, Bithumb Global truly understands the havocs that cybercrimes can cause and thus wants to encourage participants from across the globe to participate in the "Bug Bounty Program" and win a maximum reward of up to 10,000 USDT!

How Can You Participate in the Bithumb.pro Bug Bounty Program?

Being the second most secure Crypto Exchange with cybersecurity score of 9.81 along with verified penetration test and proof of funds, Bithumb Global wants to recognize every security vulnerability and threat to be the most reliable and secure Crypto Exchange.

To achieve this goal we have entered the SlowMist Zone with our Bug Bounty program. To participate in this program and report a vulnerability, the reporter needs to visit the "SlowMist Zone" website and submit a threat intelligence which will be reviewed by the SlowMist Security Team. 

What happens after you Report a Vulnerability?

The whole program follows three steps. The first step is the “Reporting Stage” where a reporter will submit a threat intelligence on the SlowMist. This stage is followed by the “Processing Stage” where the SlowMist Security Team will confirm the threat intelligence report from the "SlowMist Zone" within one working day and mark the status of the threat as ‘to be reviewed’.

SlowMist team will also follow up, evaluate the problem, and feed the intelligence back to the Bithumb Global contact person during this time.

Once this is done,  the Bithumb Global technical team will deal with the problem, draw conclusions and record points, such as whether the vulnerability is confirmed or ignored and mark the report status accordingly.

In case it is needed, the Bithumb Global technical team will also communicate with the reporter, and ask the reporter for assistance. This will mark the end of the second stage for the reported vulnerability. 

The last stage is the “Reporting Stage” where the Bithumb Global business department shall repair the security problems in the threat intelligence and update the status online as repaired.

The timeframe for repairing depends on the severity of the problem and the complexity of the repair.

In general, the team repairs the critical and high-risk problems within 24 hours, medium-risk problems are catered to within 3 working days, and the low-risk problems are taken care of within 7 working days. 

The reporter then confirms whether the security problem has been repaired or not. Once verified of the repair, the Bithumb Global technical team will inform the SlowMist Security Team of the conclusion and the vulnerability score.

They will also issue rewards with the SlowMist Security Team and mark the status of threat report as completed.

Classification of Vulnerability Level and Reward Standards

The vulnerabilities are divided into 4 different levels with a maximum reward up to 10000 USDT. The final award for every submission depends on the severity of the vulnerability and the true impact of the vulnerability. 

Critical Vulnerabilities: These are the vulnerabilities that occur in the core business system (the core control system, field control, business distribution system, fortress machine and other control systems that can manage a large number of systems). 

These vulnerabilities can cause a severe impact, gain business system control access (depending on the actual situation), gain core system management staff access, and even control the core system.

Reporting Critical vulnerabilities is most important for Bithumb Global and most rewarding for reporters.

By reporting a critical vulnerability, you can earn Bithumb Global Rewards worth 2500 ~ 10000 USDT and SlowMist Zone Reward worth 512 SLOWMISTs.

These include but are not limited to: 

• Multiple devices access in the internal network.
• Gain core backend super administrator access, leak enterprise core data and cause a severe impact.
• Smart contract overflow and conditional competition vulnerability.

High-risk Vulnerabilities: When reporting a high-risk vulnerability, you have a chance to grab Bithumb Global Rewards worth 300 ~ 2500 USDT and SlowMist Zone Reward of 256 SLOWMISTs.

The vulnerabilities classified as high-risk are the following:

• Gain system access (get shell, command execution, etc.)
• System SQL injection (backend vulnerability degradation, prioritization of package submission as appropriate).
• Gain unauthorized access to the sensitive information, including but not limited to, the direct access to the management background by bypassing authentication, brute force attackable backend passwords, and to obtain SSRF of sensitive information in the internal network, etc.).
• Arbitrarily document reading.
• XXE vulnerability that can access any information.
• The unauthorized operation that involves money, payment logic bypassing (need to be successfully utilized).
• Serious logical design defects and process defects. This includes but is not limited to any user log-in vulnerability, the vulnerability of batch account password modification, logic vulnerability involving enterprise core business, etc., except for verification code explosion.
• Other vulnerabilities that affect users on a large scale. This includes but is not limited to the storage XSS that can be automatically propagated on the important pages, and the storage XSS that can access administrator authentication information and can be successfully utilized.
• Leakage of a lot of source code and permission control defects in the smart contract.

Medium-risk Vulnerabilities: When you report a medium-risk vulnerability, you are rewarded with 100 ~ 300 USDT of Bithumb Global Reward and 100 SLOWMIST of SlowMist Zone Reward.

These include the following vulnerabilities:

• The vulnerability that can affect users by the interaction part. It includes but is not limited to the storage XSS on general pages, CSRF involving core business, etc
• General unauthorized operation. It includes but is not limited to modify user data and perform user operation by bypassing restrictions
• Denial-of-service vulnerabilities. It includes but is not limited to the remote denial-of-service vulnerabilities caused by denial-of-service of web applications
• The vulnerabilities caused by a successful explosion with the system sensitive operation, such as any account login and password access, etc. due to verification code logic defects
• The leakage of locally-stored sensitive authentication key information, which needs to be able to use effectively.

Low-risk Vulnerabilities: For reporting a low-risk vulnerability, the reporter is rewarded with Bithumb Global reward worth 10 ~ 100 USDT and SlowMist Zone Reward of 32 SLOWMIST.

These vulnerabilities include: 

• Local denial-of-service vulnerabilities. It includes but is not limited to the client local denial-of-service (parsing file formats, crashes generated by network protocols), problems that are caused by Android component permission exposure, general application access, etc.
• General information leakage. This includes but is not limited to Web path traversal, system path traversal, directory browsing, etc
• Reflective type XSS (including DOM XSS/Flash XSS)
• General CSRF
• URL skip vulnerability
• SMS bombs, mail bombs (each system only accepts one type of vulnerability).
• Other vulnerabilities that are less harmful and cannot be proven to be harmful (such as CORS vulnerability that cannot access sensitive information)
• No return value and no in-depth utilization of successful SSRF.

Vulnerabilities not Accepted at the Moment: Some of the discovered vulnerabilities belonging to the below-stated categories are temporarily not included in the bounty scope, except for those that can cause serious business impact (it needs to be verified by the Bithumb Global team).

• Third-party application vulnerabilities.
• Zero-day vulnerabilities in recent (30 days).
• Low version browsers/platforms/plugins, etc. cause users to be affected.
• Theoretical risk vulnerabilities.
• Certificate/TLS/SSL related vulnerabilities.
• DNS related issues, such as MX records, SPF records, etc..
• Server configuration problems, such as open ports, TLS configuration, etc. cannot be actually used.
• Account blasting.
• Missing HTTP security headers.
• OPTIONS/TRACE HTTP method enabled.

Bithumb Global Bounty Program Rules

To make the Bug Bounty Programme fair, Bithumb Global team has laid down some ground rules to which every reporter must adhere to. These rules are listed below:

It is forbidden to use web/port automatic scanners and other behaviours that may cause a large number of traffic requests. Network terminals and abnormal service access caused by these behaviours will be handled in accordance with relevant laws and regulations;

Avoid possible impacts or restrictions including but not limited to the availability of business, products, architecture, etc.;

All vulnerability tests should clearly use their own accounts, and avoid obtaining other user accounts in any form for testing/intrusion operations;

It is forbidden to abuse of Dos/DDoS vulnerabilities, social engineering attacks, spam, phishing attacks, etc.;

For combined exploitable vulnerabilities, we will only pay for the highest level of vulnerabilities.

Without permission from Bithumb Global, it is forbidden to disclose the details of any discovered vulnerabilities.

It is your time to contribute towards a safer Crypto economy. Join Bithumb Global’s Security-vulnerabilities and Threat-intelligence Bounty Programme to Help us build the most reliable and secure crypto exchange and earn rewards for your efforts.

For more information visit:https://slowmist.io/en/bithumb-global/