Bug Bounty Program

Version 1.0.0 from 2021-02-12

This program is ONLY related to the security issues of cryptocurrencies listed at STEX and their components.
If you find a security issue that directly affects any of the cryptocurrencies listed at STEX and/or their components (e.g. blockchain, wallet, node), please report the issue directly to STEX according to this program.

In Scope
Domain           Type
www.stex.com     WEB
app.stex.com     WEB
api3.stex.com    API

Out of Scope
Domain           Type
help.stex.com    WEB
*.stex.com       WEB

Vulnerability risk level and rewards:
Level     Reward
High      $1,000+
Medium    $300-500
Low       $50-200

Vulnerabilities classification:
High Level Vulnerabilities:
  • SQL injection
  • Authentication bypass (except when the user is logged in with an email confirmation link)
  • Remote Code Execution
  • Gain system access (getshell, command execution, etc.)
  • Leakage of sensitive information (orders, trading info, etc.)
Medium Level Vulnerabilities:
  • Server-side request forgery
Low Level Vulnerabilities:
  • General CSRF
  • Reflected XSS
  • Clickjacking
Out of Scope Vulnerabilities:
  • Certificates/TLS/SSL related issues
  • DNS issues (e.g. MX records, SPF records, etc.)
  • Vulnerabilities in third-party applications
  • Best practices concerns
  • Social engineering, phishing, physical, or other fraud activities
  • SPAM
  • Brute-forcing attacks
  • DoS/DDoS attacks
  • Missing HTTP security headers
  • Mixed HTTP Content
  • MitM and local attacks
  • Self-XSS that cannot be used to exploit other users
  • UI and UX bugs
  • Outdated web browsers
Rules:
  • Don’t access or modify other users’ data; limit all tests to your own accounts.
  • Avoid compromising any personal data and avoid interrupting or degrading any service.
  • Don’t publicly disclose any vulnerability.
  • Don’t exploit DoS/DDoS vulnerabilities, and don’t use social engineering attacks or spam.
Vulnerability reporting:

All reports should be sent to bugbounty@stex.com. When reporting, please use the PGP key provided by the STEX Security Team. A response will be given within three business days.

STEX Bug Bounty Security PGP public key: