[{"id":3773335,"new_policy":"About OKG:\n==============\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\nResponse Targets\n=================\nOKG will make a best effort to meet the following SLAs for hackers participating in our program.\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using automated web application scanners for vulnerability discovery; they generate massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, and avoid any interruption or degradation of any service\n- Don’t access or modify other users’ data; confine all tests to your own accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- If you find a chain of vulnerabilities, we’ll pay only for the vulnerability with the highest severity in the chain.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackerOne team or an authorized OKG employee without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not flood the support centre with tickets.\n\nLeaked \u0026 Exposed Credentials\n=================\nIf you discover credentials that appear to belong to OKG or OKX systems, please report them through HackerOne immediately. 
Include the source where the credentials were found, what system they relate to, and a screenshot as evidence.\n\nYou may authenticate once to confirm validity, then must immediately log out — without browsing, accessing data, or exercising any functionality. Anything beyond this is not covered by Safe Harbor.\n\nSeverity is based on the level of access the credential grants. Reports are rewarded per unique source, provided the credentials were not illegally purchased. OKG reserves the right to determine reward eligibility based on the value and novelty of the report. For full platform guidelines, refer to [Bounty Awards for Discovered Leaked Credentials](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards#h_83c05e1cc8).\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\nNo vulnerability disclosure, even partial, is currently allowed.\nPlease do not publish or discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability.\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. 
Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a current or former employee of OKG or of one of its contractors.\n- Only use your HackerOne email address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nNote: The classifications below are not exhaustive. If a valid vulnerability does not appear in this list, OKG will assess its severity and bounty eligibility using CVSS v3.1 and internal business impact analysis. This ensures fair and transparent evaluation of novel, creative, or edge-case vulnerabilities that may not be explicitly documented here.\n\n## Web2 Vulnerabilities\nFocus: Issues found on OKG web platforms (e.g., okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Executing arbitrary code on OKG servers\n- SQL Injection (Core DB): Large-scale data access/modification in OKG’s core production database\n- Admin Backend Takeover: Gaining critical admin privileges\n- Mass Account Takeover: Systemic takeover of a large portion of user accounts, typically affecting \u003e50% of users\n- System Command Execution: Running OS commands on servers\n\n### High\n- Stored XSS Worms: Self-replicating cross-site scripting on critical user-facing pages.\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- Account Access at Scale: Unauthorised access to multiple user accounts due to flaws in authentication or authorization logic.\n- SQL Injection (Limited): Extracting specific sensitive data\n- Source Code Leakage: Exposure of significant backend or internal source code\n- SSRF (Contextual Impact): SSRF that reaches internal services (SSRF severity is dependent on the impact of the internal access 
achieved.)\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting requiring user interaction to trigger.\n- CSRF (Core Business): CSRF targeting non-critical business actions.\n- Auth Bypass (Limited): Unauthorised access to backend or user data without financial impact.\n- Subdomain Takeover: Control of unused subdomains with reputational or phishing risk.\n- Verification Code Flaws: Weaknesses in login or password reset verification logic.\n- Sensitive Data Exposure: Disclosure of encrypted or internal user data through accessible interfaces.\n- Cleartext Credentials: Hardcoded credentials in source code or configuration files, excluding API keys.\n\n### Low\n- Reflected XSS: Non-persistent cross-site scripting in URLs or parameters.\n- DOM/Flash XSS: Client-side cross-site scripting with no backend interaction.\n- Open Redirects: Redirecting users to external domains without validation.\n- General Info Leaks: Exposure of internal paths, directories, or debug interfaces.\n- Common CSRF: CSRF targeting non-sensitive user actions.\n- HTTP Header Manipulation: Modifying headers with low impact, such as cache behavior or redirects.\n\n## Mobile Vulnerabilities\nFocus: Issues found in OKX official mobile apps.\n\n### Critical\n- Remote Exploits: Remote compromise of app integrity or execution of code on OKG infrastructure.\n- Mass Data Breach: Unauthorised access to large volumes of user data through application flaws.\n- Admin Privilege Takeover: Gaining backend administrative access via mobile vectors.\n- System Command Execution: Executing operating system commands on application servers.\n- SQL/NoSQL Injection : Exploiting mobile API endpoints to manipulate backend database queries, leading to mass exfiltration/modification of sensitive data (PII, financial info, credentials) or backend system compromise.\n\n### High\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- SSRF (Contextual Impact): 
SSRF accessing internal systems or services via mobile endpoints.\n- Sensitive Data Exposure: Leaking sensitive information stored or processed by the app.\n- Logic Flaws (Fund Impact): Exploiting application logic to manipulate balances or perform unauthorised transactions.\n- Source Code Leakage: Exposure of significant application source code.\n- Unauthorised Operations: Performing unauthorised transactions or financial operations through app exploits.\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting within mobile app components that requires user interaction.\n- CSRF (Core Business): Cross-site request forgery targeting non-critical business logic.\n- Auth Bypass (Limited): Unauthorised access to user data or configurations without financial impact.\n- Local Storage Leaks: Disclosure of sensitive app-stored data, such as session tokens or encrypted credentials.\n- Verification Flaws: Weaknesses in OTP, login, or reset mechanisms due to insufficient validation or rate limiting.\n- Cleartext Credentials: Hardcoded secrets in app files, excluding API keys.\n\n### Low\n- Component Exposure: Unintended exposure of app components, such as exported Android activities or iOS services.\n- Open Redirects: Unvalidated redirects in app flows.\n- HTTP Header Issues: Minor header manipulation with negligible impact.\n\n## Desktop Clients Vulnerabilities\nFocus: Issues found in OKX desktop clients - Windows / MacOS (downloaded from okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Execution of arbitrary code on the client or connected server via the desktop application.\n- Admin Privilege Takeover: Gaining backend administrative control through the client (e.g., server-side SSRF).\n- System Command Execution: Execution of operating system commands on the client or backend server via misconfigurations or unsafe input handling.\n\n### High\n- CSRF (Account Takeover or Fund Transfers): Forged client requests that result in critical authenticated 
actions.\n- SSRF (Contextual Impact): Forged requests from the app to internal services.\n- Sensitive Data Exposure: Exposure of encrypted seeds or local sensitive data via app functionality.\n- Transaction Disruptions: Client-side bugs that prevent valid trading, deposits, or withdrawals.\n- Logic Flaws (Fund Impact): Exploiting client-side logic to manipulate account balances or transfer behaviors.\n\n### Medium\n- CSRF (Core Business): Forging non-sensitive client actions, such as settings changes.\n- Auth Bypass (Limited): Gaining unauthorised access to user-level configurations or restricted client views.\n- Local Storage Leaks: Exposure of exploitable data stored by the client, such as session tokens or authentication secrets, without adequate protection or access control.\n- Cleartext Credentials: Hardcoded secrets (excluding API keys) embedded in client configurations or binaries.\n\n### Low\n- Local DoS: Crashing the desktop app via malformed files or inputs.\n- Minor Misconfigurations: Exposure of temporary or local files with no sensitive data or direct exploitability.\n\n## Web3 Vulnerabilities\nFocus: Issues affecting OKX Web3 Wallet, blockchain infrastructure, or funds.\n\n### Critical\n- Remote exploits on validators/contracts or admin takeovers.\n- Execute code on production infrastructure\n- Steal funds or exfiltrate sensitive data at scale\n- Fully bypass authentication or authorisation protections\n- Affect a majority of users, systems, or business-critical functions\n\n### High\n- Unauthorised access to sensitive user data or funds in limited scope\n- Takeover of accounts with specific user interaction\n- Smart contract exploits with financial impact requiring specific states\n\n### Medium\n- Smart contract bugs that require manual triggering and do not result in loss of funds directly\n- Wallet address manipulation that alters front-end display but not the transaction outcome\n- Replay of previously signed messages that need complex setup\n- 
Incorrect use of chainID, nonce, or gas calculations that lead to inefficiencies\n- DApp permission misuse that prompts for overbroad approvals, but user must accept\n\n### Low\n- RPC metadata disclosure without sensitive data or elevated access\n- Node instability causing UI refresh or sync delays, not affecting tx execution\n- Minor signature validation errors that cannot bypass permission\n- Smart contract function visibility issues (e.g., public vs external) that don’t affect logic\n- Typos or inaccurate dApp UI rendering not tied to transaction outcome\n\n---\n\n## Additional Guidelines\n- IDOR: Must demonstrate ID discovery path, not brute force only\n- Mobile: Report once per vulnerability across platforms (iOS/Android)\n- Wallet Extensions: Report once per vulnerability across platforms (Chrome/Edge/Safari)\n- Duplicates: Same issue in multiple assets = one report\n- False positives, low business impact, or non-exploitable bugs will not be rewarded but may be acknowledged\n- Compliance related reports will be assessed on a case by case basis\n- All reported vulnerabilities must be manually validated by the researcher in the specific context of our applications\n\n---\n\n## AI Usage \u0026 Disclosure  \n- Researchers must disclose any use of AI tools in vulnerability discovery, testing, or report writing.\n- AI tools may be used for drafting or tooling, but the vulnerability discovery, reproduction, and analysis must be independently validated by the researcher.\n- Reports that are clearly auto-generated, templated, or submitted without meaningful human verification (including unvalidated AI-generated reports) may be closed as Not Applicable or Spam, at OKG's discretion.\n\n---\n\n## Out of Scope\n- Reports from automated tools or scanners\n- False positive SQL Injection without a working PoC demonstrating DB/user name extraction\n- Spam vulnerabilities, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable libraries/components without a 
working PoC\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated or low-impact forms\n- Attacks requiring MITM, root/jailbreak, or physical access to a user’s device\n- CSV injection without demonstrating exploitation\n- Missing SSL/TLS best practices (e.g. weak ciphers, protocol versions)\n- Denial of Service (DoS) or service disruption attempts\n- Content spoofing or text injection without HTML/CSS modification or attack vector\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing Content Security Policy best practices\n- Missing HttpOnly or Secure cookie flags\n- Missing or invalid SPF/DKIM/DMARC records\n- Vulnerabilities affecting only outdated/unpatched browsers (older than 2 stable versions)\n- Software version disclosure, banner info, stack traces, or verbose errors\n- Public 0-days with patches released less than 1 month ago (case-by-case)\n- Tabnabbing\n- Vulnerabilities requiring unlikely user interaction\n- Vulnerabilities already known to internal teams\n- Best practice recommendations (e.g. 
hardening suggestions)\n- WordPress-related vulnerabilities\n- DLL hijacking (all variants)\n- Rate-limit bypass by simply changing IP address or device ID\n- Address bar, URL, or domain spoofing within mobile in-app browsers (e.g., dApp or WebView-based browsers)\n- Sensitive data exposure on social media\n- Internal domain takeovers outside okx.com, okg.com, or oklink.com\n- Clients (desktop/mobile) not downloaded from official sources in scope\n- Proof of Reserves being reported as “sensitive document” leak\n- Reports based only on static analysis of binaries without PoC affecting business logic\n- Lack of obfuscation, binary protection, or jailbreak/root detection\n- Certificate pinning bypass on rooted/jailbroken devices\n- Missing exploit mitigations (e.g., PIE, ARC, Stack Canaries)\n- Sensitive data in URLs or request bodies when protected by TLS\n- Path disclosure in binaries\n- Hardcoded/recoverable app secrets in IPA/APK without business impact\n- Sensitive data stored in private app directory\n- App crashes from malformed URL schemes or exported components\n- Runtime exploits only possible in a rooted/jailbroken environment (e.g., via Frida)\n- Leaked shared links via clipboard\n- URI leaks caused by malicious apps with permissions\n- Exposure of API keys without demonstrated security impact (e.g., Google Maps API keys or keys found in our public GitHub repositories)\n- Third-party services (unless explicitly allowed)\n- Social engineering, spam, and physical attacks\n- Services not owned by OKG (e.g., cloud provider vulnerabilities)\n- AI-generated vulnerability reports without human validation  \n- Reports that appear to be generated from automated tools or generic templates\n- Broken link hijacking for social media accounts\n\n# Discretionary “Extreme” Tier Bounties\nWhile our standard reward structure follows CVSS and business impact tiers 
(Low to Critical), OKG reserves the right to award **Extreme Tier bounties** at our sole discretion.\nExtreme Tier rewards are not tied to a fixed scoring scale. They reflect **extraordinary, edge-case vulnerabilities** with systemic or existential risk to OKG.\n\n**Criteria \u0026 Impact Examples**\n*   Rapid and unauthorised loss of funds \u003e $1 million (Example: exploit drains wallets, bypasses fund protections)\n*   Zero-interaction compromise of multiple wallets, admin systems, or validators\n*   Massive KYC/PII data breach with direct regulatory or reputational impact (Example: exposure of sensitive customer data, financial information)\n*   Systemic risk to platform availability, public trust, or market stability (Example: mass user account takeover, automated abuse of authentication flows)\n\n**Reward Range**\n*   **$30,000 up to $1,000,000+**, depending on severity, exploitability, and impact.\n*   Evaluated case-by-case using OKG’s internal incident response process.\n\n**Additional Considerations**\n*   Researcher reward decisions also take into account **technical complexity**, **speed of reporting**, **integrity**, and **responsible disclosure practices**.\n\n# Business Risk Scoring Guide\nNote: To ensure fairness when evaluating vulnerabilities that do not directly affect funds, OKG uses a weighted business impact model that considers Fund Impact, Reputation Risk, and Compliance Risk. 
Business-risk multipliers adjust placement within the payout range of the assigned severity band; they do not move a report to another band.\n\n### Web2\n\n| Context / Surface                                              | Multiplier |\n|---------------------------------------------------------------|------------|\n| Static unauthenticated pages (marketing, FAQ, terms)           | 1.0×   |\n| Login/register/reset flows with minor issues (open redirect)   | 1.1×  |\n| Authenticated user dashboard (no sensitive data)               | 1.2×       |\n| Authenticated page with PII, order history, personal data      | 1.3×       |\n| Session compromise (stealing cookies/JWTs)                     | 1.3×       |\n| Authenticated page handling account/fund actions (withdrawal, API, trading) | 1.4× |\n| Admin panel or internal tool with sensitive operations | 1.5× |\n\n### Web3\n\n| Context / Surface                                                                  | Multiplier |\n|-----------------------------------------------------------------------------------|------------|\n| Wallet connect / signature request with no security impact                         | 1.0×       |\n| dApp UI with reflected input but no transaction risk                               | 1.1×       |\n| dApp (wallet-connected) leaking balances or transaction history                    | 1.2×       |\n| dApp allowing spoofed signature prompts / phishing-style UX                        | 1.3×       |\n| Smart contract dashboards (staking, governance, etc.) 
with sensitive UI actions    | 1.4×       |\n| XSS leading to wallet signature hijack / transaction injection                     | 1.5×       |\n\n### Mobile\n\n| Context / Surface                                                           | Multiplier |\n|-----------------------------------------------------------------------------|------------|\n| UI issues, clipboard access without sensitive data                          | 1.0×       |\n| Exposure of non-sensitive info (OS version, device model)                   | 1.1×       |\n| Authenticated views with general account data                               | 1.2×       |\n| Sensitive data exposed via logging, screenshots, or memory                  | 1.3×       |\n| WebView issues affecting auth/transaction flow or phishing                  | 1.4×       |\n| Authenticated views with fund transfer, session token, or private key exposure | 1.5×    |\n\n### Desktop\n\n| Context / Surface                                                        | Multiplier |\n| ------------------------------------------------------------------------ | ---------- |\n| UI bugs, crash reports, logs without sensitive data                      | 1.0×       |\n| Authenticated interface with exchange or trading functions               | 1.1×       |\n| Sensitive data exposed (session tokens, keys)                            | 1.2×       |\n| Full compromise via desktop client (token theft + bypassing protections) | 1.3×       |\n\n# Quality \u0026 Context Modifiers\n\n### Additional Factors\n\n| Factor                 | Range     | Description                                                                 |\n|------------------------|-----------|-----------------------------------------------------------------------------|\n| Exploit Reliability    | 0.5–1.0×  | Is the issue consistently reproducible? 
Reports that are unstable or device-specific may receive lower payouts. |\n| User interaction       | 0.5–1.0×  | How many steps must a victim take? Exploits requiring multiple clicks, context switches, or unusual actions may reduce payout. |\n| Exposure / coverage    | 0.3–1.0× | Does the issue affect most users, or only a very narrow cohort or edge case? Broader impact tends toward higher payouts within the band. |\n| Mitigation proximity   | 0.5–1.0× | Do existing controls (rate limits, approvals, alerts) significantly limit the practical risk? If so, payouts may be lowered. |\n\n# Vulnerability Evaluation Process\n**Step 1: Triage** - Check validity, reproducibility, and scope\n**Step 2: CVSS Baseline** - Apply CVSS v3.1 where applicable to set the severity band\n**Step 3: Business Risk Evaluation** - Apply the business-risk multiplier for the affected surface\n**Step 4: Quality \u0026 Context Modifiers** - Apply the exploit reliability, user interaction, exposure, and mitigation factors\n**Final Reward** = the severity band from Step 2, with placement within that band set by the Step 3 multiplier and the Step 4 modifiers (neither moves a report to another band)\n\n# Reward Bonuses\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\n# Known issues\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. Reported issues that are already known to us will be closed as duplicates.\nWe ask you to respect our final decision and to refrain from repeatedly renegotiating once it has been made.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":["{\"platform_standard\":\"VULNERABLE_NETWORK_CONNECTION_IN_CLIENT_APPLICATIONS\",\"justification\":null}","{\"platform_standard\":\"LEAKAGE_SENSITIVE_PII\",\"justification\":null}","{\"platform_standard\":\"IDOR\",\"justification\":null}","{\"platform_standard\":\"THIRD_PARTY_COMPONENTS_FOR_PROGRAMS_CONSUMING_THE_COMPONENT\",\"justification\":null}","{\"platform_standard\":\"SELF_SIGN_UP_CVSS_PR\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-29T08:15:26.529Z"},{"id":3773153,"new_policy":"About OKG:\n==============\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\nResponse Targets\n=================\nOKG will make a best effort to meet the following SLAs for hackers participating in our program.\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using automated web application scanners for vulnerability discovery; they generate massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, and avoid any interruption or degradation of any service\n- Don’t access or modify other users’ data; confine all tests to your own accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- If you find a chain of vulnerabilities, we’ll pay only for the vulnerability with the highest severity in the chain.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackerOne team or an authorized OKG employee without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not flood the support centre with tickets.\n\nLeaked \u0026 Exposed Credentials\n=================\nIf you discover credentials that appear to belong to OKG or OKX systems, please report them through HackerOne immediately. Include the source where the credentials were found, what system they relate to, and a screenshot as evidence.\n\nYou may authenticate once to confirm validity, then must immediately log out — without browsing, accessing data, or exercising any functionality. Anything beyond this is not covered by Safe Harbor.\n\nSeverity is based on the level of access the credential grants. 
Reports are rewarded per unique source, provided the credentials were not illegally purchased. OKG reserves the right to determine reward eligibility based on the value and novelty of the report. For full platform guidelines, refer to [Bounty Awards for Discovered Leaked Credentials](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards#h_83c05e1cc8).\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\nNo vulnerability disclosure, even partial, is currently allowed.\nPlease do not publish or discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability.\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. 
We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a current or former employee of OKG or of one of its contractors.\n- Only use your HackerOne email address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nNote: The classifications below are not exhaustive. If a valid vulnerability does not appear in this list, OKG will assess its severity and bounty eligibility using CVSS v3.1 and internal business impact analysis. This ensures fair and transparent evaluation of novel, creative, or edge-case vulnerabilities that may not be explicitly documented here.\n\n## Web2 Vulnerabilities\nFocus: Issues found on OKG web platforms (e.g., okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Executing arbitrary code on OKG servers\n- SQL Injection (Core DB): Large-scale data access/modification in OKG’s core production database\n- Admin Backend Takeover: Gaining critical admin privileges\n- Mass Account Takeover: Systemic takeover of a large portion of user accounts, typically affecting \u003e50% of users\n- System Command Execution: Running OS commands on servers\n\n### High\n- Stored XSS Worms: Self-replicating cross-site scripting on critical user-facing pages.\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- Account Access at Scale: Unauthorised access to multiple user accounts due to flaws in authentication or authorization logic.\n- SQL Injection (Limited): Extracting specific sensitive data\n- Source Code Leakage: Exposure of significant backend or internal source code\n- SSRF (Contextual Impact): SSRF that reaches internal services (SSRF severity is dependent on the impact of the internal access achieved.)\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting requiring user interaction to trigger.\n- CSRF (Core Business): CSRF targeting non-critical business 
actions.\n- Auth Bypass (Limited): Unauthorised access to backend or user data without financial impact.\n- Subdomain Takeover: Control of unused subdomains with reputational or phishing risk.\n- Verification Code Flaws: Weaknesses in login or password reset verification logic.\n- Sensitive Data Exposure: Disclosure of encrypted or internal user data through accessible interfaces.\n- Cleartext Credentials: Hardcoded credentials in source code or configuration files, excluding API keys.\n\n### Low\n- Reflected XSS: Non-persistent cross-site scripting in URLs or parameters.\n- DOM/Flash XSS: Client-side cross-site scripting with no backend interaction.\n- Open Redirects: Redirecting users to external domains without validation.\n- General Info Leaks: Exposure of internal paths, directories, or debug interfaces.\n- Common CSRF: CSRF targeting non-sensitive user actions.\n- HTTP Header Manipulation: Modifying headers with low impact, such as cache behavior or redirects.\n\n## Mobile Vulnerabilities\nFocus: Issues found in OKX official mobile apps.\n\n### Critical\n- Remote Exploits: Remote compromise of app integrity or execution of code on OKG infrastructure.\n- Mass Data Breach: Unauthorised access to large volumes of user data through application flaws.\n- Admin Privilege Takeover: Gaining backend administrative access via mobile vectors.\n- System Command Execution: Executing operating system commands on application servers.\n- SQL/NoSQL Injection : Exploiting mobile API endpoints to manipulate backend database queries, leading to mass exfiltration/modification of sensitive data (PII, financial info, credentials) or backend system compromise.\n\n### High\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- SSRF (Contextual Impact): SSRF accessing internal systems or services via mobile endpoints.\n- Sensitive Data Exposure: Leaking sensitive information stored or processed by the app.\n- Logic Flaws (Fund Impact): 
Exploiting application logic to manipulate balances or perform unauthorised transactions.\n- Source Code Leakage: Exposure of significant application source code.\n- Unauthorised Operations: Performing unauthorised transactions or financial operations through app exploits.\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting within mobile app components that requires user interaction.\n- CSRF (Core Business): Cross-site request forgery targeting non-critical business logic.\n- Auth Bypass (Limited): Unauthorised access to user data or configurations without financial impact.\n- Local Storage Leaks: Disclosure of sensitive app-stored data, such as session tokens or encrypted credentials.\n- Verification Flaws: Weaknesses in OTP, login, or reset mechanisms due to insufficient validation or rate limiting.\n- Cleartext Credentials: Hardcoded secrets in app files, excluding API keys.\n\n### Low\n- Component Exposure: Unintended exposure of app components, such as exported Android activities or iOS services.\n- Open Redirects: Unvalidated redirects in app flows.\n- HTTP Header Issues: Minor header manipulation with negligible impact.\n\n## Desktop Clients Vulnerabilities\nFocus: Issues found in OKX desktop clients - Windows / MacOS (downloaded from okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Execution of arbitrary code on the client or connected server via the desktop application.\n- Admin Privilege Takeover: Gaining backend administrative control through the client (e.g., server-side SSRF).\n- System Command Execution: Execution of operating system commands on the client or backend server via misconfigurations or unsafe input handling.\n\n### High\n- CSRF (Account Takeover or Fund Transfers): Forged client requests that result in critical authenticated actions.\n- SSRF (Contextual Impact): Forged requests from the app to internal services.\n- Sensitive Data Exposure: Exposure of encrypted seeds or local sensitive data via app 
functionality.\n- Transaction Disruptions: Client-side bugs that prevent valid trading, deposits, or withdrawals.\n- Logic Flaws (Fund Impact): Exploiting client-side logic to manipulate account balances or transfer behaviors.\n\n### Medium\n- CSRF (Core Business): Forging non-sensitive client actions, such as settings changes.\n- Auth Bypass (Limited): Gaining unauthorised access to user-level configurations or restricted client views.\n- Local Storage Leaks: Exposure of exploitable data stored by the client, such as session tokens or authentication secrets, without adequate protection or access control.\n- Cleartext Credentials: Hardcoded secrets (excluding API keys) embedded in client configurations or binaries.\n\n### Low\n- Local DoS: Crashing the desktop app via malformed files or inputs.\n- Minor Misconfigurations: Exposure of temporary or local files with no sensitive data or direct exploitability.\n\n## Web3 Vulnerabilities\nFocus: Issues affecting OKX Web3 Wallet, blockchain infrastructure, or funds.\n\n### Critical\n- Remote exploits on validators/contracts or admin takeovers.\n- Execute code on production infrastructure\n- Steal funds or exfiltrate sensitive data at scale\n- Fully bypass authentication or authorisation protections\n- Affect a majority of users, systems, or business-critical functions\n\n### High\n- Unauthorised access to sensitive user data or funds in limited scope\n- Takeover of accounts with specific user interaction\n- Smart contract exploits with financial impact requiring specific states\n\n### Medium\n- Smart contract bugs that require manual triggering and do not result in loss of funds directly\n- Wallet address manipulation that alters front-end display but not the transaction outcome\n- Replay of previously signed messages that need complex setup\n- Incorrect use of chainID, nonce, or gas calculations that lead to inefficiencies\n- DApp permission misuse that prompts for overbroad approvals, but user must accept\n\n### Low\n- 
RPC metadata disclosure without sensitive data or elevated access\n- Node instability causing UI refresh or sync delays, not affecting tx execution\n- Minor signature validation errors that cannot bypass permission\n- Smart contract function visibility issues (e.g., public vs external) that don’t affect logic\n- Typos or inaccurate dApp UI rendering not tied to transaction outcome\n\n---\n\n## Additional Guidelines\n- IDOR: Must demonstrate ID discovery path, not brute force only\n- Mobile: Report once per vulnerability across platforms (iOS/Android)\n- Wallet Extensions: Report once per vulnerability across platforms (Chrome/Edge/Safari)\n- Duplicates: Same issue in multiple assets = one report\n- False positives, low business impact, or non-exploitable bugs will not be rewarded but may be acknowledged\n- Compliance related reports will be assessed on a case by case basis\n- All reported vulnerabilities must be manually validated by the researcher in the specific context of our applications\n\n---\n\n## AI Usage \u0026 Disclosure  \n- Researchers must disclose any use of AI tools in vulnerability discovery, testing, or report writing.\n- AI tools may be used for drafting or tooling, but the vulnerability discovery, reproduction, and analysis must be independently validated by the researcher.\n- Reports that are clearly auto-generated, templated, or submitted without meaningful human verification (including unvalidated AI-generated reports) may be closed as Not Applicable or Spam, at OKG's discretion.\n\n---\n\n## Out of Scope\n- Reports from automated tools or scanners\n- False positive SQL Injection without a working PoC demonstrating DB/user name extraction\n- Spam vulnerabilities, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable libraries/components without a working PoC\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated or low-impact forms\n- Attacks requiring MITM, root/jailbreak, or 
physical access to a user’s device\n- Previously known vulnerable libraries without a working PoC\n- CSV injection without demonstrating exploitation\n- Missing SSL/TLS best practices (e.g. weak ciphers, protocol versions)\n- Denial of Service (DoS) or service disruption attempts\n- Content spoofing or text injection without HTML/CSS modification or attack vector\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing Content Security Policy best practices\n- Missing HttpOnly or Secure cookie flags\n- Missing or invalid SPF/DKIM/DMARC records\n- Vulnerabilities affecting only outdated/unpatched browsers (older than 2 stable versions)\n- Software version disclosure, banner info, stack traces, or verbose errors\n- Public 0-days with patches released less than 1 month ago (case-by-case)\n- Tabnabbing\n- Vulnerabilities requiring unlikely user interaction\n- Vulnerabilities already known to internal teams\n- Best practice recommendations (e.g. hardening suggestions)\n- WordPress-related vulnerabilities\n- DLL hijacking (all variants)\n- Rate-limit bypass by simply changing IP address or device ID\n- Address bar, URL, or domain spoofing within mobile in-app browsers (e.g., dApp or WebView-based browsers)\n- Sensitive data exposure on social media\n- Internal domain takeovers outside okx.com, okg.com, or oklink.com\n- Clients (desktop/mobile) not downloaded from official sources in scope\n- Proof of Reserves being reported as “sensitive document” leak\n- Reports based only on static analysis of binaries without PoC affecting business logic\n- Lack of obfuscation, binary protection, or jailbreak/root detection\n- Certificate pinning bypass on rooted/jailbroken devices\n- Missing exploit mitigations (e.g., PIE, ARC, Stack Canaries)\n- Sensitive data in URLs or request bodies when protected by TLS\n- Path disclosure in binaries\n- Hardcoded/recoverable app secrets in IPA/APK without business impact\n- Sensitive data stored in private app 
directory\n- App crashes from malformed URL schemes or exported components\n- Runtime exploits only possible in a rooted/jailbroken environment (e.g., via Frida)\n- Leaked shared links via clipboard\n- URI leaks caused by malicious apps with permissions\n- Exposure of API keys without demonstrated security impact (e.g., Google Maps API keys or keys found in our public GitHub repositories)\n- Third-party services (unless explicitly allowed)\n- Social engineering, spam, and physical attacks\n- Attacks requiring MITM or root/jailbreak access\n- Services not owned by OKG (e.g., cloud provider vulnerabilities)\n- Mobile/Desktop apps not downloaded from official channels\n- AI-generated vulnerability reports without human validation  \n- Reports that appear to be generated from automated tools or generic templates\n- Broken link hijacking for social media accounts\n\n# Discretionary “Extreme” Tier Bounties\nWhile our standard reward structure follows CVSS and business impact tiers (Low to Critical), OKG reserves the right to award **Extreme Tier bounties** at our sole discretion.\nExtreme Tier rewards are not tied to a fixed scoring scale. 
They reflect **extraordinary, edge-case vulnerabilities** with systemic or existential risk to OKG.\n\n**Criteria \u0026 Impact Examples**\n*   Rapid and unauthorised loss of funds \u003e $1 million (Example: exploit drains wallets, bypasses fund protections)\n*   Zero-interaction compromise of multiple wallets, admin systems, or validators\n*   Massive KYC/PII data breach with direct regulatory or reputational impact (Example: exposure of sensitive customer data, financial information)\n*   Systemic risk to platform availability, public trust, or market stability (Example: mass user account takeover, automated abuse of authentication flows)\n\n**Reward Range**\n*   **$30,000 up to $1,000,000+**, depending on severity, exploitability, and impact.\n*   Evaluated case-by-case using OKG’s internal incident response process.\n\n**Additional Considerations**\n*   Researcher reward decisions also take into account **technical complexity**, **speed of reporting**, **integrity**, and **responsible disclosure practices**.\n\n# Business Risk Scoring Guide\nNote: To ensure fairness when evaluating vulnerabilities that do not directly affect funds, OKG uses a weighted business impact model that considers Fund Impact, Reputation Risk, and Compliance Risk. 
Business-risk multipliers adjust placement within the payout range of the assigned severity band; they do not move a report to another band.\n\n### Web2\n\n| Context / Surface                                              | Multiplier |\n|---------------------------------------------------------------|------------|\n| Static unauthenticated pages (marketing, FAQ, terms)           | 1.0×   |\n| Login/register/reset flows with minor issues (open redirect)   | 1.1×  |\n| Authenticated user dashboard (no sensitive data)               | 1.2×       |\n| Authenticated page with PII, order history, personal data      | 1.3×       |\n| Session compromise (stealing cookies/JWTs)                     | 1.3×       |\n| Authenticated page handling account/fund actions (withdrawal, API, trading) | 1.4× |\n| Admin panel or internal tool with sensitive operations | 1.5× |\n\n### Web3\n\n| Context / Surface                                                                  | Multiplier |\n|-----------------------------------------------------------------------------------|------------|\n| Wallet connect / signature request with no security impact                         | 1.0×       |\n| dApp UI with reflected input but no transaction risk                               | 1.1×       |\n| dApp (wallet-connected) leaking balances or transaction history                    | 1.2×       |\n| dApp allowing spoofed signature prompts / phishing-style UX                        | 1.3×       |\n| Smart contract dashboards (staking, governance, etc.) 
with sensitive UI actions    | 1.4×       |\n| XSS leading to wallet signature hijack / transaction injection                     | 1.5×       |\n\n### Mobile\n\n| Context / Surface                                                           | Multiplier |\n|-----------------------------------------------------------------------------|------------|\n| UI issues, clipboard access without sensitive data                          | 1.0×       |\n| Exposure of non-sensitive info (OS version, device model)                   | 1.1×       |\n| Authenticated views with general account data                               | 1.2×       |\n| Sensitive data exposed via logging, screenshots, or memory                  | 1.3×       |\n| WebView issues affecting auth/transaction flow or phishing                  | 1.4×       |\n| Authenticated views with fund transfer, session token, or private key exposure | 1.5×    |\n\n### Desktop\n\n| Context / Surface                                                        | Multiplier |\n| ------------------------------------------------------------------------ | ---------- |\n| UI bugs, crash reports, logs without sensitive data                      | 1.0×       |\n| Authenticated interface with exchange or trading functions               | 1.1×       |\n| Sensitive data exposed (session tokens, keys)                            | 1.2×       |\n| Full compromise via desktop client (token theft + bypassing protections) | 1.3×       |\n\n# Quality \u0026 Context Modifiers\n\n### Additional Factors\n\n| Factor                 | Range          | Description                                                                 |\n|------------------------|----------------|-----------------------------------------------------------------------------|\n| Exploit Reliability    | 0.5–1.0×       | Is the issue consistently reproducible? 
Reports that are unstable or device-specific may receive lower payouts. |\n| User interaction       | 0.5–1.0×       | How many steps must a victim take? Exploits requiring multiple clicks, context switches, or unusual actions may reduce payout. |\n| Exposure / coverage    | 0.3–1.0×       | Does the issue affect most users, or only a very narrow cohort or edge case? Broader impact tends toward higher payouts within the band. |\n| Mitigation proximity   | 0.5–1.0×       | Do existing controls (rate limits, approvals, alerts) significantly limit the practical risk? If so, payouts may be lowered. |\n\n# Vulnerability Evaluation Process\n**Step 1: Triage** for validity, reproducibility, and scope\n**Step 2: CVSS Baseline** - Apply CVSS where applicable\n**Step 3: Business Risk Evaluation**\n**Step 4: Quality \u0026 Context Modifiers**\n**Final Reward Tier** = Technical Severity + Business Impact + Quality \u0026 Context Modifiers\n\n# Reward Bonuses\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\n# Known issues\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":null}","{\"platform_standard\":\"THIRD_PARTY_COMPONENTS_FOR_PROGRAMS_CONSUMING_THE_COMPONENT\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-27T03:09:23.850Z"},{"id":3771971,"new_policy":"About OKG:\n==============\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\nResponse Targets\n=================\nOKG will make a best effort to meet the following SLAs for hackers participating in our program.\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not blast the support centre tickets with too many requests.\n\nLeaked \u0026 Exposed Credentials\n=================\nIf you discover credentials that appear to belong to OKG or OKX systems, please report them through HackerOne immediately. Include the source where the credentials were found, what system they relate to, and a screenshot as evidence.\n\nYou may authenticate once to confirm validity, then must immediately log out — without browsing, accessing data, or exercising any functionality. Anything beyond this is not covered by Safe Harbor.\n\nSeverity is based on the level of access the credential grants. 
Reports are rewarded per unique source provided the credentials were not illegally purchased. OKG reserves the right to determine reward eligibility based on the value and novelty of the report. For full platform guidelines, refer to [Bounty Awards for Discovered Leaked Credentials](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards#h_83c05e1cc8).\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. 
We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nNote: The classifications below are not exhaustive. If a valid vulnerability does not appear in this list, OKG will assess its severity and bounty eligibility using CVSS v3.1 and internal business impact analysis. This ensures fair and transparent evaluation of novel, creative, or edge-case vulnerabilities that may not be explicitly documented here.\n\n## Web2 Vulnerabilities\nFocus: Issues found on OKG web platforms (e.g., okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Executing arbitrary code on OKG servers\n- SQL Injection (Core DB): Large-scale data access/modification in OKG’s core production database\n- Admin Backend Takeover: Gaining critical admin privileges\n- Mass Account Takeover: Systemic takeover of a large portion of user accounts, typically affecting \u003e50% of users\n- System Command Execution: Running OS commands on servers\n\n### High\n- Stored XSS Worms: Self-replicating cross-site scripting on critical user-facing pages.\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- Account Access at Scale: Unauthorised access to multiple user accounts due to flaws in authentication or authorization logic.\n- SQL Injection (Limited): Extracting specific sensitive data\n- Source Code Leakage: Exposure of significant backend or internal source code\n- SSRF (Contextual Impact): SSRF that reaches internal services (SSRF severity is dependent on the impact of the internal access achieved.)\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting requiring user interaction to trigger.\n- CSRF (Core Business): CSRF targeting non-critical business 
actions.\n- Auth Bypass (Limited): Unauthorised access to backend or user data without financial impact.\n- Subdomain Takeover: Control of unused subdomains with reputational or phishing risk.\n- Verification Code Flaws: Weaknesses in login or password reset verification logic.\n- Sensitive Data Exposure: Disclosure of encrypted or internal user data through accessible interfaces.\n- Cleartext Credentials: Hardcoded credentials in source code or configuration files, excluding API keys.\n\n### Low\n- Reflected XSS: Non-persistent cross-site scripting in URLs or parameters.\n- DOM/Flash XSS: Client-side cross-site scripting with no backend interaction.\n- Open Redirects: Redirecting users to external domains without validation.\n- General Info Leaks: Exposure of internal paths, directories, or debug interfaces.\n- Common CSRF: CSRF targeting non-sensitive user actions.\n- HTTP Header Manipulation: Modifying headers with low impact, such as cache behavior or redirects.\n\n## Mobile Vulnerabilities\nFocus: Issues found in OKX official mobile apps.\n\n### Critical\n- Remote Exploits: Remote compromise of app integrity or execution of code on OKG infrastructure.\n- Mass Data Breach: Unauthorised access to large volumes of user data through application flaws.\n- Admin Privilege Takeover: Gaining backend administrative access via mobile vectors.\n- System Command Execution: Executing operating system commands on application servers.\n- SQL/NoSQL Injection: Exploiting mobile API endpoints to manipulate backend database queries, leading to mass exfiltration/modification of sensitive data (PII, financial info, credentials) or backend system compromise.\n\n### High\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- SSRF (Contextual Impact): SSRF accessing internal systems or services via mobile endpoints.\n- Sensitive Data Exposure: Leaking sensitive information stored or processed by the app.\n- Logic Flaws (Fund Impact): 
Exploiting application logic to manipulate balances or perform unauthorised transactions.\n- Source Code Leakage: Exposure of significant application source code.\n- Unauthorised Operations: Performing unauthorised transactions or financial operations through app exploits.\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting within mobile app components that requires user interaction.\n- CSRF (Core Business): Cross-site request forgery targeting non-critical business logic.\n- Auth Bypass (Limited): Unauthorised access to user data or configurations without financial impact.\n- Local Storage Leaks: Disclosure of sensitive app-stored data, such as session tokens or encrypted credentials.\n- Verification Flaws: Weaknesses in OTP, login, or reset mechanisms due to insufficient validation or rate limiting.\n- Cleartext Credentials: Hardcoded secrets in app files, excluding API keys.\n\n### Low\n- Component Exposure: Unintended exposure of app components, such as exported Android activities or iOS services.\n- Open Redirects: Unvalidated redirects in app flows.\n- HTTP Header Issues: Minor header manipulation with negligible impact.\n\n## Desktop Clients Vulnerabilities\nFocus: Issues found in OKX desktop clients - Windows / MacOS (downloaded from okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Execution of arbitrary code on the client or connected server via the desktop application.\n- Admin Privilege Takeover: Gaining backend administrative control through the client (e.g., server-side SSRF).\n- System Command Execution: Execution of operating system commands on the client or backend server via misconfigurations or unsafe input handling.\n\n### High\n- CSRF (Account Takeover or Fund Transfers): Forged client requests that result in critical authenticated actions.\n- SSRF (Contextual Impact): Forged requests from the app to internal services.\n- Sensitive Data Exposure: Exposure of encrypted seeds or local sensitive data via app 
functionality.\n- Transaction Disruptions: Client-side bugs that prevent valid trading, deposits, or withdrawals.\n- Logic Flaws (Fund Impact): Exploiting client-side logic to manipulate account balances or transfer behaviors.\n\n### Medium\n- CSRF (Core Business): Forging non-sensitive client actions, such as settings changes.\n- Auth Bypass (Limited): Gaining unauthorised access to user-level configurations or restricted client views.\n- Local Storage Leaks: Exposure of exploitable data stored by the client, such as session tokens or authentication secrets, without adequate protection or access control.\n- Cleartext Credentials: Hardcoded secrets (excluding API keys) embedded in client configurations or binaries.\n\n### Low\n- Local DoS: Crashing the desktop app via malformed files or inputs.\n- Minor Misconfigurations: Exposure of temporary or local files with no sensitive data or direct exploitability.\n\n## Web3 Vulnerabilities\nFocus: Issues affecting OKX Web3 Wallet, blockchain infrastructure, or funds.\n\n### Critical\n- Remote exploits on validators/contracts or admin takeovers.\n- Execute code on production infrastructure\n- Steal funds or exfiltrate sensitive data at scale\n- Fully bypass authentication or authorisation protections\n- Affect a majority of users, systems, or business-critical functions\n\n### High\n- Unauthorised access to sensitive user data or funds in limited scope\n- Takeover of accounts with specific user interaction\n- Smart contract exploits with financial impact requiring specific states\n\n### Medium\n- Smart contract bugs that require manual triggering and do not result in loss of funds directly\n- Wallet address manipulation that alters front-end display but not the transaction outcome\n- Replay of previously signed messages that need complex setup\n- Incorrect use of chainID, nonce, or gas calculations that lead to inefficiencies\n- DApp permission misuse that prompts for overbroad approvals, but user must accept\n\n### Low\n- 
RPC metadata disclosure without sensitive data or elevated access\n- Node instability causing UI refresh or sync delays, not affecting tx execution\n- Minor signature validation errors that cannot bypass permission\n- Smart contract function visibility issues (e.g., public vs external) that don’t affect logic\n- Typos or inaccurate dApp UI rendering not tied to transaction outcome\n\n---\n\n## Additional Guidelines\n- IDOR: Must demonstrate ID discovery path, not brute force only\n- Mobile: Report once per vulnerability across platforms (iOS/Android)\n- Wallet Extensions: Report once per vulnerability across platforms (Chrome/Edge/Safari)\n- Duplicates: Same issue in multiple assets = one report\n- False positives, low business impact, or non-exploitable bugs will not be rewarded but may be acknowledged\n- Compliance related reports will be assessed on a case by case basis\n- All reported vulnerabilities must be manually validated by the researcher in the specific context of our applications\n\n---\n\n## AI Usage \u0026 Disclosure  \n- Researchers must disclose any use of AI tools in vulnerability discovery, testing, or report writing.\n- AI tools may be used for drafting or tooling, but the vulnerability discovery, reproduction, and analysis must be independently validated by the researcher.\n- Reports that are clearly auto-generated, templated, or submitted without meaningful human verification (including unvalidated AI-generated reports) may be closed as Not Applicable or Spam, at OKG's discretion.\n\n---\n\n## Out of Scope\n- Reports from automated tools or scanners\n- False positive SQL Injection without a working PoC demonstrating DB/user name extraction\n- Spam vulnerabilities, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable libraries/components without a working PoC\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated or low-impact forms\n- Attacks requiring MITM, root/jailbreak, or 
physical access to a user’s device\n- Previously known vulnerable libraries without a working PoC\n- CSV injection without demonstrating exploitation\n- Missing SSL/TLS best practices (e.g. weak ciphers, protocol versions)\n- Denial of Service (DoS) or service disruption attempts\n- Content spoofing or text injection without HTML/CSS modification or attack vector\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing Content Security Policy best practices\n- Missing HttpOnly or Secure cookie flags\n- Missing or invalid SPF/DKIM/DMARC records\n- Vulnerabilities affecting only outdated/unpatched browsers (older than 2 stable versions)\n- Software version disclosure, banner info, stack traces, or verbose errors\n- Public 0-days with patches released less than 1 month ago (case-by-case)\n- Tabnabbing\n- Vulnerabilities requiring unlikely user interaction\n- Vulnerabilities already known to internal teams\n- Best practice recommendations (e.g. hardening suggestions)\n- WordPress-related vulnerabilities\n- DLL hijacking (all variants)\n- Rate-limit bypass by simply changing IP address or device ID\n- Address bar, URL, or domain spoofing within mobile in-app browsers (e.g., dApp or WebView-based browsers)\n- Sensitive data exposure on social media\n- Internal domain takeovers outside okx.com, okg.com, or oklink.com\n- Clients (desktop/mobile) not downloaded from official sources in scope\n- Proof of Reserves being reported as “sensitive document” leak\n- Reports based only on static analysis of binaries without PoC affecting business logic\n- Lack of obfuscation, binary protection, or jailbreak/root detection\n- Certificate pinning bypass on rooted/jailbroken devices\n- Missing exploit mitigations (e.g., PIE, ARC, Stack Canaries)\n- Sensitive data in URLs or request bodies when protected by TLS\n- Path disclosure in binaries\n- Hardcoded/recoverable app secrets in IPA/APK without business impact\n- Sensitive data stored in private app 
directory\n- App crashes from malformed URL schemes or exported components\n- Runtime exploits only possible in a rooted/jailbroken environment (e.g., via Frida)\n- Leaked shared links via clipboard\n- URI leaks caused by malicious apps with permissions\n- Exposure of API keys without demonstrated security impact (e.g., Google Maps API keys or keys found in our public GitHub repositories)\n- Third-party services (unless explicitly allowed)\n- Social engineering, spam, and physical attacks\n- Attacks requiring MITM or root/jailbreak access\n- Services not owned by OKG (e.g., cloud provider vulnerabilities)\n- Mobile/Desktop apps not downloaded from official channels\n- AI-generated vulnerability reports without human validation  \n- Reports that appear to be generated from automated tools or generic templates\n\n# Discretionary “Extreme” Tier Bounties\nWhile our standard reward structure follows CVSS and business impact tiers (Low to Critical), OKG reserves the right to award **Extreme Tier bounties** at our sole discretion.\nExtreme Tier rewards are not tied to a fixed scoring scale. 
They reflect **extraordinary, edge-case vulnerabilities** with systemic or existential risk to OKG.\n\n**Criteria \u0026 Impact Examples**\n*   Rapid and unauthorised loss of funds \u003e $1 million (Example: exploit drains wallets, bypasses fund protections)\n*   Zero-interaction compromise of multiple wallets, admin systems, or validators\n*   Massive KYC/PII data breach with direct regulatory or reputational impact (Example: exposure of sensitive customer data, financial information)\n*   Systemic risk to platform availability, public trust, or market stability (Example: mass user account takeover, automated abuse of authentication flows)\n\n**Reward Range**\n*   **$30,000 up to $1,000,000+**, depending on severity, exploitability, and impact.\n*   Evaluated case-by-case using OKG’s internal incident response process.\n\n**Additional Considerations**\n*   Researcher reward decisions also take into account **technical complexity**, **speed of reporting**, **integrity**, and **responsible disclosure practices**.\n\n# Business Risk Scoring Guide\nNote: To ensure fairness when evaluating vulnerabilities that do not directly affect funds, OKG uses a weighted business impact model that considers Fund Impact, Reputation Risk, and Compliance Risk. 
Business-risk multipliers adjust placement within the payout range of the assigned severity band; they do not move a report to another band.\n\n### Web2\n\n| Context / Surface                                              | Multiplier |\n|---------------------------------------------------------------|------------|\n| Static unauthenticated pages (marketing, FAQ, terms)           | 1.0×   |\n| Login/register/reset flows with minor issues (open redirect)   | 1.1×  |\n| Authenticated user dashboard (no sensitive data)               | 1.2×       |\n| Authenticated page with PII, order history, personal data      | 1.3×       |\n| Session compromise (stealing cookies/JWTs)                     | 1.3×       |\n| Authenticated page handling account/fund actions (withdrawal, API, trading) | 1.4× |\n| Admin panel or internal tool with sensitive operations | 1.5× |\n\n### Web3\n\n| Context / Surface                                                                  | Multiplier |\n|-----------------------------------------------------------------------------------|------------|\n| Wallet connect / signature request with no security impact                         | 1.0×       |\n| dApp UI with reflected input but no transaction risk                               | 1.1×       |\n| dApp (wallet-connected) leaking balances or transaction history                    | 1.2×       |\n| dApp allowing spoofed signature prompts / phishing-style UX                        | 1.3×       |\n| Smart contract dashboards (staking, governance, etc.) 
with sensitive UI actions    | 1.4×       |\n| XSS leading to wallet signature hijack / transaction injection                     | 1.5×       |\n\n### Mobile\n\n| Context / Surface                                                           | Multiplier |\n|-----------------------------------------------------------------------------|------------|\n| UI issues, clipboard access without sensitive data                          | 1.0×       |\n| Exposure of non-sensitive info (OS version, device model)                   | 1.1×       |\n| Authenticated views with general account data                               | 1.2×       |\n| Sensitive data exposed via logging, screenshots, or memory                  | 1.3×       |\n| WebView issues affecting auth/transaction flow or phishing                  | 1.4×       |\n| Authenticated views with fund transfer, session token, or private key exposure | 1.5×    |\n\n### Desktop\n\n| Context / Surface                                                        | Multiplier |\n| ------------------------------------------------------------------------ | ---------- |\n| UI bugs, crash reports, logs without sensitive data                      | 1.0×       |\n| Authenticated interface with exchange or trading functions               | 1.1×       |\n| Sensitive data exposed (session tokens, keys)                            | 1.2×       |\n| Full compromise via desktop client (token theft + bypassing protections) | 1.3×       |\n\n# Quality \u0026 Context Modifiers\n\n### Additional Factors\n\n| Factor                 | Range          | Description                                                                 |\n|------------------------|----------------|-----------------------------------------------------------------------------|\n| Exploit Reliability    | 0.5–1.0×       | Is the issue consistently reproducible? 
Reports that are unstable or device-specific may receive lower payouts. |\n| User interaction       | 0.5–1.0×       | How many steps must a victim take? Exploits requiring multiple clicks, context switches, or unusual actions may reduce payout. |\n| Exposure / coverage    | 0.3–1.0×       | Does the issue affect most users, or only a very narrow cohort or edge case? Broader impact tends toward higher payouts within the band. |\n| Mitigation proximity   | 0.5–1.0×       | Do existing controls (rate limits, approvals, alerts) significantly limit the practical risk? If so, payouts may be lowered. |\n\n# Vulnerability Evaluation Process\n- **Step 1: Triage** for validity, reproducibility, and scope\n- **Step 2: CVSS Baseline**: apply CVSS where applicable\n- **Step 3: Business Risk Evaluation**\n- **Step 4: Quality \u0026 Context Modifiers**\n- **Final Reward Tier** = Technical Severity + Business Impact + Quality \u0026 Context Modifiers\n\n# Reward Bonuses\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\n# Known issues\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":null}","{\"platform_standard\":\"THIRD_PARTY_COMPONENTS_FOR_PROGRAMS_CONSUMING_THE_COMPONENT\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-01T08:57:20.130Z"},{"id":3768567,"new_policy":"About OKG:\n==============\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\n# Response Targets\nOKG will make a best effort to meet the following SLAs for hackers participating in our program.\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not blast the support centre tickets with too many requests.\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. 
However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nNote: The classifications below are not exhaustive. If a valid vulnerability does not appear in this list, OKG will assess its severity and bounty eligibility using CVSS v3.1 and internal business impact analysis. 
This ensures fair and transparent evaluation of novel, creative, or edge-case vulnerabilities that may not be explicitly documented here.\n\n## Web2 Vulnerabilities\nFocus: Issues found on OKG web platforms (e.g., okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Executing arbitrary code on OKG servers\n- SQL Injection (Core DB): Large-scale data access/modification in OKG’s core production database\n- Admin Backend Takeover: Gaining critical admin privileges\n- Mass Account Takeover: Systemic takeover of a large portion of user accounts, typically affecting \u003e50% of users\n- System Command Execution: Running OS commands on servers\n\n### High\n- Stored XSS Worms: Self-replicating cross-site scripting on critical user-facing pages.\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- Account Access at Scale: Unauthorised access to multiple user accounts due to flaws in authentication or authorization logic.\n- SQL Injection (Limited): Extracting specific sensitive data\n- Source Code Leakage: Exposure of significant backend or internal source code\n- SSRF (Contextual Impact): SSRF that reaches internal services (SSRF severity is dependent on the impact of the internal access achieved.)\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting requiring user interaction to trigger.\n- CSRF (Core Business): CSRF targeting non-critical business actions.\n- Auth Bypass (Limited): Unauthorised access to backend or user data without financial impact.\n- Subdomain Takeover: Control of unused subdomains with reputational or phishing risk.\n- Verification Code Flaws: Weaknesses in login or password reset verification logic.\n- Sensitive Data Exposure: Disclosure of encrypted or internal user data through accessible interfaces.\n- Cleartext Credentials: Hardcoded credentials in source code or configuration files, excluding API keys.\n\n### Low\n- Reflected XSS: Non-persistent cross-site scripting in 
URLs or parameters.\n- DOM/Flash XSS: Client-side cross-site scripting with no backend interaction.\n- Open Redirects: Redirecting users to external domains without validation.\n- General Info Leaks: Exposure of internal paths, directories, or debug interfaces.\n- Common CSRF: CSRF targeting non-sensitive user actions.\n- HTTP Header Manipulation: Modifying headers with low impact, such as cache behavior or redirects.\n\n## Mobile Vulnerabilities\nFocus: Issues found in OKX official mobile apps.\n\n### Critical\n- Remote Exploits: Remote compromise of app integrity or execution of code on OKG infrastructure.\n- Mass Data Breach: Unauthorised access to large volumes of user data through application flaws.\n- Admin Privilege Takeover: Gaining backend administrative access via mobile vectors.\n- System Command Execution: Executing operating system commands on application servers.\n- SQL/NoSQL Injection : Exploiting mobile API endpoints to manipulate backend database queries, leading to mass exfiltration/modification of sensitive data (PII, financial info, credentials) or backend system compromise.\n\n### High\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- SSRF (Contextual Impact): SSRF accessing internal systems or services via mobile endpoints.\n- Sensitive Data Exposure: Leaking sensitive information stored or processed by the app.\n- Logic Flaws (Fund Impact): Exploiting application logic to manipulate balances or perform unauthorised transactions.\n- Source Code Leakage: Exposure of significant application source code.\n- Unauthorised Operations: Performing unauthorised transactions or financial operations through app exploits.\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting within mobile app components that requires user interaction.\n- CSRF (Core Business): Cross-site request forgery targeting non-critical business logic.\n- Auth Bypass (Limited): Unauthorised access to user data or 
configurations without financial impact.\n- Local Storage Leaks: Disclosure of sensitive app-stored data, such as session tokens or encrypted credentials.\n- Verification Flaws: Weaknesses in OTP, login, or reset mechanisms due to insufficient validation or rate limiting.\n- Cleartext Credentials: Hardcoded secrets in app files, excluding API keys.\n\n### Low\n- Component Exposure: Unintended exposure of app components, such as exported Android activities or iOS services.\n- Open Redirects: Unvalidated redirects in app flows.\n- HTTP Header Issues: Minor header manipulation with negligible impact.\n\n## Desktop Clients Vulnerabilities\nFocus: Issues found in OKX desktop clients - Windows / MacOS (downloaded from okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Execution of arbitrary code on the client or connected server via the desktop application.\n- Admin Privilege Takeover: Gaining backend administrative control through the client (e.g., server-side SSRF).\n- System Command Execution: Execution of operating system commands on the client or backend server via misconfigurations or unsafe input handling.\n\n### High\n- CSRF (Account Takeover or Fund Transfers): Forged client requests that result in critical authenticated actions.\n- SSRF (Contextual Impact): Forged requests from the app to internal services.\n- Sensitive Data Exposure: Exposure of encrypted seeds or local sensitive data via app functionality.\n- Transaction Disruptions: Client-side bugs that prevent valid trading, deposits, or withdrawals.\n- Logic Flaws (Fund Impact): Exploiting client-side logic to manipulate account balances or transfer behaviors.\n\n### Medium\n- CSRF (Core Business): Forging non-sensitive client actions, such as settings changes.\n- Auth Bypass (Limited): Gaining unauthorised access to user-level configurations or restricted client views.\n- Local Storage Leaks: Exposure of exploitable data stored by the client, such as session tokens or authentication secrets, 
without adequate protection or access control.\n- Cleartext Credentials: Hardcoded secrets (excluding API keys) embedded in client configurations or binaries.\n\n### Low\n- Local DoS: Crashing the desktop app via malformed files or inputs.\n- Minor Misconfigurations: Exposure of temporary or local files with no sensitive data or direct exploitability.\n\n## Web3 Vulnerabilities\nFocus: Issues affecting OKX Web3 Wallet, blockchain infrastructure, or funds.\n\n### Critical\n- Remote exploits on validators/contracts or admin takeovers.\n- Execute code on production infrastructure\n- Steal funds or exfiltrate sensitive data at scale\n- Fully bypass authentication or authorisation protections\n- Affect a majority of users, systems, or business-critical functions\n\n### High\n- Unauthorised access to sensitive user data or funds in limited scope\n- Takeover of accounts with specific user interaction\n- Smart contract exploits with financial impact requiring specific states\n\n### Medium\n- Smart contract bugs that require manual triggering and do not result in loss of funds directly\n- Wallet address manipulation that alters front-end display but not the transaction outcome\n- Replay of previously signed messages that need complex setup\n- Incorrect use of chainID, nonce, or gas calculations that lead to inefficiencies\n- DApp permission misuse that prompts for overbroad approvals, but user must accept\n\n### Low\n- RPC metadata disclosure without sensitive data or elevated access\n- Node instability causing UI refresh or sync delays, not affecting tx execution\n- Minor signature validation errors that cannot bypass permission\n- Smart contract function visibility issues (e.g., public vs external) that don’t affect logic\n- Typos or inaccurate dApp UI rendering not tied to transaction outcome\n\n---\n\n## Additional Guidelines\n- IDOR: Must demonstrate ID discovery path, not brute force only\n- Mobile: Report once per vulnerability across platforms (iOS/Android)\n- 
Wallet Extensions: Report once per vulnerability across platforms (Chrome/Edge/Safari)\n- Duplicates: Same issue in multiple assets = one report\n- False positives, low business impact, or non-exploitable bugs will not be rewarded but may be acknowledged\n- Compliance related reports will be assessed on a case by case basis\n- All reported vulnerabilities must be manually validated by the researcher in the specific context of our applications\n\n---\n\n## AI Usage \u0026 Disclosure  \n- Researchers must disclose any use of AI tools in vulnerability discovery, testing, or report writing.  \n- Regardless of AI assistance, reports must demonstrate genuine human analysis, understanding, and validation of the vulnerability in our specific context.\n- Reports that are clearly auto-generated, templated, or submitted without meaningful human verification (including unvalidated AI-generated reports) may be closed as Not Applicable or Spam, at OKG’s discretion.\n\n---\n\n## Out of Scope\n- Reports from automated tools or scanners\n- False positive SQL Injection without a working PoC demonstrating DB/user name extraction\n- Spam vulnerabilities, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable libraries/components without a working PoC\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated or low-impact forms\n- Attacks requiring MITM, root/jailbreak, or physical access to a user’s device\n- Previously known vulnerable libraries without a working PoC\n- CSV injection without demonstrating exploitation\n- Missing SSL/TLS best practices (e.g. 
weak ciphers, protocol versions)\n- Denial of Service (DoS) or service disruption attempts\n- Content spoofing or text injection without HTML/CSS modification or attack vector\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing Content Security Policy best practices\n- Missing HttpOnly or Secure cookie flags\n- Missing or invalid SPF/DKIM/DMARC records\n- Vulnerabilities affecting only outdated/unpatched browsers (older than 2 stable versions)\n- Software version disclosure, banner info, stack traces, or verbose errors\n- Public 0-days with patches released less than 1 month ago (case-by-case)\n- Tabnabbing\n- Vulnerabilities requiring unlikely user interaction\n- Vulnerabilities already known to internal teams\n- Best practice recommendations (e.g. hardening suggestions)\n- WordPress-related vulnerabilities\n- DLL hijacking without demonstrating privilege escalation\n- Rate-limit bypass by simply changing IP address or device ID\n- Address bar, URL, or domain spoofing within mobile in-app browsers (e.g., dApp or WebView-based browsers)\n- Sensitive data exposure on social media\n- Internal domain takeovers outside okx.com, okg.com, or oklink.com\n- Clients (desktop/mobile) not downloaded from official sources in scope\n- Proof of Reserves being reported as “sensitive document” leak\n- Reports based only on static analysis of binaries without PoC affecting business logic\n- Lack of obfuscation, binary protection, or jailbreak/root detection\n- Certificate pinning bypass on rooted/jailbroken devices\n- Missing exploit mitigations (e.g., PIE, ARC, Stack Canaries)\n- Sensitive data in URLs or request bodies when protected by TLS\n- Path disclosure in binaries\n- Hardcoded/recoverable app secrets in IPA/APK without business impact\n- Sensitive data stored in private app directory\n- App crashes from malformed URL schemes or exported components\n- Runtime exploits only possible in a rooted/jailbroken environment (e.g., via Frida)\n- Leaked 
shared links via clipboard\n- URI leaks caused by malicious apps with permissions\n- Exposure of API keys without demonstrated security impact (e.g., Google Maps API keys or keys found in our public GitHub repositories)\n- Third-party services (unless explicitly allowed)\n- Social engineering, spam, and physical attacks\n- Attacks requiring MITM or root/jailbreak access\n- Services not owned by OKG (e.g., cloud provider vulnerabilities)\n- Mobile/Desktop apps not downloaded from official channels\n- AI-generated vulnerability reports without human validation  \n- Reports that appear to be generated from automated tools or generic templates\n\n# Discretionary “Extreme” Tier Bounties\nWhile our standard reward structure follows CVSS and business impact tiers (Low to Critical), OKG reserves the right to award **Extreme Tier bounties** at our sole discretion.\nExtreme Tier rewards are not tied to a fixed scoring scale. They reflect **extraordinary, edge-case vulnerabilities** with systemic or existential risk to OKG.\n\n**Criteria \u0026 Impact Examples**\n*   Rapid and unauthorised loss of funds \u003e $1 million (Example: exploit drains wallets, bypasses fund protections)\n*   Zero-interaction compromise of multiple wallets, admin systems, or validators\n*   Massive KYC/PII data breach with direct regulatory or reputational impact (Example: exposure of sensitive customer data, financial information)\n*   Systemic risk to platform availability, public trust, or market stability (Example: mass user account takeover, automated abuse of authentication flows)\n\n**Reward Range**\n*   **$30,000 up to $1,000,000+**, depending on severity, exploitability, and impact.\n*   Evaluated case-by-case using OKG’s internal incident response process.\n\n**Additional Considerations**\n*   Researcher reward decisions also take into account **technical complexity**, **speed of reporting**, **integrity**, and **responsible disclosure practices**.\n\n# Business Risk Scoring Guide\nNote: 
To ensure fairness when evaluating vulnerabilities that do not directly affect funds, OKG uses a weighted business impact model that considers Fund Impact, Reputation Risk, and Compliance Risk. Business-risk multipliers adjust placement within the payout range of the assigned severity band; they do not move a report to another band.\n\n### Web2\n\n| Context / Surface                                              | Multiplier |\n|---------------------------------------------------------------|------------|\n| Static unauthenticated pages (marketing, FAQ, terms)           | 1.0×   |\n| Login/register/reset flows with minor issues (open redirect)   | 1.1×  |\n| Authenticated user dashboard (no sensitive data)               | 1.2×       |\n| Authenticated page with PII, order history, personal data      | 1.3×       |\n| Session compromise (stealing cookies/JWTs)                     | 1.3×       |\n| Authenticated page handling account/fund actions (withdrawal, API, trading) | 1.4× |\n| Admin panel or internal tool with sensitive operations | 1.5× |\n\n### Web3\n\n| Context / Surface                                                                  | Multiplier |\n|-----------------------------------------------------------------------------------|------------|\n| Wallet connect / signature request with no security impact                         | 1.0×       |\n| dApp UI with reflected input but no transaction risk                               | 1.1×       |\n| dApp (wallet-connected) leaking balances or transaction history                    | 1.2×       |\n| dApp allowing spoofed signature prompts / phishing-style UX                        | 1.3×       |\n| Smart contract dashboards (staking, governance, etc.) 
with sensitive UI actions    | 1.4×       |\n| XSS leading to wallet signature hijack / transaction injection                     | 1.5×       |\n\n### Mobile\n\n| Context / Surface                                                           | Multiplier |\n|-----------------------------------------------------------------------------|------------|\n| UI issues, clipboard access without sensitive data                          | 1.0×       |\n| Exposure of non-sensitive info (OS version, device model)                   | 1.1×       |\n| Authenticated views with general account data                               | 1.2×       |\n| Sensitive data exposed via logging, screenshots, or memory                  | 1.3×       |\n| WebView issues affecting auth/transaction flow or phishing                  | 1.4×       |\n| Authenticated views with fund transfer, session token, or private key exposure | 1.5×    |\n\n### Desktop\n\n| Context / Surface                                                               | Multiplier |\n|--------------------------------------------------------------------------------|------------|\n| UI bugs, crash reports, logs without sensitive data                            | 1.0×       |\n| DLL hijack with proven privilege escalation path                               | 1.1×       |\n| Authenticated interface with exchange or trading functions                     | 1.2×       |\n| Sensitive data exposed (session tokens, keys)                                  | 1.3×       |\n| Full compromise via desktop client (token theft + bypassing protections)       | 1.4×       |\n\n# Quality \u0026 Context Modifiers\n\n### Additional Factors\n\n| Factor                 | Range          | Description                                                                 
|\n|------------------------|----------------|-----------------------------------------------------------------------------|\n| Exploit Reliability    | 0.5–1.0×       | Is the issue consistently reproducible? Reports that are unstable or device-specific may receive lower payouts. |\n| User interaction       | 0.5–1.0×       | How many steps must a victim take? Exploits requiring multiple clicks, context switches, or unusual actions may reduce payout. |\n| Exposure / coverage    | 0.3–1.0×       | Does the issue affect most users, or only a very narrow cohort or edge case? Broader impact tends toward higher payouts within the band. |\n| Mitigation proximity   | 0.5–1.0×       | Do existing controls (rate limits, approvals, alerts) significantly limit the practical risk? If so, payouts may be lowered. |\n\n# Vulnerability Evaluation Process\n- **Step 1: Triage** for validity, reproducibility, and scope\n- **Step 2: CVSS Baseline**: apply CVSS where applicable\n- **Step 3: Business Risk Evaluation**\n- **Step 4: Quality \u0026 Context Modifiers**\n- **Final Reward Tier** = Technical Severity + Business Impact + Quality \u0026 Context Modifiers\n\n# Reward Bonuses\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\n# Known issues\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":null}","{\"platform_standard\":\"THIRD_PARTY_COMPONENTS_FOR_PROGRAMS_CONSUMING_THE_COMPONENT\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-21T06:52:26.662Z"},{"id":3768566,"new_policy":"About OKG:\n==============\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\n# Response Targets\nOKG will make a best effort to meet the following SLAs for hackers participating in our program.\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not blast the support centre tickets with too many requests.\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. 
However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nNote: The classifications below are not exhaustive. If a valid vulnerability does not appear in this list, OKG will assess its severity and bounty eligibility using CVSS v3.1 and internal business impact analysis. 
This ensures fair and transparent evaluation of novel, creative, or edge-case vulnerabilities that may not be explicitly documented here.\n\n## Web2 Vulnerabilities\nFocus: Issues found on OKG web platforms (e.g., okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Executing arbitrary code on OKX servers\n- SQL Injection (Core DB): Large-scale data access/modification in OKX’s core production database\n- Admin Backend Takeover: Gaining critical admin privileges\n- Mass Account Takeover: Systemic takeover of a large portion of user accounts, typically affecting \u003e50% of users\n- System Command Execution: Running OS commands on servers\n\n### High\n- Stored XSS Worms: Self-replicating cross-site scripting on critical user-facing pages.\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- Account Access at Scale: Unauthorised access to multiple user accounts due to flaws in authentication or authorization logic.\n- SQL Injection (Limited): Extracting specific sensitive data\n- Source Code Leakage: Exposure of significant backend or internal source code\n- SSRF (Contextual Impact): SSRF that reaches internal services (SSRF severity is dependent on the impact of the internal access achieved.)\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting requiring user interaction to trigger.\n- CSRF (Core Business): CSRF targeting non-critical business actions.\n- Auth Bypass (Limited): Unauthorised access to backend or user data without financial impact.\n- Subdomain Takeover: Control of unused subdomains with reputational or phishing risk.\n- Verification Code Flaws: Weaknesses in login or password reset verification logic.\n- Sensitive Data Exposure: Disclosure of encrypted or internal user data through accessible interfaces.\n- Cleartext Credentials: Hardcoded credentials in source code or configuration files, excluding API keys.\n\n### Low\n- Reflected XSS: Non-persistent cross-site scripting in 
URLs or parameters.\n- DOM/Flash XSS: Client-side cross-site scripting with no backend interaction.\n- Open Redirects: Redirecting users to external domains without validation.\n- General Info Leaks: Exposure of internal paths, directories, or debug interfaces.\n- Common CSRF: CSRF targeting non-sensitive user actions.\n- HTTP Header Manipulation: Modifying headers with low impact, such as cache behavior or redirects.\n\n## Mobile Vulnerabilities\nFocus: Issues found in OKX official mobile apps.\n\n### Critical\n- Remote Exploits: Remote compromise of app integrity or execution of code on OKX infrastructure.\n- Mass Data Breach: Unauthorised access to large volumes of user data through application flaws.\n- Admin Privilege Takeover: Gaining backend administrative access via mobile vectors.\n- System Command Execution: Executing operating system commands on application servers.\n- SQL/NoSQL Injection : Exploiting mobile API endpoints to manipulate backend database queries, leading to mass exfiltration/modification of sensitive data (PII, financial info, credentials) or backend system compromise.\n\n### High\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- SSRF (Contextual Impact): SSRF accessing internal systems or services via mobile endpoints.\n- Sensitive Data Exposure: Leaking sensitive information stored or processed by the app.\n- Logic Flaws (Fund Impact): Exploiting application logic to manipulate balances or perform unauthorised transactions.\n- Source Code Leakage: Exposure of significant application source code.\n- Unauthorised Operations: Performing unauthorised transactions or financial operations through app exploits.\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting within mobile app components that requires user interaction.\n- CSRF (Core Business): Cross-site request forgery targeting non-critical business logic.\n- Auth Bypass (Limited): Unauthorised access to user data or 
configurations without financial impact.\n- Local Storage Leaks: Disclosure of sensitive app-stored data, such as session tokens or encrypted credentials.\n- Verification Flaws: Weaknesses in OTP, login, or reset mechanisms due to insufficient validation or rate limiting.\n- Cleartext Credentials: Hardcoded secrets in app files, excluding API keys.\n\n### Low\n- Component Exposure: Unintended exposure of app components, such as exported Android activities or iOS services.\n- Open Redirects: Unvalidated redirects in app flows.\n- HTTP Header Issues: Minor header manipulation with negligible impact.\n\n## Desktop Clients Vulnerabilities\nFocus: Issues found in OKX desktop clients - Windows / MacOS (downloaded from okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Execution of arbitrary code on the client or connected server via the desktop application.\n- Admin Privilege Takeover: Gaining backend administrative control through the client (e.g., server-side SSRF).\n- System Command Execution: Execution of operating system commands on the client or backend server via misconfigurations or unsafe input handling.\n\n### High\n- CSRF (Account Takeover or Fund Transfers): Forged client requests that result in critical authenticated actions.\n- SSRF (Contextual Impact): Forged requests from the app to internal services.\n- Sensitive Data Exposure: Exposure of encrypted seeds or local sensitive data via app functionality.\n- Transaction Disruptions: Client-side bugs that prevent valid trading, deposits, or withdrawals.\n- Logic Flaws (Fund Impact): Exploiting client-side logic to manipulate account balances or transfer behaviors.\n\n### Medium\n- CSRF (Core Business): Forging non-sensitive client actions, such as settings changes.\n- Auth Bypass (Limited): Gaining unauthorised access to user-level configurations or restricted client views.\n- Local Storage Leaks: Exposure of exploitable data stored by the client, such as session tokens or authentication secrets, 
without adequate protection or access control.\n- Cleartext Credentials: Hardcoded secrets (excluding API keys) embedded in client configurations or binaries.\n\n### Low\n- Local DoS: Crashing the desktop app via malformed files or inputs.\n- Minor Misconfigurations: Exposure of temporary or local files with no sensitive data or direct exploitability.\n\n## Web3 Vulnerabilities\nFocus: Issues affecting OKX Web3 Wallet, blockchain infrastructure, or funds.\n\n### Critical\n- Remote exploits on validators/contracts or admin takeovers.\n- Execute code on production infrastructure\n- Steal funds or exfiltrate sensitive data at scale\n- Fully bypass authentication or authorisation protections\n- Affect a majority of users, systems, or business-critical functions\n\n### High\n- Unauthorised access to sensitive user data or funds in limited scope\n- Takeover of accounts with specific user interaction\n- Smart contract exploits with financial impact requiring specific states\n\n### Medium\n- Smart contract bugs that require manual triggering and do not result in loss of funds directly\n- Wallet address manipulation that alters front-end display but not the transaction outcome\n- Replay of previously signed messages that need complex setup\n- Incorrect use of chainID, nonce, or gas calculations that lead to inefficiencies\n- DApp permission misuse that prompts for overbroad approvals, but user must accept\n\n### Low\n- RPC metadata disclosure without sensitive data or elevated access\n- Node instability causing UI refresh or sync delays, not affecting tx execution\n- Minor signature validation errors that cannot bypass permission\n- Smart contract function visibility issues (e.g., public vs external) that don’t affect logic\n- Typos or inaccurate dApp UI rendering not tied to transaction outcome\n\n---\n\n## Additional Guidelines\n- IDOR: Must demonstrate ID discovery path, not brute force only\n- Mobile: Report once per vulnerability across platforms (iOS/Android)\n- 
Wallet Extensions: Report once per vulnerability across platforms (Chrome/Edge/Safari)\n- Duplicates: Same issue in multiple assets = one report\n- False positives, low business impact, or non-exploitable bugs will not be rewarded but may be acknowledged\n- Compliance related reports will be assessed on a case by case basis\n- All reported vulnerabilities must be manually validated by the researcher in the specific context of our applications\n\n---\n\n## AI Usage \u0026 Disclosure  \n- Researchers must disclose any use of AI tools in vulnerability discovery, testing, or report writing.  \n- Regardless of AI assistance, reports must demonstrate genuine human analysis, understanding, and validation of the vulnerability in our specific context.\n- Reports that are clearly auto-generated, templated, or submitted without meaningful human verification (including unvalidated AI-generated reports) may be closed as Not Applicable or Spam, at OKG’s discretion.\n\n---\n\n## Out of Scope\n- Reports from automated tools or scanners\n- False positive SQL Injection without a working PoC demonstrating DB/user name extraction\n- Spam vulnerabilities, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable libraries/components without a working PoC\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated or low-impact forms\n- Attacks requiring MITM, root/jailbreak, or physical access to a user’s device\n- Previously known vulnerable libraries without a working PoC\n- CSV injection without demonstrating exploitation\n- Missing SSL/TLS best practices (e.g. 
weak ciphers, protocol versions)\n- Denial of Service (DoS) or service disruption attempts\n- Content spoofing or text injection without HTML/CSS modification or attack vector\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing Content Security Policy best practices\n- Missing HttpOnly or Secure cookie flags\n- Missing or invalid SPF/DKIM/DMARC records\n- Vulnerabilities affecting only outdated/unpatched browsers (older than 2 stable versions)\n- Software version disclosure, banner info, stack traces, or verbose errors\n- Public 0-days with patches released less than 1 month ago (case-by-case)\n- Tabnabbing\n- Vulnerabilities requiring unlikely user interaction\n- Vulnerabilities already known to internal teams\n- Best practice recommendations (e.g. hardening suggestions)\n- WordPress-related vulnerabilities\n- DLL hijacking without demonstrating privilege escalation\n- Rate-limit bypass by simply changing IP address or device ID\n- Address bar, URL, or domain spoofing within mobile in-app browsers (e.g., dApp or WebView-based browsers)\n- Sensitive data exposure on social media\n- Internal domain takeovers outside okx.com, okg.com, or oklink.com\n- Clients (desktop/mobile) not downloaded from official sources in scope\n- Proof of Reserves being reported as “sensitive document” leak\n- Reports based only on static analysis of binaries without PoC affecting business logic\n- Lack of obfuscation, binary protection, or jailbreak/root detection\n- Certificate pinning bypass on rooted/jailbroken devices\n- Missing exploit mitigations (e.g., PIE, ARC, Stack Canaries)\n- Sensitive data in URLs or request bodies when protected by TLS\n- Path disclosure in binaries\n- Hardcoded/recoverable app secrets in IPA/APK without business impact\n- Sensitive data stored in private app directory\n- App crashes from malformed URL schemes or exported components\n- Runtime exploits only possible in a rooted/jailbroken environment (e.g., via Frida)\n- Leaked 
shared links via clipboard\n- URI leaks caused by malicious apps with permissions\n- Exposure of API keys without demonstrated security impact (e.g., Google Maps API keys or keys found in our public GitHub repositories)\n- Third-party services (unless explicitly allowed)\n- Social engineering, spam, and physical attacks\n- Attacks requiring MITM or root/jailbreak access\n- Services not owned by OKX (e.g., cloud provider vulnerabilities)\n- Mobile/Desktop apps not downloaded from official channels\n- AI-generated vulnerability reports without human validation  \n- Reports that appear to be generated from automated tools or generic templates\n\n# Discretionary “Extreme” Tier Bounties\nWhile our standard reward structure follows CVSS and business impact tiers (Low to Critical), OKX reserves the right to award **Extreme Tier bounties** at our sole discretion.\nExtreme Tier rewards are not tied to a fixed scoring scale. They reflect **extraordinary, edge-case vulnerabilities** with systemic or existential risk to OKX.\n\n**Criteria \u0026 Impact Examples**\n*   Rapid and unauthorised loss of funds \u003e $1 million (Example: exploit drains wallets, bypasses fund protections)\n*   Zero-interaction compromise of multiple wallets, admin systems, or validators\n*   Massive KYC/PII data breach with direct regulatory or reputational impact (Example: exposure of sensitive customer data, financial information)\n*   Systemic risk to platform availability, public trust, or market stability (Example: mass user account takeover, automated abuse of authentication flows)\n\n**Reward Range**\n*   **$30,000 up to $1,000,000+**, depending on severity, exploitability, and impact.\n*   Evaluated case-by-case using OKX’s internal incident response process.\n\n**Additional Considerations**\n*   Researcher reward decisions also take into account **technical complexity**, **speed of reporting**, **integrity**, and **responsible disclosure practices**.\n\n# Business Risk Scoring Guide\nNote: 
To ensure fairness when evaluating vulnerabilities that do not directly affect funds, OKX uses a weighted business impact model that considers Fund Impact, Reputation Risk, and Compliance Risk. Business-risk multipliers adjust placement within the payout range of the assigned severity band; they do not move a report to another band.\n\n### Web2\n\n| Context / Surface                                              | Multiplier |\n|---------------------------------------------------------------|------------|\n| Static unauthenticated pages (marketing, FAQ, terms)           | 1.0×   |\n| Login/register/reset flows with minor issues (open redirect)   | 1.1×  |\n| Authenticated user dashboard (no sensitive data)               | 1.2×       |\n| Authenticated page with PII, order history, personal data      | 1.3×       |\n| Session compromise (stealing cookies/JWTs)                     | 1.3×       |\n| Authenticated page handling account/fund actions (withdrawal, API, trading) | 1.4× |\n| Admin panel or internal tool with sensitive operations | 1.5× |\n\n### Web3\n\n| Context / Surface                                                                  | Multiplier |\n|-----------------------------------------------------------------------------------|------------|\n| Wallet connect / signature request with no security impact                         | 1.0×       |\n| dApp UI with reflected input but no transaction risk                               | 1.1×       |\n| dApp (wallet-connected) leaking balances or transaction history                    | 1.2×       |\n| dApp allowing spoofed signature prompts / phishing-style UX                        | 1.3×       |\n| Smart contract dashboards (staking, governance, etc.) 
with sensitive UI actions    | 1.4×       |\n| XSS leading to wallet signature hijack / transaction injection                     | 1.5×       |\n\n### Mobile\n\n| Context / Surface                                                           | Multiplier |\n|-----------------------------------------------------------------------------|------------|\n| UI issues, clipboard access without sensitive data                          | 1.0×       |\n| Exposure of non-sensitive info (OS version, device model)                   | 1.1×       |\n| Authenticated views with general account data                               | 1.2×       |\n| Sensitive data exposed via logging, screenshots, or memory                  | 1.3×       |\n| WebView issues affecting auth/transaction flow or phishing                  | 1.4×       |\n| Authenticated views with fund transfer, session token, or private key exposure | 1.5×    |\n\n### Desktop\n\n| Context / Surface                                                               | Multiplier |\n|--------------------------------------------------------------------------------|------------|\n| UI bugs, crash reports, logs without sensitive data                            | 1.0×       |\n| DLL hijack with proven privilege escalation path                               | 1.1×       |\n| Authenticated interface with exchange or trading functions                     | 1.2×       |\n| Sensitive data exposed (session tokens, keys)                                  | 1.3×       |\n| Full compromise via desktop client (token theft + bypassing protections)       | 1.4×       |\n\n# Quality \u0026 Context Modifiers\n\n### Additional Factors\n\n| Factor                | Range\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; | Description                                                                 
|\n|------------------------|----------------|-----------------------------------------------------------------------------|\n| Exploit Reliability    | 0.5–1.0×  | Is the issue consistently reproducible? Reports that are unstable or device-specific may receive lower payouts. |\n| User interaction       | 0.5–1.0×  | How many steps must a victim take? Exploits requiring multiple clicks, context switches, or unusual actions may reduce payout. |\n| Exposure / coverage    | 0.3–1.0× | Does the issue affect most users, or only a very narrow cohort or edge case? Broader impact tends toward higher payouts within the band. |\n| Mitigation proximity   | 0.5–1.0× | Do existing controls (rate limits, approvals, alerts) significantly limit the practical risk? If so, payouts may be lowered. |\n\n# Vulnerability Evaluation Process\n**Step 1: Triage** for validity, reproducibility, and scope\n**Step 2: CVSS Baseline** - Apply CVSS where applicable\n**Step 3: Business Risk Evaluation **\n**Step 4: Quality \u0026 Context Modifiers**\n**Final Reward Tier** = Technical Severity + Business Impact + Quality \u0026 Context Modifiers\n\n# Reward Bonuses\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\n# Known issues\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":null}","{\"platform_standard\":\"THIRD_PARTY_COMPONENTS_FOR_PROGRAMS_CONSUMING_THE_COMPONENT\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-21T06:43:57.358Z"},{"id":3768508,"new_policy":"About OKG:\n==============\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\n# Response Targets\nOKG will make a best effort to meet the following SLAs for hackers participating in our program.\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not blast the support centre tickets with too many requests.\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. 
However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nNote: The classifications below are not exhaustive. If a valid vulnerability does not appear in this list, OKG will assess its severity and bounty eligibility using CVSS v3.1 and internal business impact analysis. 
This ensures fair and transparent evaluation of novel, creative, or edge-case vulnerabilities that may not be explicitly documented here.\n\n## Web2 Vulnerabilities\nFocus: Issues found on OKG web platforms (e.g., okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Executing arbitrary code on OKX servers\n- SQL Injection (Core DB): Large-scale data access/modification in OKX’s core production database\n- Admin Backend Takeover: Gaining critical admin privileges\n- Mass Account Takeover: Systemic takeover of a large portion of user accounts, typically affecting \u003e50% of users\n- System Command Execution: Running OS commands on servers\n\n### High\n- Stored XSS Worms: Self-replicating cross-site scripting on critical user-facing pages.\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- Account Access at Scale: Unauthorised access to multiple user accounts due to flaws in authentication or authorization logic.\n- SQL Injection (Limited): Extracting specific sensitive data\n- Source Code Leakage: Exposure of significant backend or internal source code\n- SSRF (Contextual Impact): SSRF that reaches internal services (SSRF severity is dependent on the impact of the internal access achieved.)\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting requiring user interaction to trigger.\n- CSRF (Core Business): CSRF targeting non-critical business actions.\n- Auth Bypass (Limited): Unauthorised access to backend or user data without financial impact.\n- Subdomain Takeover: Control of unused subdomains with reputational or phishing risk.\n- Verification Code Flaws: Weaknesses in login or password reset verification logic.\n- Sensitive Data Exposure: Disclosure of encrypted or internal user data through accessible interfaces.\n- Cleartext Credentials: Hardcoded credentials in source code or configuration files, excluding API keys.\n\n### Low\n- Reflected XSS: Non-persistent cross-site scripting in 
URLs or parameters.\n- DOM/Flash XSS: Client-side cross-site scripting with no backend interaction.\n- Open Redirects: Redirecting users to external domains without validation.\n- General Info Leaks: Exposure of internal paths, directories, or debug interfaces.\n- Common CSRF: CSRF targeting non-sensitive user actions.\n- HTTP Header Manipulation: Modifying headers with low impact, such as cache behavior or redirects.\n\n## Mobile Vulnerabilities\nFocus: Issues found in OKX official mobile apps.\n\n### Critical\n- Remote Exploits: Remote compromise of app integrity or execution of code on OKX infrastructure.\n- Mass Data Breach: Unauthorised access to large volumes of user data through application flaws.\n- Admin Privilege Takeover: Gaining backend administrative access via mobile vectors.\n- System Command Execution: Executing operating system commands on application servers.\n- SQL/NoSQL Injection : Exploiting mobile API endpoints to manipulate backend database queries, leading to mass exfiltration/modification of sensitive data (PII, financial info, credentials) or backend system compromise.\n\n### High\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- SSRF (Contextual Impact): SSRF accessing internal systems or services via mobile endpoints.\n- Sensitive Data Exposure: Leaking sensitive information stored or processed by the app.\n- Logic Flaws (Fund Impact): Exploiting application logic to manipulate balances or perform unauthorised transactions.\n- Source Code Leakage: Exposure of significant application source code.\n- Unauthorised Operations: Performing unauthorised transactions or financial operations through app exploits.\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting within mobile app components that requires user interaction.\n- CSRF (Core Business): Cross-site request forgery targeting non-critical business logic.\n- Auth Bypass (Limited): Unauthorised access to user data or 
configurations without financial impact.\n- Local Storage Leaks: Disclosure of sensitive app-stored data, such as session tokens or encrypted credentials.\n- Verification Flaws: Weaknesses in OTP, login, or reset mechanisms due to insufficient validation or rate limiting.\n- Cleartext Credentials: Hardcoded secrets in app files, excluding API keys.\n\n### Low\n- Component Exposure: Unintended exposure of app components, such as exported Android activities or iOS services.\n- Open Redirects: Unvalidated redirects in app flows.\n- HTTP Header Issues: Minor header manipulation with negligible impact.\n\n## Desktop Clients Vulnerabilities\nFocus: Issues found in OKX desktop clients - Windows / MacOS (downloaded from okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Execution of arbitrary code on the client or connected server via the desktop application.\n- Admin Privilege Takeover: Gaining backend administrative control through the client (e.g., server-side SSRF).\n- System Command Execution: Execution of operating system commands on the client or backend server via misconfigurations or unsafe input handling.\n\n### High\n- CSRF (Account Takeover or Fund Transfers): Forged client requests that result in critical authenticated actions.\n- SSRF (Contextual Impact): Forged requests from the app to internal services.\n- Sensitive Data Exposure: Exposure of encrypted seeds or local sensitive data via app functionality.\n- Transaction Disruptions: Client-side bugs that prevent valid trading, deposits, or withdrawals.\n- Logic Flaws (Fund Impact): Exploiting client-side logic to manipulate account balances or transfer behaviors.\n\n### Medium\n- CSRF (Core Business): Forging non-sensitive client actions, such as settings changes.\n- Auth Bypass (Limited): Gaining unauthorised access to user-level configurations or restricted client views.\n- Local Storage Leaks: Exposure of exploitable data stored by the client, such as session tokens or authentication secrets, 
without adequate protection or access control.\n- Cleartext Credentials: Hardcoded secrets (excluding API keys) embedded in client configurations or binaries.\n\n### Low\n- Local DoS: Crashing the desktop app via malformed files or inputs.\n- Minor Misconfigurations: Exposure of temporary or local files with no sensitive data or direct exploitability.\n\n## Web3 Vulnerabilities\nFocus: Issues affecting OKX Web3 Wallet, blockchain infrastructure, or funds.\n\n### Critical\n- Remote exploits on validators or contracts, or admin takeovers\n- Code execution on production infrastructure\n- Theft of funds or exfiltration of sensitive data at scale\n- Full bypass of authentication or authorisation protections\n- Impact on a majority of users, systems, or business-critical functions\n\n### High\n- Unauthorised access to sensitive user data or funds in limited scope\n- Takeover of accounts with specific user interaction\n- Smart contract exploits with financial impact requiring specific states\n\n### Medium\n- Smart contract bugs that require manual triggering and do not directly result in loss of funds\n- Wallet address manipulation that alters the front-end display but not the transaction outcome\n- Replay of previously signed messages that requires complex setup\n- Incorrect use of chainID, nonce, or gas calculations that leads to inefficiencies\n- dApp permission misuse that prompts for overbroad approvals, but the user must accept\n\n### Low\n- RPC metadata disclosure without sensitive data or elevated access\n- Node instability causing UI refresh or sync delays, not affecting tx execution\n- Minor signature validation errors that cannot bypass permission checks\n- Smart contract function visibility issues (e.g., public vs external) that don’t affect logic\n- Typos or inaccurate dApp UI rendering not tied to transaction outcome\n\n---\n\n## Additional Guidelines\n- IDOR: Must demonstrate how the target ID is discovered; brute force alone does not qualify\n- Mobile: Report once per vulnerability across platforms (iOS/Android)\n- 
Wallet Extensions: Report once per vulnerability across platforms (Chrome/Edge/Safari)\n- Duplicates: Same issue in multiple assets = one report\n- False positives, low business impact, or non-exploitable bugs will not be rewarded but may be acknowledged\n- Compliance-related reports will be assessed on a case-by-case basis\n- All reported vulnerabilities must be manually validated by the researcher in the specific context of our applications\n\n---\n\n## AI Usage \u0026 Disclosure  \n- Researchers must disclose any use of AI tools in vulnerability discovery, testing, or report writing.  \n- Regardless of AI assistance, reports must demonstrate genuine human analysis, understanding, and validation of the vulnerability in our specific context.\n- Reports that are clearly auto-generated, templated, or submitted without meaningful human verification (including unvalidated AI-generated reports) may be closed as Not Applicable or Spam, at OKG’s discretion.\n\n---\n\n## Out of Scope\n- Reports from automated tools or scanners\n- SQL injection without a working PoC demonstrating extraction of the database name or DB user name (scanner false positives)\n- Spam vulnerabilities, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable (previously disclosed) libraries/components without a working PoC\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated or low-impact forms\n- Attacks requiring MITM, root/jailbreak, or physical access to a user’s device\n- CSV injection without demonstrating exploitation\n- Missing SSL/TLS best practices (e.g. 
weak ciphers, protocol versions)\n- Denial of Service (DoS) or service disruption attempts\n- Content spoofing or text injection without HTML/CSS modification or attack vector\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing Content Security Policy best practices\n- Missing HttpOnly or Secure cookie flags\n- Missing or invalid SPF/DKIM/DMARC records\n- Vulnerabilities affecting only outdated/unpatched browsers (older than 2 stable versions)\n- Software version disclosure, banner info, stack traces, or verbose errors\n- Public 0-days with patches released less than 1 month ago (case-by-case)\n- Tabnabbing\n- Vulnerabilities requiring unlikely user interaction\n- Vulnerabilities already known to internal teams\n- Best practice recommendations (e.g. hardening suggestions)\n- WordPress-related vulnerabilities\n- DLL hijacking without demonstrating privilege escalation\n- Rate-limit bypass by simply changing IP address or device ID\n- Address bar, URL, or domain spoofing within mobile in-app browsers (e.g., dApp or WebView-based browsers)\n- Sensitive data exposure on social media\n- Internal domain takeovers outside okx.com, okg.com, or oklink.com\n- Clients (desktop/mobile) not downloaded from official sources in scope\n- Proof of Reserves being reported as “sensitive document” leak\n- Reports based only on static analysis of binaries without PoC affecting business logic\n- Lack of obfuscation, binary protection, or jailbreak/root detection\n- Certificate pinning bypass on rooted/jailbroken devices\n- Missing exploit mitigations (e.g., PIE, ARC, Stack Canaries)\n- Sensitive data in URLs or request bodies when protected by TLS\n- Path disclosure in binaries\n- Hardcoded/recoverable app secrets in IPA/APK without business impact\n- Sensitive data stored in private app directory\n- App crashes from malformed URL schemes or exported components\n- Runtime exploits only possible in a rooted/jailbroken environment (e.g., via Frida)\n- Leaked 
shared links via clipboard\n- URI leaks caused by malicious apps with permissions\n- Exposure of API keys without demonstrated security impact (e.g., Google Maps API keys or keys found in our public GitHub repositories)\n- Third-party services (unless explicitly allowed)\n- Social engineering, spam, and physical attacks\n- Attacks requiring MITM or root/jailbreak access\n- Services not owned by OKX (e.g., cloud provider vulnerabilities)\n- Mobile/Desktop apps not downloaded from official channels\n- AI-generated vulnerability reports without human validation  \n- Reports that appear to be generated from automated tools or generic templates\n\n# Discretionary “Extreme” Tier Bounties\nWhile our standard reward structure follows CVSS and business impact tiers (Low to Critical), OKX reserves the right to award **Extreme Tier bounties** at our sole discretion.\nExtreme Tier rewards are not tied to a fixed scoring scale. They reflect **extraordinary, edge-case vulnerabilities** with systemic or existential risk to OKX.\n\n**Criteria \u0026 Impact Examples**\n*   Rapid and unauthorised loss of funds \u003e $1 million (Example: exploit drains wallets, bypasses fund protections)\n*   Zero-interaction compromise of multiple wallets, admin systems, or validators\n*   Massive KYC/PII data breach with direct regulatory or reputational impact (Example: exposure of sensitive customer data, financial information)\n*   Systemic risk to platform availability, public trust, or market stability (Example: mass user account takeover, automated abuse of authentication flows)\n\n**Reward Range**\n*   **$90,000 up to $1,000,000+**, depending on severity, exploitability, and impact.\n*   Evaluated case-by-case using OKX’s internal incident response process.\n\n**Additional Considerations**\n*   Researcher reward decisions also take into account **technical complexity**, **speed of reporting**, **integrity**, and **responsible disclosure practices**.\n\n# Business Risk Scoring Guide\nNote: 
To ensure fairness when evaluating vulnerabilities that do not directly affect funds, OKX uses a weighted business impact model that considers Fund Impact, Reputation Risk, and Compliance Risk. Business-risk multipliers adjust placement within the payout range of the assigned severity band; they do not move a report to another band.\n\n### Web2\n\n| Context / Surface                                              | Multiplier |\n|---------------------------------------------------------------|------------|\n| Static unauthenticated pages (marketing, FAQ, terms)           | 1.0×   |\n| Login/register/reset flows with minor issues (open redirect)   | 1.1×  |\n| Authenticated user dashboard (no sensitive data)               | 1.2×       |\n| Authenticated page with PII, order history, personal data      | 1.3×       |\n| Session compromise (stealing cookies/JWTs)                     | 1.3×       |\n| Authenticated page handling account/fund actions (withdrawal, API, trading) | 1.4× |\n| Admin panel or internal tool with sensitive operations | 1.5× |\n\n### Web3\n\n| Context / Surface                                                                  | Multiplier |\n|-----------------------------------------------------------------------------------|------------|\n| Wallet connect / signature request with no security impact                         | 1.0×       |\n| dApp UI with reflected input but no transaction risk                               | 1.1×       |\n| dApp (wallet-connected) leaking balances or transaction history                    | 1.2×       |\n| dApp allowing spoofed signature prompts / phishing-style UX                        | 1.3×       |\n| Smart contract dashboards (staking, governance, etc.) 
with sensitive UI actions    | 1.4×       |\n| XSS leading to wallet signature hijack / transaction injection                     | 1.5×       |\n\n### Mobile\n\n| Context / Surface                                                           | Multiplier |\n|-----------------------------------------------------------------------------|------------|\n| UI issues, clipboard access without sensitive data                          | 1.0×       |\n| Exposure of non-sensitive info (OS version, device model)                   | 1.1×       |\n| Authenticated views with general account data                               | 1.2×       |\n| Sensitive data exposed via logging, screenshots, or memory                  | 1.3×       |\n| WebView issues affecting auth/transaction flow or phishing                  | 1.4×       |\n| Authenticated views with fund transfer, session token, or private key exposure | 1.5×    |\n\n### Desktop\n\n| Context / Surface                                                               | Multiplier |\n|--------------------------------------------------------------------------------|------------|\n| UI bugs, crash reports, logs without sensitive data                            | 1.0×       |\n| DLL hijack with proven privilege escalation path                               | 1.1×       |\n| Authenticated interface with exchange or trading functions                     | 1.2×       |\n| Sensitive data exposed (session tokens, keys)                                  | 1.3×       |\n| Full compromise via desktop client (token theft + bypassing protections)       | 1.4×       |\n\n# Quality \u0026 Context Modifiers\n\n### Additional Factors\n\n| Factor                | Range\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; | Description                                                                 
|\n|------------------------|----------------|-----------------------------------------------------------------------------|\n| Exploit Reliability    | 0.5–1.0×  | Is the issue consistently reproducible? Reports that are unstable or device-specific may receive lower payouts. |\n| User interaction       | 0.5–1.0×  | How many steps must a victim take? Exploits requiring multiple clicks, context switches, or unusual actions may reduce payout. |\n| Exposure / coverage    | 0.3–1.0× | Does the issue affect most users, or only a very narrow cohort or edge case? Broader impact tends toward higher payouts within the band. |\n| Mitigation proximity   | 0.5–1.0× | Do existing controls (rate limits, approvals, alerts) significantly limit the practical risk? If so, payouts may be lowered. |\n\n# Vulnerability Evaluation Process\n**Step 1: Triage** for validity, reproducibility, and scope\n**Step 2: CVSS Baseline** - Apply CVSS where applicable\n**Step 3: Business Risk Evaluation** - Apply the business-risk multiplier for the affected surface (see the scoring guide above)\n**Step 4: Quality \u0026 Context Modifiers** - Apply the additional factors listed above\n**Final Reward Tier** = Technical Severity + Business Impact + Quality \u0026 Context Modifiers\n\n# Reward Bonuses\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\n# Known issues\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe ask that you respect our final decision and refrain from repeated negotiation once the decision has been made.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":null}","{\"platform_standard\":\"THIRD_PARTY_COMPONENTS_FOR_PROGRAMS_CONSUMING_THE_COMPONENT\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-20T09:26:46.691Z"},{"id":3768505,"new_policy":"About OKG:\n==============\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\n# Response Targets\nOKG will make a best effort to meet the following SLAs for hackers participating in our program.\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using automated web application scanners for vulnerability discovery, as they generate massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other users’ data; limit all tests to your own accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- If you find chained vulnerabilities, we’ll pay only for the vulnerability with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackerOne team or an authorized employee of this company without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not flood the support centre with tickets.\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. 
However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a current or former employee of OKG or of one of its contractors.\n- Only use your HackerOne email address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nNote: The classifications below are not exhaustive. If a valid vulnerability does not appear in this list, OKG will assess its severity and bounty eligibility using CVSS v3.1 and internal business impact analysis. 
This ensures fair and transparent evaluation of novel, creative, or edge-case vulnerabilities that may not be explicitly documented here.\n\n## Web2 Vulnerabilities\nFocus: Issues found on OKG web platforms (e.g., okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Executing arbitrary code on OKX servers\n- SQL Injection (Core DB): Large-scale data access/modification in OKX’s core production database\n- Admin Backend Takeover: Gaining critical admin privileges\n- Mass Account Takeover: Systemic takeover of a large portion of user accounts, typically affecting \u003e50% of users\n- System Command Execution: Running OS commands on servers\n\n### High\n- Stored XSS Worms: Self-replicating cross-site scripting on critical user-facing pages.\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- Account Access at Scale: Unauthorised access to multiple user accounts due to flaws in authentication or authorization logic.\n- SQL Injection (Limited): Extracting specific sensitive data\n- Source Code Leakage: Exposure of significant backend or internal source code\n- SSRF (Contextual Impact): SSRF that reaches internal services (SSRF severity is dependent on the impact of the internal access achieved.)\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting requiring user interaction to trigger.\n- CSRF (Core Business): CSRF targeting non-critical business actions.\n- Auth Bypass (Limited): Unauthorised access to backend or user data without financial impact.\n- Subdomain Takeover: Control of unused subdomains with reputational or phishing risk.\n- Verification Code Flaws: Weaknesses in login or password reset verification logic.\n- Sensitive Data Exposure: Disclosure of encrypted or internal user data through accessible interfaces.\n- Cleartext Credentials: Hardcoded credentials in source code or configuration files, excluding API keys.\n\n### Low\n- Reflected XSS: Non-persistent cross-site scripting in 
URLs or parameters.\n- DOM/Flash XSS: Client-side cross-site scripting with no backend interaction.\n- Open Redirects: Redirecting users to external domains without validation.\n- General Info Leaks: Exposure of internal paths, directories, or debug interfaces.\n- Common CSRF: CSRF targeting non-sensitive user actions.\n- HTTP Header Manipulation: Modifying headers with low impact, such as cache behavior or redirects.\n\n## Mobile Vulnerabilities\nFocus: Issues found in OKX official mobile apps.\n\n### Critical\n- Remote Exploits: Remote compromise of app integrity or execution of code on OKX infrastructure.\n- Mass Data Breach: Unauthorised access to large volumes of user data through application flaws.\n- Admin Privilege Takeover: Gaining backend administrative access via mobile vectors.\n- System Command Execution: Executing operating system commands on application servers.\n- SQL/NoSQL Injection: Exploiting mobile API endpoints to manipulate backend database queries, leading to mass exfiltration/modification of sensitive data (PII, financial info, credentials) or backend system compromise.\n\n### High\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- SSRF (Contextual Impact): SSRF accessing internal systems or services via mobile endpoints.\n- Sensitive Data Exposure: Leaking sensitive information stored or processed by the app.\n- Logic Flaws (Fund Impact): Exploiting application logic to manipulate balances or perform unauthorised transactions.\n- Source Code Leakage: Exposure of significant application source code.\n- Unauthorised Operations: Performing unauthorised transactions or financial operations through app exploits.\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting within mobile app components that requires user interaction.\n- CSRF (Core Business): Cross-site request forgery targeting non-critical business logic.\n- Auth Bypass (Limited): Unauthorised access to user data or 
configurations without financial impact.\n- Local Storage Leaks: Disclosure of sensitive app-stored data, such as session tokens or encrypted credentials.\n- Verification Flaws: Weaknesses in OTP, login, or reset mechanisms due to insufficient validation or rate limiting.\n- Cleartext Credentials: Hardcoded secrets in app files, excluding API keys.\n\n### Low\n- Component Exposure: Unintended exposure of app components, such as exported Android activities or iOS services.\n- Open Redirects: Unvalidated redirects in app flows.\n- HTTP Header Issues: Minor header manipulation with negligible impact.\n\n## Desktop Client Vulnerabilities\nFocus: Issues found in OKX desktop clients - Windows / macOS (downloaded from okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Execution of arbitrary code on the client or connected server via the desktop application.\n- Admin Privilege Takeover: Gaining backend administrative control through the client (e.g., server-side SSRF).\n- System Command Execution: Execution of operating system commands on the client or backend server via misconfigurations or unsafe input handling.\n\n### High\n- CSRF (Account Takeover or Fund Transfers): Forged client requests that result in critical authenticated actions.\n- SSRF (Contextual Impact): Forged requests from the app to internal services.\n- Sensitive Data Exposure: Exposure of encrypted seeds or local sensitive data via app functionality.\n- Transaction Disruptions: Client-side bugs that prevent valid trading, deposits, or withdrawals.\n- Logic Flaws (Fund Impact): Exploiting client-side logic to manipulate account balances or transfer behaviors.\n\n### Medium\n- CSRF (Core Business): Forging non-sensitive client actions, such as settings changes.\n- Auth Bypass (Limited): Gaining unauthorised access to user-level configurations or restricted client views.\n- Local Storage Leaks: Exposure of exploitable data stored by the client, such as session tokens or authentication secrets, 
without adequate protection or access control.\n- Cleartext Credentials: Hardcoded secrets (excluding API keys) embedded in client configurations or binaries.\n\n### Low\n- Local DoS: Crashing the desktop app via malformed files or inputs.\n- Minor Misconfigurations: Exposure of temporary or local files with no sensitive data or direct exploitability.\n\n## Web3 Vulnerabilities\nFocus: Issues affecting OKX Web3 Wallet, blockchain infrastructure, or funds.\n\n### Critical\n- Remote exploits on validators or contracts, or admin takeovers\n- Code execution on production infrastructure\n- Theft of funds or exfiltration of sensitive data at scale\n- Full bypass of authentication or authorisation protections\n- Impact on a majority of users, systems, or business-critical functions\n\n### High\n- Unauthorised access to sensitive user data or funds in limited scope\n- Takeover of accounts with specific user interaction\n- Smart contract exploits with financial impact requiring specific states\n\n### Medium\n- Smart contract bugs that require manual triggering and do not directly result in loss of funds\n- Wallet address manipulation that alters the front-end display but not the transaction outcome\n- Replay of previously signed messages that requires complex setup\n- Incorrect use of chainID, nonce, or gas calculations that leads to inefficiencies\n- dApp permission misuse that prompts for overbroad approvals, but the user must accept\n\n### Low\n- RPC metadata disclosure without sensitive data or elevated access\n- Node instability causing UI refresh or sync delays, not affecting tx execution\n- Minor signature validation errors that cannot bypass permission checks\n- Smart contract function visibility issues (e.g., public vs external) that don’t affect logic\n- Typos or inaccurate dApp UI rendering not tied to transaction outcome\n\n---\n\n## Additional Guidelines\n- IDOR: Must demonstrate how the target ID is discovered; brute force alone does not qualify\n- Mobile: Report once per vulnerability across platforms (iOS/Android)\n- 
Wallet Extensions: Report once per vulnerability across platforms (Chrome/Edge/Safari)\n- Duplicates: Same issue in multiple assets = one report\n- False positives, low business impact, or non-exploitable bugs will not be rewarded but may be acknowledged\n- Compliance-related reports will be assessed on a case-by-case basis\n- All reported vulnerabilities must be manually validated by the researcher in the specific context of our applications\n\n---\n\n## AI disclosure  \n- Researchers must disclose any use of AI tools in vulnerability discovery, testing, or report writing.  \n- Regardless of AI assistance, reports must demonstrate genuine human analysis, understanding, and validation of the vulnerability in our specific context.\n- Reports that are clearly auto-generated, templated, or submitted without meaningful human verification (including unvalidated AI-generated reports) may be closed as Not Applicable or Spam, at OKG’s discretion.\n\n---\n\n## Out of Scope\n- Reports from automated tools or scanners\n- SQL injection without a working PoC demonstrating extraction of the database name or DB user name (scanner false positives)\n- Spam vulnerabilities, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable (previously disclosed) libraries/components without a working PoC\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated or low-impact forms\n- Attacks requiring MITM, root/jailbreak, or physical access to a user’s device\n- CSV injection without demonstrating exploitation\n- Missing SSL/TLS best practices (e.g. 
weak ciphers, protocol versions)\n- Denial of Service (DoS) or service disruption attempts\n- Content spoofing or text injection without HTML/CSS modification or attack vector\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing Content Security Policy best practices\n- Missing HttpOnly or Secure cookie flags\n- Missing or invalid SPF/DKIM/DMARC records\n- Vulnerabilities affecting only outdated/unpatched browsers (older than 2 stable versions)\n- Software version disclosure, banner info, stack traces, or verbose errors\n- Public 0-days with patches released less than 1 month ago (case-by-case)\n- Tabnabbing\n- Vulnerabilities requiring unlikely user interaction\n- Vulnerabilities already known to internal teams\n- Best practice recommendations (e.g. hardening suggestions)\n- WordPress-related vulnerabilities\n- DLL hijacking without demonstrating privilege escalation\n- Rate-limit bypass by simply changing IP address or device ID\n- Address bar, URL, or domain spoofing within mobile in-app browsers (e.g., dApp or WebView-based browsers)\n- Sensitive data exposure on social media\n- Internal domain takeovers outside okx.com, okg.com, or oklink.com\n- Clients (desktop/mobile) not downloaded from official sources in scope\n- Proof of Reserves being reported as “sensitive document” leak\n- Reports based only on static analysis of binaries without PoC affecting business logic\n- Lack of obfuscation, binary protection, or jailbreak/root detection\n- Certificate pinning bypass on rooted/jailbroken devices\n- Missing exploit mitigations (e.g., PIE, ARC, Stack Canaries)\n- Sensitive data in URLs or request bodies when protected by TLS\n- Path disclosure in binaries\n- Hardcoded/recoverable app secrets in IPA/APK without business impact\n- Sensitive data stored in private app directory\n- App crashes from malformed URL schemes or exported components\n- Runtime exploits only possible in a rooted/jailbroken environment (e.g., via Frida)\n- Leaked 
shared links via clipboard\n- URI leaks caused by malicious apps with permissions\n- Exposure of API keys without demonstrated security impact (e.g., Google Maps API keys or keys found in our public GitHub repositories)\n- Third-party services (unless explicitly allowed)\n- Social engineering, spam, and physical attacks\n- Attacks requiring MITM or root/jailbreak access\n- Services not owned by OKX (e.g., cloud provider vulnerabilities)\n- Mobile/Desktop apps not downloaded from official channels\n- AI-generated vulnerability reports without human validation  \n- Reports that appear to be generated from automated tools or generic templates\n\n# Discretionary “Extreme” Tier Bounties\nWhile our standard reward structure follows CVSS and business impact tiers (Low to Critical), OKX reserves the right to award **Extreme Tier bounties** at our sole discretion.\nExtreme Tier rewards are not tied to a fixed scoring scale. They reflect **extraordinary, edge-case vulnerabilities** with systemic or existential risk to OKX.\n\n**Criteria \u0026 Impact Examples**\n*   Rapid and unauthorised loss of funds \u003e $1 million (Example: exploit drains wallets, bypasses fund protections)\n*   Zero-interaction compromise of multiple wallets, admin systems, or validators\n*   Massive KYC/PII data breach with direct regulatory or reputational impact (Example: exposure of sensitive customer data, financial information)\n*   Systemic risk to platform availability, public trust, or market stability (Example: mass user account takeover, automated abuse of authentication flows)\n\n**Reward Range**\n*   **$90,000 up to $1,000,000+**, depending on severity, exploitability, and impact.\n*   Evaluated case-by-case using OKX’s internal incident response process.\n\n**Additional Considerations**\n*   Researcher reward decisions also take into account **technical complexity**, **speed of reporting**, **integrity**, and **responsible disclosure practices**.\n\n# Business Risk Scoring Guide\nNote: 
To ensure fairness when evaluating vulnerabilities that do not directly affect funds, OKX uses a weighted business impact model that considers Fund Impact, Reputation Risk, and Compliance Risk. Business-risk multipliers adjust placement within the payout range of the assigned severity band; they do not move a report to another band.\n\n### Web2\n\n| Context / Surface                                              | Multiplier |\n|---------------------------------------------------------------|------------|\n| Static unauthenticated pages (marketing, FAQ, terms)           | 1.0×   |\n| Login/register/reset flows with minor issues (open redirect)   | 1.1×  |\n| Authenticated user dashboard (no sensitive data)               | 1.2×       |\n| Authenticated page with PII, order history, personal data      | 1.3×       |\n| Session compromise (stealing cookies/JWTs)                     | 1.3×       |\n| Authenticated page handling account/fund actions (withdrawal, API, trading) | 1.4× |\n| Admin panel or internal tool with sensitive operations | 1.5× |\n\n### Web3\n\n| Context / Surface                                                                  | Multiplier |\n|-----------------------------------------------------------------------------------|------------|\n| Wallet connect / signature request with no security impact                         | 1.0×       |\n| dApp UI with reflected input but no transaction risk                               | 1.1×       |\n| dApp (wallet-connected) leaking balances or transaction history                    | 1.2×       |\n| dApp allowing spoofed signature prompts / phishing-style UX                        | 1.3×       |\n| Smart contract dashboards (staking, governance, etc.) 
with sensitive UI actions    | 1.4×       |\n| XSS leading to wallet signature hijack / transaction injection                     | 1.5×       |\n\n### Mobile\n\n| Context / Surface                                                           | Multiplier |\n|-----------------------------------------------------------------------------|------------|\n| UI issues, clipboard access without sensitive data                          | 1.0×       |\n| Exposure of non-sensitive info (OS version, device model)                   | 1.1×       |\n| Authenticated views with general account data                               | 1.2×       |\n| Sensitive data exposed via logging, screenshots, or memory                  | 1.3×       |\n| WebView issues affecting auth/transaction flow or phishing                  | 1.4×       |\n| Authenticated views with fund transfer, session token, or private key exposure | 1.5×    |\n\n### Desktop\n\n| Context / Surface                                                               | Multiplier |\n|--------------------------------------------------------------------------------|------------|\n| UI bugs, crash reports, logs without sensitive data                            | 1.0×       |\n| DLL hijack with proven privilege escalation path                               | 1.1×       |\n| Authenticated interface with exchange or trading functions                     | 1.2×       |\n| Sensitive data exposed (session tokens, keys)                                  | 1.3×       |\n| Full compromise via desktop client (token theft + bypassing protections)       | 1.4×       |\n\n# Quality \u0026 Context Modifiers\n\n### Additional Factors\n\n| Factor                | Range\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; | Description                                                                 
|\n|------------------------|----------------|-----------------------------------------------------------------------------|\n| Exploit Reliability    | 0.5–1.0×  | Is the issue consistently reproducible? Reports that are unstable or device-specific may receive lower payouts. |\n| User interaction       | 0.5–1.0×  | How many steps must a victim take? Exploits requiring multiple clicks, context switches, or unusual actions may reduce payout. |\n| Exposure / coverage    | 0.3–1.0× | Does the issue affect most users, or only a very narrow cohort or edge case? Broader impact tends toward higher payouts within the band. |\n| Mitigation proximity   | 0.5–1.0× | Do existing controls (rate limits, approvals, alerts) significantly limit the practical risk? If so, payouts may be lowered. |\n\n# Vulnerability Evaluation Process\n- **Step 1: Triage** for validity, reproducibility, and scope\n- **Step 2: CVSS Baseline** - Apply CVSS where applicable\n- **Step 3: Business Risk Evaluation**\n- **Step 4: Quality \u0026 Context Modifiers**\n- **Final Reward Tier** = Technical Severity + Business Impact + Quality \u0026 Context Modifiers\n\n# Reward Bonuses\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\n# Known issues\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":null}","{\"platform_standard\":\"THIRD_PARTY_COMPONENTS_FOR_PROGRAMS_CONSUMING_THE_COMPONENT\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-20T09:22:24.918Z"},{"id":3764879,"new_policy":"About OKG:\n==============\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\n# Response Targets\nOKG will make a best effort to meet the following SLAs for hackers participating in our program.\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not blast the support centre tickets with too many requests.\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. 
However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or of one of our contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nNote: The classifications below are not exhaustive. If a valid vulnerability does not appear in this list, OKG will assess its severity and bounty eligibility using CVSS v3.1 and internal business impact analysis. 
This ensures fair and transparent evaluation of novel, creative, or edge-case vulnerabilities that may not be explicitly documented here.\n\n## Web2 Vulnerabilities\nFocus: Issues found on OKG web platforms (e.g., okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Executing arbitrary code on OKX servers\n- SQL Injection (Core DB): Large-scale data access/modification in OKX’s core production database\n- Admin Backend Takeover: Gaining critical admin privileges\n- Mass Account Takeover: Systemic takeover of a large portion of user accounts, typically affecting \u003e50% of users\n- System Command Execution: Running OS commands on servers\n\n### High\n- Stored XSS Worms: Self-replicating cross-site scripting on critical user-facing pages.\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- Account Access at Scale: Unauthorised access to multiple user accounts due to flaws in authentication or authorization logic.\n- SQL Injection (Limited): Extracting specific sensitive data\n- Source Code Leakage: Exposure of significant backend or internal source code\n- SSRF (Contextual Impact): SSRF that reaches internal services (SSRF severity is dependent on the impact of the internal access achieved.)\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting requiring user interaction to trigger.\n- CSRF (Core Business): CSRF targeting non-critical business actions.\n- Auth Bypass (Limited): Unauthorised access to backend or user data without financial impact.\n- Subdomain Takeover: Control of unused subdomains with reputational or phishing risk.\n- Verification Code Flaws: Weaknesses in login or password reset verification logic.\n- Sensitive Data Exposure: Disclosure of encrypted or internal user data through accessible interfaces.\n- Cleartext Credentials: Hardcoded credentials in source code or configuration files, excluding API keys.\n\n### Low\n- Reflected XSS: Non-persistent cross-site scripting in 
URLs or parameters.\n- DOM/Flash XSS: Client-side cross-site scripting with no backend interaction.\n- Open Redirects: Redirecting users to external domains without validation.\n- General Info Leaks: Exposure of internal paths, directories, or debug interfaces.\n- Common CSRF: CSRF targeting non-sensitive user actions.\n- HTTP Header Manipulation: Modifying headers with low impact, such as cache behavior or redirects.\n\n## Mobile Vulnerabilities\nFocus: Issues found in OKX official mobile apps.\n\n### Critical\n- Remote Exploits: Remote compromise of app integrity or execution of code on OKX infrastructure.\n- Mass Data Breach: Unauthorised access to large volumes of user data through application flaws.\n- Admin Privilege Takeover: Gaining backend administrative access via mobile vectors.\n- System Command Execution: Executing operating system commands on application servers.\n- SQL/NoSQL Injection: Exploiting mobile API endpoints to manipulate backend database queries, leading to mass exfiltration/modification of sensitive data (PII, financial info, credentials) or backend system compromise.\n\n### High\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- SSRF (Contextual Impact): SSRF accessing internal systems or services via mobile endpoints.\n- Sensitive Data Exposure: Leaking sensitive information stored or processed by the app.\n- Logic Flaws (Fund Impact): Exploiting application logic to manipulate balances or perform unauthorised transactions.\n- Source Code Leakage: Exposure of significant application source code.\n- Unauthorised Operations: Performing unauthorised transactions or financial operations through app exploits.\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting within mobile app components that requires user interaction.\n- CSRF (Core Business): Cross-site request forgery targeting non-critical business logic.\n- Auth Bypass (Limited): Unauthorised access to user data or 
configurations without financial impact.\n- Local Storage Leaks: Disclosure of sensitive app-stored data, such as session tokens or encrypted credentials.\n- Verification Flaws: Weaknesses in OTP, login, or reset mechanisms due to insufficient validation or rate limiting.\n- Cleartext Credentials: Hardcoded secrets in app files, excluding API keys.\n\n### Low\n- Component Exposure: Unintended exposure of app components, such as exported Android activities or iOS services.\n- Open Redirects: Unvalidated redirects in app flows.\n- HTTP Header Issues: Minor header manipulation with negligible impact.\n\n## Desktop Clients Vulnerabilities\nFocus: Issues found in OKX desktop clients - Windows / MacOS (downloaded from okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Execution of arbitrary code on the client or connected server via the desktop application.\n- Admin Privilege Takeover: Gaining backend administrative control through the client (e.g., server-side SSRF).\n- System Command Execution: Execution of operating system commands on the client or backend server via misconfigurations or unsafe input handling.\n\n### High\n- CSRF (Account Takeover or Fund Transfers): Forged client requests that result in critical authenticated actions.\n- SSRF (Contextual Impact): Forged requests from the app to internal services.\n- Sensitive Data Exposure: Exposure of encrypted seeds or local sensitive data via app functionality.\n- Transaction Disruptions: Client-side bugs that prevent valid trading, deposits, or withdrawals.\n- Logic Flaws (Fund Impact): Exploiting client-side logic to manipulate account balances or transfer behaviors.\n\n### Medium\n- CSRF (Core Business): Forging non-sensitive client actions, such as settings changes.\n- Auth Bypass (Limited): Gaining unauthorised access to user-level configurations or restricted client views.\n- Local Storage Leaks: Exposure of exploitable data stored by the client, such as session tokens or authentication secrets, 
without adequate protection or access control.\n- Cleartext Credentials: Hardcoded secrets (excluding API keys) embedded in client configurations or binaries.\n\n### Low\n- Local DoS: Crashing the desktop app via malformed files or inputs.\n- Minor Misconfigurations: Exposure of temporary or local files with no sensitive data or direct exploitability.\n\n## Web3 Vulnerabilities\nFocus: Issues affecting OKX Web3 Wallet, blockchain infrastructure, or funds.\n\n### Critical\n- Remote exploits on validators/contracts or admin takeovers.\n- Execute code on production infrastructure\n- Steal funds or exfiltrate sensitive data at scale\n- Fully bypass authentication or authorisation protections\n- Affect a majority of users, systems, or business-critical functions\n\n### High\n- Unauthorised access to sensitive user data or funds in limited scope\n- Takeover of accounts with specific user interaction\n- Smart contract exploits with financial impact requiring specific states\n\n### Medium\n- Smart contract bugs that require manual triggering and do not result in loss of funds directly\n- Wallet address manipulation that alters front-end display but not the transaction outcome\n- Replay of previously signed messages that need complex setup\n- Incorrect use of chainID, nonce, or gas calculations that lead to inefficiencies\n- DApp permission misuse that prompts for overbroad approvals, but user must accept\n\n### Low\n- RPC metadata disclosure without sensitive data or elevated access\n- Node instability causing UI refresh or sync delays, not affecting tx execution\n- Minor signature validation errors that cannot bypass permission\n- Smart contract function visibility issues (e.g., public vs external) that don’t affect logic\n- Typos or inaccurate dApp UI rendering not tied to transaction outcome\n\n---\n## Additional Guidelines\n- IDOR: Must demonstrate ID discovery path, not brute force only\n- Mobile: Report once per vulnerability across platforms (iOS/Android)\n- Wallet 
Extensions: Report once per vulnerability across platforms (Chrome/Edge/Safari)\n- Duplicates: Same issue in multiple assets = one report\n- False positives, low business impact, or non-exploitable bugs will not be rewarded but may be acknowledged\n- Compliance related reports will be assessed on a case by case basis\n---\n\n## Out of Scope\n- Reports from automated tools or scanners\n- False positive SQL Injection without a working PoC demonstrating DB/user name extraction\n- Spam vulnerabilities, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable libraries/components without a working PoC\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated or low-impact forms\n- Attacks requiring MITM, root/jailbreak, or physical access to a user’s device\n- Previously known vulnerable libraries without a working PoC\n- CSV injection without demonstrating exploitation\n- Missing SSL/TLS best practices (e.g. weak ciphers, protocol versions)\n- Denial of Service (DoS) or service disruption attempts\n- Content spoofing or text injection without HTML/CSS modification or attack vector\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing Content Security Policy best practices\n- Missing HttpOnly or Secure cookie flags\n- Missing or invalid SPF/DKIM/DMARC records\n- Vulnerabilities affecting only outdated/unpatched browsers (older than 2 stable versions)\n- Software version disclosure, banner info, stack traces, or verbose errors\n- Public 0-days with patches released less than 1 month ago (case-by-case)\n- Tabnabbing\n- Vulnerabilities requiring unlikely user interaction\n- Vulnerabilities already known to internal teams\n- Best practice recommendations (e.g. 
hardening suggestions)\n- WordPress-related vulnerabilities\n- DLL hijacking without demonstrating privilege escalation\n- Rate-limit bypass by simply changing IP address or device ID\n- Address bar, URL, or domain spoofing within mobile in-app browsers (e.g., dApp or WebView-based browsers)\n- Sensitive data exposure on social media\n- Internal domain takeovers outside okx.com, okg.com, or oklink.com\n- Clients (desktop/mobile) not downloaded from official sources in scope\n- Proof of Reserves being reported as “sensitive document” leak\n- Reports based only on static analysis of binaries without PoC affecting business logic\n- Lack of obfuscation, binary protection, or jailbreak/root detection\n- Certificate pinning bypass on rooted/jailbroken devices\n- Missing exploit mitigations (e.g., PIE, ARC, Stack Canaries)\n- Sensitive data in URLs or request bodies when protected by TLS\n- Path disclosure in binaries\n- Hardcoded/recoverable app secrets in IPA/APK without business impact\n- Sensitive data stored in private app directory\n- App crashes from malformed URL schemes or exported components\n- Runtime exploits only possible in a rooted/jailbroken environment (e.g., via Frida)\n- Leaked shared links via clipboard\n- URI leaks caused by malicious apps with permissions\n- Exposure of API keys without demonstrated security impact (e.g., Google Maps API keys or keys found in our public GitHub repositories)\n- Third-party services (unless explicitly allowed)\n- Social engineering, spam, and physical attacks\n- Attacks requiring MITM or root/jailbreak access\n- Services not owned by OKX (e.g., cloud provider vulnerabilities)\n- Mobile/Desktop apps not downloaded from official channels\n\n# Discretionary “Extreme” Tier Bounties\nWhile our standard reward structure follows CVSS and business impact tiers (Low to Critical), OKX reserves the right to award **Extreme Tier bounties** at our sole discretion.\nExtreme Tier rewards are not tied to a fixed scoring scale. 
They reflect **extraordinary, edge-case vulnerabilities** with systemic or existential risk to OKX.\n\n**Criteria \u0026 Impact Examples**\n*   Rapid and unauthorised loss of funds \u003e $1 million (Example: exploit drains wallets, bypasses fund protections)\n*   Zero-interaction compromise of multiple wallets, admin systems, or validators\n*   Massive KYC/PII data breach with direct regulatory or reputational impact (Example: exposure of sensitive customer data, financial information)\n*   Systemic risk to platform availability, public trust, or market stability (Example: mass user account takeover, automated abuse of authentication flows)\n\n**Reward Range**\n*   **$90,000 up to $1,000,000+**, depending on severity, exploitability, and impact.\n*   Evaluated case-by-case using OKX’s internal incident response process.\n\n**Additional Considerations**\n*   Researcher reward decisions also take into account **technical complexity**, **speed of reporting**, **integrity**, and **responsible disclosure practices**.\n\n# Business Risk Scoring Guide\nNote: To ensure fairness when evaluating vulnerabilities that do not directly affect funds, OKX uses a weighted business impact model that considers Fund Impact, Reputation Risk, and Compliance Risk. 
Business-risk multipliers adjust placement within the payout range of the assigned severity band; they do not move a report to another band.\n\n### Web2\n\n| Context / Surface                                              | Multiplier |\n|---------------------------------------------------------------|------------|\n| Static unauthenticated pages (marketing, FAQ, terms)           | 1.0×   |\n| Login/register/reset flows with minor issues (open redirect)   | 1.1×  |\n| Authenticated user dashboard (no sensitive data)               | 1.2×       |\n| Authenticated page with PII, order history, personal data      | 1.3×       |\n| Session compromise (stealing cookies/JWTs)                     | 1.3×       |\n| Authenticated page handling account/fund actions (withdrawal, API, trading) | 1.4× |\n| Admin panel or internal tool with sensitive operations | 1.5× |\n\n### Web3\n\n| Context / Surface                                                                  | Multiplier |\n|-----------------------------------------------------------------------------------|------------|\n| Wallet connect / signature request with no security impact                         | 1.0×       |\n| dApp UI with reflected input but no transaction risk                               | 1.1×       |\n| dApp (wallet-connected) leaking balances or transaction history                    | 1.2×       |\n| dApp allowing spoofed signature prompts / phishing-style UX                        | 1.3×       |\n| Smart contract dashboards (staking, governance, etc.) 
with sensitive UI actions    | 1.4×       |\n| XSS leading to wallet signature hijack / transaction injection                     | 1.5×       |\n\n### Mobile\n\n| Context / Surface                                                           | Multiplier |\n|-----------------------------------------------------------------------------|------------|\n| UI issues, clipboard access without sensitive data                          | 1.0×       |\n| Exposure of non-sensitive info (OS version, device model)                   | 1.1×       |\n| Authenticated views with general account data                               | 1.2×       |\n| Sensitive data exposed via logging, screenshots, or memory                  | 1.3×       |\n| WebView issues affecting auth/transaction flow or phishing                  | 1.4×       |\n| Authenticated views with fund transfer, session token, or private key exposure | 1.5×    |\n\n### Desktop\n\n| Context / Surface                                                               | Multiplier |\n|--------------------------------------------------------------------------------|------------|\n| UI bugs, crash reports, logs without sensitive data                            | 1.0×       |\n| DLL hijack with proven privilege escalation path                               | 1.1×       |\n| Authenticated interface with exchange or trading functions                     | 1.2×       |\n| Sensitive data exposed (session tokens, keys)                                  | 1.3×       |\n| Full compromise via desktop client (token theft + bypassing protections)       | 1.4×       |\n\n# Quality \u0026 Context Modifiers\n\n### Additional Factors\n\n| Factor                | Range\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp;\u0026nbsp; | Description                                                                 
|\n|------------------------|----------------|-----------------------------------------------------------------------------|\n| Exploit Reliability    | 0.5–1.0×  | Is the issue consistently reproducible? Reports that are unstable or device-specific may receive lower payouts. |\n| User interaction       | 0.5–1.0×  | How many steps must a victim take? Exploits requiring multiple clicks, context switches, or unusual actions may reduce payout. |\n| Exposure / coverage    | 0.3–1.0× | Does the issue affect most users, or only a very narrow cohort or edge case? Broader impact tends toward higher payouts within the band. |\n| Mitigation proximity   | 0.5–1.0× | Do existing controls (rate limits, approvals, alerts) significantly limit the practical risk? If so, payouts may be lowered. |\n\n# Vulnerability Evaluation Process\n- **Step 1: Triage** for validity, reproducibility, and scope\n- **Step 2: CVSS Baseline** - Apply CVSS where applicable\n- **Step 3: Business Risk Evaluation**\n- **Step 4: Quality \u0026 Context Modifiers**\n- **Final Reward Tier** = Technical Severity + Business Impact + Quality \u0026 Context Modifiers\n\n# Reward Bonuses\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\n# Known issues\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":null}","{\"platform_standard\":\"THIRD_PARTY_COMPONENTS_FOR_PROGRAMS_CONSUMING_THE_COMPONENT\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-21T02:52:52.853Z"},{"id":3764702,"new_policy":"About OKG:\n==============\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\n# Response Targets\nOKG will make a best effort to meet the following SLAs for hackers participating in our program.\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not blast the support centre tickets with too many requests.\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. 
However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or of one of our contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nNote: The classifications below are not exhaustive. If a valid vulnerability does not appear in this list, OKG will assess its severity and bounty eligibility using CVSS v3.1 and internal business impact analysis. 
This ensures fair and transparent evaluation of novel, creative, or edge-case vulnerabilities that may not be explicitly documented here.\n\n## Web2 Vulnerabilities\nFocus: Issues found on OKG web platforms (e.g., okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Executing arbitrary code on OKX servers\n- SQL Injection (Core DB): Large-scale data access/modification in OKX’s core production database\n- Admin Backend Takeover: Gaining critical admin privileges\n- Mass Account Takeover: Systemic takeover of a large portion of user accounts, typically affecting \u003e50% of users\n- System Command Execution: Running OS commands on servers\n\n### High\n- Stored XSS Worms: Self-replicating cross-site scripting on critical user-facing pages.\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- Account Access at Scale: Unauthorised access to multiple user accounts due to flaws in authentication or authorization logic.\n- SQL Injection (Limited): Extracting specific sensitive data\n- Source Code Leakage: Exposure of significant backend or internal source code\n- SSRF (Contextual Impact): SSRF that reaches internal services (SSRF severity is dependent on the impact of the internal access achieved.)\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting requiring user interaction to trigger.\n- CSRF (Core Business): CSRF targeting non-critical business actions.\n- Auth Bypass (Limited): Unauthorised access to backend or user data without financial impact.\n- Subdomain Takeover: Control of unused subdomains with reputational or phishing risk.\n- Verification Code Flaws: Weaknesses in login or password reset verification logic.\n- Sensitive Data Exposure: Disclosure of encrypted or internal user data through accessible interfaces.\n- Cleartext Credentials: Hardcoded credentials in source code or configuration files, excluding API keys.\n\n### Low\n- Reflected XSS: Non-persistent cross-site scripting in 
URLs or parameters.\n- DOM/Flash XSS: Client-side cross-site scripting with no backend interaction.\n- Open Redirects: Redirecting users to external domains without validation.\n- General Info Leaks: Exposure of internal paths, directories, or debug interfaces.\n- Common CSRF: CSRF targeting non-sensitive user actions.\n- HTTP Header Manipulation: Modifying headers with low impact, such as cache behavior or redirects.\n\n## Mobile Vulnerabilities\nFocus: Issues found in OKX official mobile apps.\n\n### Critical\n- Remote Exploits: Remote compromise of app integrity or execution of code on OKX infrastructure.\n- Mass Data Breach: Unauthorised access to large volumes of user data through application flaws.\n- Admin Privilege Takeover: Gaining backend administrative access via mobile vectors.\n- System Command Execution: Executing operating system commands on application servers.\n- SQL/NoSQL Injection: Exploiting mobile API endpoints to manipulate backend database queries, leading to mass exfiltration/modification of sensitive data (PII, financial info, credentials) or backend system compromise.\n\n### High\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- SSRF (Contextual Impact): SSRF accessing internal systems or services via mobile endpoints.\n- Sensitive Data Exposure: Leaking sensitive information stored or processed by the app.\n- Logic Flaws (Fund Impact): Exploiting application logic to manipulate balances or perform unauthorised transactions.\n- Source Code Leakage: Exposure of significant application source code.\n- Unauthorised Operations: Performing unauthorised transactions or financial operations through app exploits.\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting within mobile app components that requires user interaction.\n- CSRF (Core Business): Cross-site request forgery targeting non-critical business logic.\n- Auth Bypass (Limited): Unauthorised access to user data or 
configurations without financial impact.\n- Local Storage Leaks: Disclosure of sensitive app-stored data, such as session tokens or encrypted credentials.\n- Verification Flaws: Weaknesses in OTP, login, or reset mechanisms due to insufficient validation or rate limiting.\n- Cleartext Credentials: Hardcoded secrets in app files, excluding API keys.\n\n### Low\n- Component Exposure: Unintended exposure of app components, such as exported Android activities or iOS services.\n- Open Redirects: Unvalidated redirects in app flows.\n- HTTP Header Issues: Minor header manipulation with negligible impact.\n\n## Desktop Clients Vulnerabilities\nFocus: Issues found in OKX desktop clients - Windows / MacOS (downloaded from okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Execution of arbitrary code on the client or connected server via the desktop application.\n- Admin Privilege Takeover: Gaining backend administrative control through the client (e.g., server-side SSRF).\n- System Command Execution: Execution of operating system commands on the client or backend server via misconfigurations or unsafe input handling.\n\n### High\n- CSRF (Account Takeover or Fund Transfers): Forged client requests that result in critical authenticated actions.\n- SSRF (Contextual Impact): Forged requests from the app to internal services.\n- Sensitive Data Exposure: Exposure of encrypted seeds or local sensitive data via app functionality.\n- Transaction Disruptions: Client-side bugs that prevent valid trading, deposits, or withdrawals.\n- Logic Flaws (Fund Impact): Exploiting client-side logic to manipulate account balances or transfer behaviors.\n\n### Medium\n- CSRF (Core Business): Forging non-sensitive client actions, such as settings changes.\n- Auth Bypass (Limited): Gaining unauthorised access to user-level configurations or restricted client views.\n- Local Storage Leaks: Exposure of exploitable data stored by the client, such as session tokens or authentication secrets, 
without adequate protection or access control.\n- Cleartext Credentials: Hardcoded secrets (excluding API keys) embedded in client configurations or binaries.\n\n### Low\n- Local DoS: Crashing the desktop app via malformed files or inputs.\n- Minor Misconfigurations: Exposure of temporary or local files with no sensitive data or direct exploitability.\n\n## Web3 Vulnerabilities\nFocus: Issues affecting OKX Web3 Wallet, blockchain infrastructure, or funds.\n\n### Critical\n- Remote exploits on validators/contracts or admin takeovers.\n- Execute code on production infrastructure\n- Steal funds or exfiltrate sensitive data at scale\n- Fully bypass authentication or authorisation protections\n- Affect a majority of users, systems, or business-critical functions\n\n### High\n- Unauthorised access to sensitive user data or funds in limited scope\n- Takeover of accounts with specific user interaction\n- Smart contract exploits with financial impact requiring specific states\n\n### Medium\n- Smart contract bugs that require manual triggering and do not result in loss of funds directly\n- Wallet address manipulation that alters front-end display but not the transaction outcome\n- Replay of previously signed messages that need complex setup\n- Incorrect use of chainID, nonce, or gas calculations that lead to inefficiencies\n- DApp permission misuse that prompts for overbroad approvals, but user must accept\n\n### Low\n- RPC metadata disclosure without sensitive data or elevated access\n- Node instability causing UI refresh or sync delays, not affecting tx execution\n- Minor signature validation errors that cannot bypass permission\n- Smart contract function visibility issues (e.g., public vs external) that don’t affect logic\n- Typos or inaccurate dApp UI rendering not tied to transaction outcome\n\n---\n## Additional Guidelines\n- IDOR: Must demonstrate ID discovery path, not brute force only\n- Mobile: Report once per vulnerability across platforms (iOS/Android)\n- Wallet 
Extensions: Report once per vulnerability across platforms (Chrome/Edge/Safari)\n- Duplicates: Same issue in multiple assets = one report\n- False positives, low business impact, or non-exploitable bugs will not be rewarded but may be acknowledged\n\n---\n\n## Out of Scope\n- Reports from automated tools or scanners\n- False positive SQL Injection without a working PoC demonstrating DB/user name extraction\n- Spam vulnerabilities, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable libraries/components without a working PoC\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated or low-impact forms\n- Attacks requiring MITM, root/jailbreak, or physical access to a user’s device\n- Previously known vulnerable libraries without a working PoC\n- CSV injection without demonstrating exploitation\n- Missing SSL/TLS best practices (e.g. weak ciphers, protocol versions)\n- Denial of Service (DoS) or service disruption attempts\n- Content spoofing or text injection without HTML/CSS modification or attack vector\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing Content Security Policy best practices\n- Missing HttpOnly or Secure cookie flags\n- Missing or invalid SPF/DKIM/DMARC records\n- Vulnerabilities affecting only outdated/unpatched browsers (older than 2 stable versions)\n- Software version disclosure, banner info, stack traces, or verbose errors\n- Public 0-days with patches released less than 1 month ago (case-by-case)\n- Tabnabbing\n- Vulnerabilities requiring unlikely user interaction\n- Vulnerabilities already known to internal teams\n- Best practice recommendations (e.g. 
hardening suggestions)\n- WordPress-related vulnerabilities\n- DLL hijacking without demonstrating privilege escalation\n- Rate-limit bypass by simply changing IP address or device ID\n- Address bar, URL, or domain spoofing within mobile in-app browsers (e.g., dApp or WebView-based browsers)\n- Sensitive data exposure on social media\n- Internal domain takeovers outside okx.com, okg.com, or oklink.com\n- Clients (desktop/mobile) not downloaded from official sources in scope\n- Proof of Reserves being reported as “sensitive document” leak\n- Reports based only on static analysis of binaries without PoC affecting business logic\n- Lack of obfuscation, binary protection, or jailbreak/root detection\n- Certificate pinning bypass on rooted/jailbroken devices\n- Missing exploit mitigations (e.g., PIE, ARC, Stack Canaries)\n- Sensitive data in URLs or request bodies when protected by TLS\n- Path disclosure in binaries\n- Hardcoded/recoverable app secrets in IPA/APK without business impact\n- Sensitive data stored in private app directory\n- App crashes from malformed URL schemes or exported components\n- Runtime exploits only possible in a rooted/jailbroken environment (e.g., via Frida)\n- Leaked shared links via clipboard\n- URI leaks caused by malicious apps with permissions\n- Exposure of API keys without demonstrated security impact (e.g., Google Maps API keys or keys found in our public GitHub repositories)\n- Third-party services (unless explicitly allowed)\n- Social engineering, spam, and physical attacks\n- Attacks requiring MITM or root/jailbreak access\n- Services not owned by OKX (e.g., cloud provider vulnerabilities)\n- Mobile/Desktop apps not downloaded from official channels\n\n# Discretionary “Extreme” Tier Bounties\nWhile our standard reward structure follows CVSS and business impact tiers (Low to Critical), OKX reserves the right to award **Extreme Tier bounties** at our sole discretion.\nExtreme Tier rewards are not tied to a fixed scoring scale. 
They reflect **extraordinary, edge-case vulnerabilities** with systemic or existential risk to OKX.\n\n**Criteria \u0026 Impact Examples**\n*   Rapid and unauthorised loss of funds \u003e $1 million (Example: exploit drains wallets, bypasses fund protections)\n*   Zero-interaction compromise of multiple wallets, admin systems, or validators\n*   Massive KYC/PII data breach with direct regulatory or reputational impact (Example: exposure of sensitive customer data, financial information)\n*   Systemic risk to platform availability, public trust, or market stability (Example: mass user account takeover, automated abuse of authentication flows)\n\n**Reward Range**\n*   **$90,000 up to $1,000,000+**, depending on severity, exploitability, and impact.\n*   Evaluated case-by-case using OKX’s internal incident response process.\n\n**Additional Considerations**\n*   Researcher reward decisions also take into account **technical complexity**, **speed of reporting**, **integrity**, and **responsible disclosure practices**.\n\n# Business Risk Scoring Guide\nNote: To ensure fairness when evaluating vulnerabilities that do not directly affect funds, OKX uses a weighted business impact model that considers Fund Impact, Reputation Risk, and Compliance Risk. 
Business-risk multipliers adjust placement within the payout range of the assigned severity band; they do not move a report to another band.\n\n### Web2\n\n| Context / Surface                                              | Multiplier |\n|---------------------------------------------------------------|------------|\n| Static unauthenticated pages (marketing, FAQ, terms)           | 1.0×   |\n| Login/register/reset flows with minor issues (open redirect)   | 1.1×  |\n| Authenticated user dashboard (no sensitive data)               | 1.2×       |\n| Authenticated page with PII, order history, personal data      | 1.3×       |\n| Session compromise (stealing cookies/JWTs)                     | 1.3×       |\n| Authenticated page handling account/fund actions (withdrawal, API, trading) | 1.4× |\n| Admin panel or internal tool with sensitive operations | 1.5× |\n\n### Web3\n\n| Context / Surface                                                                  | Multiplier |\n|-----------------------------------------------------------------------------------|------------|\n| Wallet connect / signature request with no security impact                         | 1.0×       |\n| dApp UI with reflected input but no transaction risk                               | 1.1×       |\n| dApp (wallet-connected) leaking balances or transaction history                    | 1.2×       |\n| dApp allowing spoofed signature prompts / phishing-style UX                        | 1.3×       |\n| Smart contract dashboards (staking, governance, etc.) 
with sensitive UI actions | 1.4× |\n| XSS leading to wallet signature hijack / transaction injection | 1.5× |\n\n### Mobile\n\n| Context / Surface | Multiplier |\n|-------------------|------------|\n| UI issues, clipboard access without sensitive data | 1.0× |\n| Exposure of non-sensitive info (OS version, device model) | 1.1× |\n| Authenticated views with general account data | 1.2× |\n| Sensitive data exposed via logging, screenshots, or memory | 1.3× |\n| WebView issues affecting auth/transaction flow or phishing | 1.4× |\n| Authenticated views with fund transfer, session token, or private key exposure | 1.5× |\n\n### Desktop\n\n| Context / Surface | Multiplier |\n|-------------------|------------|\n| UI bugs, crash reports, logs without sensitive data | 1.0× |\n| DLL hijack with proven privilege escalation path | 1.1× |\n| Authenticated interface with exchange or trading functions | 1.2× |\n| Sensitive data exposed (session tokens, keys) | 1.3× |\n| Full compromise via desktop client (token theft + bypassing protections) | 1.4× |\n\n# Quality \u0026 Context Modifiers\n\n### Additional Factors\n\n| Factor | Range | Description 
|\n|--------|-------|-------------|\n| Exploit Reliability | 0.5–1.0× | Is the issue consistently reproducible? Reports that are unstable or device-specific may receive lower payouts. |\n| User interaction | 0.5–1.0× | How many steps must a victim take? Exploits requiring multiple clicks, context switches, or unusual actions may reduce payout. |\n| Exposure / coverage | 0.3–1.0× | Does the issue affect most users, or only a very narrow cohort or edge case? Broader impact tends toward higher payouts within the band. |\n| Mitigation proximity | 0.5–1.0× | Do existing controls (rate limits, approvals, alerts) significantly limit the practical risk? If so, payouts may be lowered. |\n\n# Vulnerability Evaluation Process\n- **Step 1: Triage** for validity, reproducibility, and scope\n- **Step 2: CVSS Baseline** - Apply CVSS where applicable\n- **Step 3: Business Risk Evaluation**\n- **Step 4: Quality \u0026 Context Modifiers**\n- **Final Reward Tier** = Technical Severity + Business Impact + Quality \u0026 Context Modifiers\n\n# Reward Bonuses\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\n# Known issues\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":null}","{\"platform_standard\":\"THIRD_PARTY_COMPONENTS_FOR_PROGRAMS_CONSUMING_THE_COMPONENT\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-16T02:34:33.819Z"},{"id":3764562,"new_policy":"About OKG:\n==============\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\n# Response Targets\nOKG will make a best effort to meet the following SLAs for hackers participating in our program.\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not blast the support centre tickets with too many requests.\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. 
However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nNote: The classifications below are not exhaustive. If a valid vulnerability does not appear in this list, OKG will assess its severity and bounty eligibility using CVSS v3.1 and internal business impact analysis. 
This ensures fair and transparent evaluation of novel, creative, or edge-case vulnerabilities that may not be explicitly documented here.\n\n## Web2 Vulnerabilities\nFocus: Issues found on OKG web platforms (e.g., okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Executing arbitrary code on OKX servers\n- SQL Injection (Core DB): Large-scale data access/modification in OKX’s core production database\n- Admin Backend Takeover: Gaining critical admin privileges\n- Mass Account Takeover: Systemic takeover of a large portion of user accounts, typically affecting \u003e50% of users\n- System Command Execution: Running OS commands on servers\n\n### High\n- Stored XSS Worms: Self-replicating cross-site scripting on critical user-facing pages.\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- Account Access at Scale: Unauthorised access to multiple user accounts due to flaws in authentication or authorization logic.\n- SQL Injection (Limited): Extracting specific sensitive data\n- Source Code Leakage: Exposure of significant backend or internal source code\n- SSRF (Contextual Impact): SSRF that reaches internal services (SSRF severity is dependent on the impact of the internal access achieved.)\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting requiring user interaction to trigger.\n- CSRF (Core Business): CSRF targeting non-critical business actions.\n- Auth Bypass (Limited): Unauthorised access to backend or user data without financial impact.\n- Subdomain Takeover: Control of unused subdomains with reputational or phishing risk.\n- Verification Code Flaws: Weaknesses in login or password reset verification logic.\n- Sensitive Data Exposure: Disclosure of encrypted or internal user data through accessible interfaces.\n- Cleartext Credentials: Hardcoded credentials in source code or configuration files, excluding API keys.\n\n### Low\n- Reflected XSS: Non-persistent cross-site scripting in 
URLs or parameters.\n- DOM/Flash XSS: Client-side cross-site scripting with no backend interaction.\n- Open Redirects: Redirecting users to external domains without validation.\n- General Info Leaks: Exposure of internal paths, directories, or debug interfaces.\n- Common CSRF: CSRF targeting non-sensitive user actions.\n- HTTP Header Manipulation: Modifying headers with low impact, such as cache behavior or redirects.\n\n## Mobile Vulnerabilities\nFocus: Issues found in OKX official mobile apps.\n\n### Critical\n- Remote Exploits: Remote compromise of app integrity or execution of code on OKX infrastructure.\n- Mass Data Breach: Unauthorised access to large volumes of user data through application flaws.\n- Admin Privilege Takeover: Gaining backend administrative access via mobile vectors.\n- System Command Execution: Executing operating system commands on application servers.\n- SQL/NoSQL Injection: Exploiting mobile API endpoints to manipulate backend database queries, leading to mass exfiltration/modification of sensitive data (PII, financial info, credentials) or backend system compromise.\n\n### High\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- SSRF (Contextual Impact): SSRF accessing internal systems or services via mobile endpoints.\n- Sensitive Data Exposure: Leaking sensitive information stored or processed by the app.\n- Logic Flaws (Fund Impact): Exploiting application logic to manipulate balances or perform unauthorised transactions.\n- Source Code Leakage: Exposure of significant application source code.\n- Unauthorised Operations: Performing unauthorised transactions or financial operations through app exploits.\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting within mobile app components that requires user interaction.\n- CSRF (Core Business): Cross-site request forgery targeting non-critical business logic.\n- Auth Bypass (Limited): Unauthorised access to user data or 
configurations without financial impact.\n- Local Storage Leaks: Disclosure of sensitive app-stored data, such as session tokens or encrypted credentials.\n- Verification Flaws: Weaknesses in OTP, login, or reset mechanisms due to insufficient validation or rate limiting.\n- Cleartext Credentials: Hardcoded secrets in app files, excluding API keys.\n\n### Low\n- Component Exposure: Unintended exposure of app components, such as exported Android activities or iOS services.\n- Open Redirects: Unvalidated redirects in app flows.\n- HTTP Header Issues: Minor header manipulation with negligible impact.\n\n## Desktop Clients Vulnerabilities\nFocus: Issues found in OKX desktop clients - Windows / MacOS (downloaded from okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Execution of arbitrary code on the client or connected server via the desktop application.\n- Admin Privilege Takeover: Gaining backend administrative control through the client (e.g., server-side SSRF).\n- System Command Execution: Execution of operating system commands on the client or backend server via misconfigurations or unsafe input handling.\n\n### High\n- CSRF (Account Takeover or Fund Transfers): Forged client requests that result in critical authenticated actions.\n- SSRF (Contextual Impact): Forged requests from the app to internal services.\n- Sensitive Data Exposure: Exposure of encrypted seeds or local sensitive data via app functionality.\n- Transaction Disruptions: Client-side bugs that prevent valid trading, deposits, or withdrawals.\n- Logic Flaws (Fund Impact): Exploiting client-side logic to manipulate account balances or transfer behaviors.\n\n### Medium\n- CSRF (Core Business): Forging non-sensitive client actions, such as settings changes.\n- Auth Bypass (Limited): Gaining unauthorised access to user-level configurations or restricted client views.\n- Local Storage Leaks: Exposure of exploitable data stored by the client, such as session tokens or authentication secrets, 
without adequate protection or access control.\n- Cleartext Credentials: Hardcoded secrets (excluding API keys) embedded in client configurations or binaries.\n\n### Low\n- Local DoS: Crashing the desktop app via malformed files or inputs.\n- Minor Misconfigurations: Exposure of temporary or local files with no sensitive data or direct exploitability.\n\n## Web3 Vulnerabilities\nFocus: Issues affecting OKX Web3 Wallet, blockchain infrastructure, or funds.\n\n### Critical\n- Remote exploits on validators/contracts or admin takeovers.\n- Execute code on production infrastructure\n- Steal funds or exfiltrate sensitive data at scale\n- Fully bypass authentication or authorisation protections\n- Affect a majority of users, systems, or business-critical functions\n\n### High\n- Unauthorised access to sensitive user data or funds in limited scope\n- Takeover of accounts with specific user interaction\n- Smart contract exploits with financial impact requiring specific states\n\n### Medium\n- Smart contract bugs that require manual triggering and do not result in loss of funds directly\n- Wallet address manipulation that alters front-end display but not the transaction outcome\n- Replay of previously signed messages that need complex setup\n- Incorrect use of chainID, nonce, or gas calculations that lead to inefficiencies\n- DApp permission misuse that prompts for overbroad approvals, but user must accept\n\n### Low\n- RPC metadata disclosure without sensitive data or elevated access\n- Node instability causing UI refresh or sync delays, not affecting tx execution\n- Minor signature validation errors that cannot bypass permission\n- Smart contract function visibility issues (e.g., public vs external) that don’t affect logic\n- Typos or inaccurate dApp UI rendering not tied to transaction outcome\n\n---\n## Additional Guidelines\n- IDOR: Must demonstrate ID discovery path, not brute force only\n- Mobile: Report once per vulnerability across platforms (iOS/Android)\n- Wallet 
Extensions: Report once per vulnerability across platforms (Chrome/Edge/Safari)\n- Duplicates: Same issue in multiple assets = one report\n- False positives, low business impact, or non-exploitable bugs will not be rewarded but may be acknowledged\n\n---\n\n## Out of Scope\n- Reports from automated tools or scanners\n- False positive SQL Injection without a working PoC demonstrating DB/user name extraction\n- Spam vulnerabilities, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable libraries/components without a working PoC\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated or low-impact forms\n- Attacks requiring MITM, root/jailbreak, or physical access to a user’s device\n- Previously known vulnerable libraries without a working PoC\n- CSV injection without demonstrating exploitation\n- Missing SSL/TLS best practices (e.g. weak ciphers, protocol versions)\n- Denial of Service (DoS) or service disruption attempts\n- Content spoofing or text injection without HTML/CSS modification or attack vector\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing Content Security Policy best practices\n- Missing HttpOnly or Secure cookie flags\n- Missing or invalid SPF/DKIM/DMARC records\n- Vulnerabilities affecting only outdated/unpatched browsers (older than 2 stable versions)\n- Software version disclosure, banner info, stack traces, or verbose errors\n- Public 0-days with patches released less than 1 month ago (case-by-case)\n- Tabnabbing\n- Vulnerabilities requiring unlikely user interaction\n- Vulnerabilities already known to internal teams\n- Best practice recommendations (e.g. 
hardening suggestions)\n- WordPress-related vulnerabilities\n- DLL hijacking without demonstrating privilege escalation\n- Rate-limit bypass by simply changing IP address or device ID\n- Address bar, URL, or domain spoofing within mobile in-app browsers (e.g., dApp or WebView-based browsers)\n- Sensitive data exposure on social media\n- Internal domain takeovers outside okx.com, okg.com, or oklink.com\n- Clients (desktop/mobile) not downloaded from official sources in scope\n- Proof of Reserves being reported as “sensitive document” leak\n- Reports based only on static analysis of binaries without PoC affecting business logic\n- Lack of obfuscation, binary protection, or jailbreak/root detection\n- Certificate pinning bypass on rooted/jailbroken devices\n- Missing exploit mitigations (e.g., PIE, ARC, Stack Canaries)\n- Sensitive data in URLs or request bodies when protected by TLS\n- Path disclosure in binaries\n- Hardcoded/recoverable app secrets in IPA/APK without business impact\n- Sensitive data stored in private app directory\n- App crashes from malformed URL schemes or exported components\n- Runtime exploits only possible in a rooted/jailbroken environment (e.g., via Frida)\n- Leaked shared links via clipboard\n- URI leaks caused by malicious apps with permissions\n- Exposure of API keys without demonstrated security impact (e.g., Google Maps API keys or keys found in our public GitHub repositories)\n- Third-party services (unless explicitly allowed)\n- Social engineering, spam, and physical attacks\n- Attacks requiring MITM or root/jailbreak access\n- Services not owned by OKX (e.g., cloud provider vulnerabilities)\n- Mobile/Desktop apps not downloaded from official channels\n\n# Discretionary “Extreme” Tier Bounties\nWhile our standard reward structure follows CVSS and business impact tiers (Low to Critical), OKX reserves the right to award **Extreme Tier bounties** at our sole discretion.\nExtreme Tier rewards are not tied to a fixed scoring scale. 
They reflect **extraordinary, edge-case vulnerabilities** with systemic or existential risk to OKX.\n\n**Criteria \u0026 Impact Examples**\n*   Rapid and unauthorised loss of funds \u003e $1 million (Example: exploit drains wallets, bypasses fund protections)\n*   Zero-interaction compromise of multiple wallets, admin systems, or validators\n*   Massive KYC/PII data breach with direct regulatory or reputational impact (Example: exposure of sensitive customer data, financial information)\n*   Systemic risk to platform availability, public trust, or market stability (Example: mass user account takeover, automated abuse of authentication flows)\n\n**Reward Range**\n*   **$90,000 up to $1,000,000+**, depending on severity, exploitability, and impact.\n*   Evaluated case-by-case using OKX’s internal incident response process.\n\n**Additional Considerations**\n*   Researcher reward decisions also take into account **technical complexity**, **speed of reporting**, **integrity**, and **responsible disclosure practices**.\n\n# Business Risk Scoring Guide\nNote: To ensure fairness when evaluating vulnerabilities that do not directly affect funds, OKX uses a weighted business impact model that considers Fund Impact, Reputation Risk, and Compliance Risk. 
Business-risk multipliers adjust placement within the payout range of the assigned severity band; they do not move a report to another band.\n\n### Web2\n\n| Context / Surface                                              | Multiplier |\n|---------------------------------------------------------------|------------|\n| Static unauthenticated pages (marketing, FAQ, terms)           | 1.0×   |\n| Login/register/reset flows with minor issues (open redirect)   | 1.1×  |\n| Authenticated user dashboard (no sensitive data)               | 1.2×       |\n| Authenticated page with PII, order history, personal data      | 1.3×       |\n| Session compromise (stealing cookies/JWTs)                     | 1.3×       |\n| Authenticated page handling account/fund actions (withdrawal, API, trading) | 1.4× |\n| Admin panel or internal tool with sensitive operations | 1.5× |\n\n### Web3\n\n| Context / Surface                                                                  | Multiplier |\n|-----------------------------------------------------------------------------------|------------|\n| Wallet connect / signature request with no security impact                         | 1.0×       |\n| dApp UI with reflected input but no transaction risk                               | 1.1×       |\n| dApp (wallet-connected) leaking balances or transaction history                    | 1.2×       |\n| dApp allowing spoofed signature prompts / phishing-style UX                        | 1.3×       |\n| Smart contract dashboards (staking, governance, etc.) 
with sensitive UI actions    | 1.4×       |\n| XSS leading to wallet signature hijack / transaction injection                     | 1.5×       |\n\n### Mobile\n\n| Context / Surface                                                           | Multiplier |\n|-----------------------------------------------------------------------------|------------|\n| UI issues, clipboard access without sensitive data                          | 1.0×       |\n| Exposure of non-sensitive info (OS version, device model)                   | 1.1×       |\n| Authenticated views with general account data                               | 1.2×       |\n| Sensitive data exposed via logging, screenshots, or memory                  | 1.3×       |\n| WebView issues affecting auth/transaction flow or phishing                  | 1.4×       |\n| Authenticated views with fund transfer, session token, or private key exposure | 1.5×    |\n\n### Desktop\n\n| Context / Surface                                                               | Multiplier |\n|--------------------------------------------------------------------------------|------------|\n| UI bugs, crash reports, logs without sensitive data                            | 1.0×       |\n| DLL hijack with proven privilege escalation path                               | 1.1×       |\n| Authenticated interface with exchange or trading functions                     | 1.2×       |\n| Sensitive data exposed (session tokens, keys)                                  | 1.3×       |\n| Full compromise via desktop client (token theft + bypassing protections)       | 1.4×       |\n\n# Quality \u0026 Context Modifiers\n\n### Additional Factors\n\n| Factor                 | Range          | Description                                                                 |\n|------------------------|----------------|-----------------------------------------------------------------------------|\n| Exploit Reliability    | 0.5–1.0×       | Is the issue consistently reproducible? Reports that are unstable or device-specific may receive lower payouts. |\n| User interaction       | 0.5–1.0×       | How many steps must a victim take? Exploits requiring multiple clicks, context switches, or unusual actions may reduce payout. |\n| Exposure / coverage    | 0.3–1.0×       | Does the issue affect most users, or only a very narrow cohort or edge case? Broader impact tends toward higher payouts within the band. |\n| Mitigation proximity   | 0.5–1.0×       | Do existing controls (rate limits, approvals, alerts) significantly limit the practical risk? If so, payouts may be lowered. |\n\n# Vulnerability Evaluation Process\n**Step 1: Triage** for validity, reproducibility, and scope\n**Step 2: CVSS Baseline** - Apply CVSS where applicable\n**Step 3: Business Risk Evaluation**\n**Step 4: Quality \u0026 Context Modifiers**\n**Final Reward Tier** = Technical Severity + Business Impact + Quality \u0026 Context Modifiers\n\n# Reward Bonuses\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\n# Known issues\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-14T05:00:27.887Z"},{"id":3764561,"new_policy":"About OKG:\n==============\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\n# Response Targets\nOKG will make a best effort to meet the following SLAs for hackers participating in our program.\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not blast the support centre tickets with too many requests.\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. 
However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nNote: The classifications below are not exhaustive. If a valid vulnerability does not appear in this list, OKX will assess its severity and bounty eligibility using CVSS v3.1 and internal business impact analysis. 
This ensures fair and transparent evaluation of novel, creative, or edge-case vulnerabilities that may not be explicitly documented here.\n\n## Web2 Vulnerabilities\nFocus: Issues found on OKG web platforms (e.g., okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Executing arbitrary code on OKX servers\n- SQL Injection (Core DB): Large-scale data access/modification in OKX’s core production database\n- Admin Backend Takeover: Gaining critical admin privileges\n- Mass Account Takeover: Systemic takeover of a large portion of user accounts, typically affecting \u003e50% of users\n- System Command Execution: Running OS commands on servers\n\n### High\n- Stored XSS Worms: Self-replicating cross-site scripting on critical user-facing pages.\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- Account Access at Scale: Unauthorised access to multiple user accounts due to flaws in authentication or authorization logic.\n- SQL Injection (Limited): Extracting specific sensitive data\n- Source Code Leakage: Exposure of significant backend or internal source code\n- SSRF (Contextual Impact): SSRF that reaches internal services (SSRF severity is dependent on the impact of the internal access achieved.)\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting requiring user interaction to trigger.\n- CSRF (Core Business): CSRF targeting non-critical business actions.\n- Auth Bypass (Limited): Unauthorised access to backend or user data without financial impact.\n- Subdomain Takeover: Control of unused subdomains with reputational or phishing risk.\n- Verification Code Flaws: Weaknesses in login or password reset verification logic.\n- Sensitive Data Exposure: Disclosure of encrypted or internal user data through accessible interfaces.\n- Cleartext Credentials: Hardcoded credentials in source code or configuration files, excluding API keys.\n\n### Low\n- Reflected XSS: Non-persistent cross-site scripting in 
URLs or parameters.\n- DOM/Flash XSS: Client-side cross-site scripting with no backend interaction.\n- Open Redirects: Redirecting users to external domains without validation.\n- General Info Leaks: Exposure of internal paths, directories, or debug interfaces.\n- Common CSRF: CSRF targeting non-sensitive user actions.\n- HTTP Header Manipulation: Modifying headers with low impact, such as cache behavior or redirects.\n\n## Mobile Vulnerabilities\nFocus: Issues found in OKX official mobile apps.\n\n### Critical\n- Remote Exploits: Remote compromise of app integrity or execution of code on OKX infrastructure.\n- Mass Data Breach: Unauthorised access to large volumes of user data through application flaws.\n- Admin Privilege Takeover: Gaining backend administrative access via mobile vectors.\n- System Command Execution: Executing operating system commands on application servers.\n- SQL/NoSQL Injection : Exploiting mobile API endpoints to manipulate backend database queries, leading to mass exfiltration/modification of sensitive data (PII, financial info, credentials) or backend system compromise.\n\n### High\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorised asset actions.\n- SSRF (Contextual Impact): SSRF accessing internal systems or services via mobile endpoints.\n- Sensitive Data Exposure: Leaking sensitive information stored or processed by the app.\n- Logic Flaws (Fund Impact): Exploiting application logic to manipulate balances or perform unauthorised transactions.\n- Source Code Leakage: Exposure of significant application source code.\n- Unauthorised Operations: Performing unauthorised transactions or financial operations through app exploits.\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting within mobile app components that requires user interaction.\n- CSRF (Core Business): Cross-site request forgery targeting non-critical business logic.\n- Auth Bypass (Limited): Unauthorised access to user data or 
configurations without financial impact.\n- Local Storage Leaks: Disclosure of sensitive app-stored data, such as session tokens or encrypted credentials.\n- Verification Flaws: Weaknesses in OTP, login, or reset mechanisms due to insufficient validation or rate limiting.\n- Cleartext Credentials: Hardcoded secrets in app files, excluding API keys.\n\n### Low\n- Component Exposure: Unintended exposure of app components, such as exported Android activities or iOS services.\n- Open Redirects: Unvalidated redirects in app flows.\n- HTTP Header Issues: Minor header manipulation with negligible impact.\n\n## Desktop Clients Vulnerabilities\nFocus: Issues found in OKX desktop clients - Windows / MacOS (downloaded from okx.com).\n\n### Critical\n- Remote Code Execution (RCE): Execution of arbitrary code on the client or connected server via the desktop application.\n- Admin Privilege Takeover: Gaining backend administrative control through the client (e.g., server-side SSRF).\n- System Command Execution: Execution of operating system commands on the client or backend server via misconfigurations or unsafe input handling.\n\n### High\n- CSRF (Account Takeover or Fund Transfers): Forged client requests that result in critical authenticated actions.\n- SSRF (Contextual Impact): Forged requests from the app to internal services.\n- Sensitive Data Exposure: Exposure of encrypted seeds or local sensitive data via app functionality.\n- Transaction Disruptions: Client-side bugs that prevent valid trading, deposits, or withdrawals.\n- Logic Flaws (Fund Impact): Exploiting client-side logic to manipulate account balances or transfer behaviors.\n\n### Medium\n- CSRF (Core Business): Forging non-sensitive client actions, such as settings changes.\n- Auth Bypass (Limited): Gaining unauthorised access to user-level configurations or restricted client views.\n- Local Storage Leaks: Exposure of exploitable data stored by the client, such as session tokens or authentication secrets, 
without adequate protection or access control.\n- Cleartext Credentials: Hardcoded secrets (excluding API keys) embedded in client configurations or binaries.\n\n### Low\n- Local DoS: Crashing the desktop app via malformed files or inputs.\n- Minor Misconfigurations: Exposure of temporary or local files with no sensitive data or direct exploitability.\n\n## Web3 Vulnerabilities\nFocus: Issues affecting OKX Web3 Wallet, blockchain infrastructure, or funds.\n\n### Critical\n- Remote exploits on validators/contracts or admin takeovers.\n- Execute code on production infrastructure\n- Steal funds or exfiltrate sensitive data at scale\n- Fully bypass authentication or authorisation protections\n- Affect a majority of users, systems, or business-critical functions\n\n### High\n- Unauthorised access to sensitive user data or funds in limited scope\n- Takeover of accounts with specific user interaction\n- Smart contract exploits with financial impact requiring specific states\n\n### Medium\n- Smart contract bugs that require manual triggering and do not result in loss of funds directly\n- Wallet address manipulation that alters front-end display but not the transaction outcome\n- Replay of previously signed messages that need complex setup\n- Incorrect use of chainID, nonce, or gas calculations that lead to inefficiencies\n- DApp permission misuse that prompts for overbroad approvals, but user must accept\n\n### Low\n- RPC metadata disclosure without sensitive data or elevated access\n- Node instability causing UI refresh or sync delays, not affecting tx execution\n- Minor signature validation errors that cannot bypass permission\n- Smart contract function visibility issues (e.g., public vs external) that don’t affect logic\n- Typos or inaccurate dApp UI rendering not tied to transaction outcome\n\n---\n## Additional Guidelines\n- IDOR: Must demonstrate ID discovery path, not brute force only\n- Mobile: Report once per vulnerability across platforms (iOS/Android)\n- Wallet 
Extensions: Report once per vulnerability across platforms (Chrome/Edge/Safari)\n- Duplicates: Same issue in multiple assets = one report\n- False positives, low business impact, or non-exploitable bugs will not be rewarded but may be acknowledged\n\n---\n\n## Out of Scope\n- Reports from automated tools or scanners\n- False positive SQL Injection without a working PoC demonstrating DB/user name extraction\n- Spam vulnerabilities, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable libraries/components without a working PoC\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated or low-impact forms\n- Attacks requiring MITM, root/jailbreak, or physical access to a user’s device\n- Previously known vulnerable libraries without a working PoC\n- CSV injection without demonstrating exploitation\n- Missing SSL/TLS best practices (e.g. weak ciphers, protocol versions)\n- Denial of Service (DoS) or service disruption attempts\n- Content spoofing or text injection without HTML/CSS modification or attack vector\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing Content Security Policy best practices\n- Missing HttpOnly or Secure cookie flags\n- Missing or invalid SPF/DKIM/DMARC records\n- Vulnerabilities affecting only outdated/unpatched browsers (older than 2 stable versions)\n- Software version disclosure, banner info, stack traces, or verbose errors\n- Public 0-days with patches released less than 1 month ago (case-by-case)\n- Tabnabbing\n- Vulnerabilities requiring unlikely user interaction\n- Vulnerabilities already known to internal teams\n- Best practice recommendations (e.g. 
hardening suggestions)\n- WordPress-related vulnerabilities\n- DLL hijacking without demonstrating privilege escalation\n- Rate-limit bypass by simply changing IP address or device ID\n- Address bar, URL, or domain spoofing within mobile in-app browsers (e.g., dApp or WebView-based browsers)\n- Sensitive data exposure on social media\n- Internal domain takeovers outside okx.com, okg.com, or oklink.com\n- Clients (desktop/mobile) not downloaded from official sources in scope\n- Proof of Reserves being reported as “sensitive document” leak\n- Reports based only on static analysis of binaries without PoC affecting business logic\n- Lack of obfuscation, binary protection, or jailbreak/root detection\n- Certificate pinning bypass on rooted/jailbroken devices\n- Missing exploit mitigations (e.g., PIE, ARC, Stack Canaries)\n- Sensitive data in URLs or request bodies when protected by TLS\n- Path disclosure in binaries\n- Hardcoded/recoverable app secrets in IPA/APK without business impact\n- Sensitive data stored in private app directory\n- App crashes from malformed URL schemes or exported components\n- Runtime exploits only possible in a rooted/jailbroken environment (e.g., via Frida)\n- Leaked shared links via clipboard\n- URI leaks caused by malicious apps with permissions\n- Exposure of API keys without demonstrated security impact (e.g., Google Maps API keys or keys found in our public GitHub repositories)\n- Third-party services (unless explicitly allowed)\n- Social engineering, spam, and physical attacks\n- Attacks requiring MITM or root/jailbreak access\n- Services not owned by OKX (e.g., cloud provider vulnerabilities)\n- Mobile/Desktop apps not downloaded from official channels\n\n# Discretionary “Extreme” Tier Bounties\nWhile our standard reward structure follows CVSS and business impact tiers (Low to Critical), OKX reserves the right to award **Extreme Tier bounties** at our sole discretion.\nExtreme Tier rewards are not tied to a fixed scoring scale. 
They reflect **extraordinary, edge-case vulnerabilities** with systemic or existential risk to OKX.\n\n**Criteria \u0026 Impact Examples**\n*   Rapid and unauthorised loss of funds \u003e $1 million (Example: exploit drains wallets, bypasses fund protections)\n*   Zero-interaction compromise of multiple wallets, admin systems, or validators\n*   Massive KYC/PII data breach with direct regulatory or reputational impact (Example: exposure of sensitive customer data, financial information)\n*   Systemic risk to platform availability, public trust, or market stability (Example: mass user account takeover, automated abuse of authentication flows)\n\n**Reward Range**\n*   **$90,000 up to $1,000,000+**, depending on severity, exploitability, and impact.\n*   Evaluated case-by-case using OKX’s internal incident response process.\n\n**Additional Considerations**\n*   Researcher reward decisions also take into account **technical complexity**, **speed of reporting**, **integrity**, and **responsible disclosure practices**.\n\n# Business Risk Scoring Guide\nNote: To ensure fairness when evaluating vulnerabilities that do not directly affect funds, OKX uses a weighted business impact model that considers Fund Impact, Reputation Risk, and Compliance Risk. 
Business-risk multipliers adjust placement within the payout range of the assigned severity band; they do not move a report to another band.\n\n### Web2\n\n| Context / Surface                                              | Multiplier |\n|---------------------------------------------------------------|------------|\n| Static unauthenticated pages (marketing, FAQ, terms)           | 1.0×   |\n| Login/register/reset flows with minor issues (open redirect)   | 1.1×  |\n| Authenticated user dashboard (no sensitive data)               | 1.2×       |\n| Authenticated page with PII, order history, personal data      | 1.3×       |\n| Session compromise (stealing cookies/JWTs)                     | 1.3×       |\n| Authenticated page handling account/fund actions (withdrawal, API, trading) | 1.4× |\n| Admin panel or internal tool with sensitive operations | 1.5× |\n\n### Web3\n\n| Context / Surface                                                                  | Multiplier |\n|-----------------------------------------------------------------------------------|------------|\n| Wallet connect / signature request with no security impact                         | 1.0×       |\n| dApp UI with reflected input but no transaction risk                               | 1.1×       |\n| dApp (wallet-connected) leaking balances or transaction history                    | 1.2×       |\n| dApp allowing spoofed signature prompts / phishing-style UX                        | 1.3×       |\n| Smart contract dashboards (staking, governance, etc.) 
with sensitive UI actions    | 1.4×       |\n| XSS leading to wallet signature hijack / transaction injection                     | 1.5×       |\n\n### Mobile\n\n| Context / Surface                                                           | Multiplier |\n|-----------------------------------------------------------------------------|------------|\n| UI issues, clipboard access without sensitive data                          | 1.0×       |\n| Exposure of non-sensitive info (OS version, device model)                   | 1.1×       |\n| Authenticated views with general account data                               | 1.2×       |\n| Sensitive data exposed via logging, screenshots, or memory                  | 1.3×       |\n| WebView issues affecting auth/transaction flow or phishing                  | 1.4×       |\n| Authenticated views with fund transfer, session token, or private key exposure | 1.5×    |\n\n### Desktop\n\n| Context / Surface                                                               | Multiplier |\n|--------------------------------------------------------------------------------|------------|\n| UI bugs, crash reports, logs without sensitive data                            | 1.0×       |\n| DLL hijack with proven privilege escalation path                               | 1.1×       |\n| Authenticated interface with exchange or trading functions                     | 1.2×       |\n| Sensitive data exposed (session tokens, keys)                                  | 1.3×       |\n| Full compromise via desktop client (token theft + bypassing protections)       | 1.4×       |\n\n# Quality \u0026 Context Modifiers\n\n### Additional Factors\n\n| Factor                 | Range          | Description                                                                 |\n|------------------------|----------------|-----------------------------------------------------------------------------|\n| Exploit Reliability    | 0.5–1.0×       | Is the issue consistently reproducible? Reports that are unstable or device-specific may receive lower payouts. |\n| User interaction       | 0.5–1.0×       | How many steps must a victim take? Exploits requiring multiple clicks, context switches, or unusual actions may reduce payout. |\n| Exposure / coverage    | 0.3–1.0×       | Does the issue affect most users, or only a very narrow cohort or edge case? Broader impact tends toward higher payouts within the band. |\n| Mitigation proximity   | 0.5–1.0×       | Do existing controls (rate limits, approvals, alerts) significantly limit the practical risk? If so, payouts may be lowered. |\n\n# Vulnerability Evaluation Process\n**Step 1: Triage** for validity, reproducibility, and scope\n**Step 2: CVSS Baseline** - Apply CVSS where applicable\n**Step 3: Business Risk Evaluation**\n**Step 4: Quality \u0026 Context Modifiers**\n**Final Reward Tier** = Technical Severity + Business Impact + Quality \u0026 Context Modifiers\n\n# Reward Bonuses\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\nKnown issues\n===\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n===\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-14T04:57:28.129Z"},{"id":3758354,"new_policy":"About OKG:\n==============\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\n# Response Targets\nOKG will make a best effort to meet the following SLAs for hackers participating in our program.\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not blast the support centre tickets with too many requests.\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. 
However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\n## Web2 Vulnerabilities\n*Focus: Issues found on OKG web platforms (e.g., okx.com).  
*\n\n### Critical\n- Remote Code Execution (RCE): Executing arbitrary code on OKG servers\n- SQL Injection (Core DB): Large-scale data access/modification in OKG’s core production database\n- Admin Backend Takeover: Gaining critical admin privileges\n- Mass Account Takeover: Systemic takeover of a large portion of user accounts, typically affecting \u003e50% of users \n- System Command Execution: Running OS commands on servers\n\n### High\n- Stored XSS Worms: Self-replicating cross-site scripting on critical user-facing pages.\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorized asset actions.\n- Account Access at Scale: Unauthorized access to multiple user accounts due to flaws in authentication or authorization logic.\n- SQL Injection (Limited): Extracting specific sensitive data\n- Source Code Leakage: Exposure of significant backend or internal source code\n- SSRF (Contextual Impact): SSRF that reaches internal services (SSRF severity is dependent on the impact of the internal access achieved.)\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting requiring user interaction to trigger.\n- CSRF (Core Business): CSRF targeting non-critical business actions.\n- Auth Bypass (Limited): Unauthorized access to backend or user data without financial impact.\n- Subdomain Takeover: Control of unused subdomains with reputational or phishing risk.\n- Verification Code Flaws: Weaknesses in login or password reset verification logic.\n- Sensitive Data Exposure: Disclosure of encrypted or internal user data through accessible interfaces.\n- Cleartext Credentials: Hardcoded credentials in source code or configuration files, excluding API keys.\n\n### Low\n- Reflected XSS: Non-persistent cross-site scripting in URLs or parameters.\n- DOM/Flash XSS: Client-side cross-site scripting with no backend interaction.\n- Open Redirects: Redirecting users to external domains without validation.\n- General Info Leaks: Exposure of internal 
paths, directories, or debug interfaces.\n- Common CSRF: CSRF targeting non-sensitive user actions.\n- HTTP Header Manipulation: Modifying headers with low impact, such as cache behavior or redirects.\n\n## Mobile Application Vulnerabilities\n*Focus: Issues found in OKX official mobile apps. *\n\n### Critical\n- Remote Exploits: Remote compromise of app integrity or execution of code on OKX infrastructure.\n- Mass Data Breach: Unauthorized access to large volumes of user data through application flaws.\n- Admin Privilege Takeover: Gaining backend administrative access via mobile vectors.\n- System Command Execution: Executing operating system commands on application servers.\n- SQL/NoSQL Injection : Exploiting mobile API endpoints to manipulate backend database queries, leading to mass exfiltration/modification of sensitive data (PII, financial info, credentials) or backend system compromise.\n\n### High\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorized asset actions.\n- SSRF (Contextual Impact): SSRF accessing internal systems or services via mobile endpoints.\n- Sensitive Data Exposure: Leaking encrypted or sensitive information stored or processed by the app.\n- Logic Flaws (Fund Impact): Exploiting application logic to manipulate balances or perform unauthorized transactions.\n- Source Code Leakage: Exposure of significant application source code.\n- Unauthorized Operations: Performing unauthorized transactions or financial operations through app exploits.\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting within mobile app components that requires user interaction.\n- CSRF (Core Business): Cross-site request forgery targeting non-critical business logic.\n- Auth Bypass (Limited): Unauthorized access to user data or configurations without financial impact.\n- Local Storage Leaks: Disclosure of sensitive app-stored data, such as session tokens or encrypted credentials.\n- Verification Flaws: Weaknesses in 
OTP, login, or reset mechanisms due to insufficient validation or rate limiting.\n- Cleartext Credentials: Hardcoded secrets in app files, excluding API keys.\n- Transaction Disruptions: Application flaws that interfere with trade, deposit, or withdrawal flows.\n\n### Low\n- Component Exposure: Unintended exposure of app components, such as exported Android activities or iOS services.\n- Open Redirects: Unvalidated redirects in app flows.\n- HTTP Header Issues: Minor header manipulation with negligible impact.\n\n## Desktop Clients Vulnerabilities\n*Focus: Issues found in OKX desktop clients - Windows / MacOS (downloaded from okx.com).  *\n\n### Critical\n- Remote Code Execution (RCE): Execution of arbitrary code on the client or connected server via the desktop application.\n- Admin Privilege Takeover: Gaining backend administrative control through the client (e.g., server-side SSRF).\n- System Command Execution: Execution of operating system commands on the client or backend server via misconfigurations or unsafe input handling.\n\n### High \n- CSRF (Account Takeover or Fund Transfers): Forged client requests that result in critical authenticated actions.\n- SSRF (Contextual Impact): Forged requests from the app to internal services.\n- Sensitive Data Exposure: Exposure of encrypted seeds or local sensitive data via app functionality.\n- Transaction Disruptions: Client-side bugs that prevent valid trading, deposits, or withdrawals.\n- Logic Flaws (Fund Impact): Exploiting client-side logic to manipulate account balances or transfer behaviors.\n\n### Medium\n- CSRF (Core Business): Forging non-sensitive client actions, such as settings changes.\n- Auth Bypass (Limited): Gaining unauthorized access to user-level configurations or restricted client views.\n- Local Storage Leaks: Exposure of exploitable data stored by the client, such as session tokens or authentication secrets, without adequate protection or access control.\n- Cleartext Credentials: Hardcoded 
secrets (excluding API keys) embedded in client configurations or binaries.\n\n### Low\n- Local DoS: Crashing the desktop app via malformed files or inputs.\n- Minor Misconfigurations: Exposure of temporary or local files with no sensitive data or direct exploitability.\n\n## Web3 Vulnerabilities\n*Focus: Issues affecting OKX Web3 Wallet, blockchain infrastructure, or funds.  *\n\n### Extreme\n*Criteria: Affects all of users, \u003e60 min downtime, or \u003e$500K potential loss.*\n- Zero-interaction mass compromise of funds/private keys or large-scale data breaches.  \n\n### Critical\n*Criteria: Affects \u003e50% of users, \u003e15 min downtime, or \u003e$100K potential loss.*\n- Remote exploits on validators/contracts or admin takeovers.  \n\n### High\n*Criteria: Affects \u003e30% of users, \u003e10 min downtime, or \u003e$50K potential loss.*\n- Validator issues, fund logic flaws, or code leaks.  \n\n### Medium\n*Criteria: Requires interaction or limited scope.*\n- Interaction-based wallet exploits or transaction disruptions.  \n\n### Low\n*Criteria: Minimal impact or exploitability.*\n- Node stability issues or minor leaks.\n\nOther classifications\n====================\nIDOR Vulnerabilities\n- Researchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\nWeb3 Wallet Extensions reports\n- The wallet extensions share the same codebase. Therefore, if you identify a vulnerability, submitting a single report for any one wallet is sufficient. Submitting the same vulnerability report for another wallet extension will be considered a duplicate and will not be eligible for separate rewards.\n\nMobile application reports\n- Submitting a single report for any one of the mobile applications is sufficient. 
Submitting the same vulnerability report for another mobile application will be considered a duplicate and will not be eligible for separate rewards.\n\nAdditional notes\n- In addition to identified vulnerabilities, we appreciate you reporting any broken links, potential Denial-of-Service (DoS) vulnerabilities, or leaked credentials you encounter during your research.\n- Please note that we will review these findings on a case-by-case basis to determine if they are eligible for a bounty award.\n\n------\n\nOUT OF SCOPE – WEB / DESKTOP CLIENT VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device\n- Previously known vulnerable libraries without a working Proof of Concept\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability\n- Missing best practices in SSL/TLS configuration\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC 
records, etc.)\n- Vulnerabilities only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated\n- Wordpress related vulnerability\n- DLL hijacking reports that fail to demonstrate how they achieve elevated privileges.\n- Reports that bypass rate limiting through changing of IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n- Sensitive data exposure on social media accounts\n- Internal domain takeovers that are not okx.com / okg.com / oklink.com\n- Reports with desktop client versions not downloaded from our official sites listed in our scope\n- Proof of reserves being reported as \"sensitive document\" leak\n- Sensitive information leak from web archive / wayback machine\n- Broken link / social media account takeovers \n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without PoC that impacts business logic\n- Lack of obfuscation/binary protection/root(jailbreak) detection\n- Bypass certificate pinning on rooted devices\n- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret 
hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in-app private directory\n- Runtime hacking exploits using tools like but not limited to Frida / Appmon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n- Reports that bypass rate limiting through changing of IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n- Reports with mobile versions not downloaded from official sites listed in our scope\n\n--- \n\nReward List \n===\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\nKnown issues\n===\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n===\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-30T09:42:42.271Z"},{"id":3757855,"new_policy":"About OKG:\n==============\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\n# Response Targets\nOKG will make a best effort to meet the following SLAs for hackers participating in our program.\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not blast the support centre tickets with too many requests.\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. 
However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\n## Web2 Vulnerabilities\n*Focus: Issues found on OKG web platforms (e.g., okx.com).  
*\n\n### Critical\n- Remote Code Execution (RCE): Executing arbitrary code on OKG servers\n- SQL Injection (Core DB): Large-scale data access/modification in OKG’s core production database\n- Admin Backend Takeover: Gaining critical admin privileges\n- Mass Account Takeover: Systemic takeover of a large portion of user accounts, typically affecting \u003e50% of users \n- System Command Execution: Running OS commands on servers\n\n### High\n- Stored XSS Worms: Self-replicating cross-site scripting on critical user-facing pages.\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorized asset actions.\n- Account Access at Scale: Unauthorized access to multiple user accounts due to flaws in authentication or authorization logic.\n- SQL Injection (Limited): Extracting specific sensitive data\n- Source Code Leakage: Exposure of significant backend or internal source code\n- SSRF (Contextual Impact): SSRF that reaches internal services (SSRF severity is dependent on the impact of the internal access achieved.)\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting requiring user interaction to trigger.\n- CSRF (Core Business): CSRF targeting non-critical business actions.\n- Auth Bypass (Limited): Unauthorized access to backend or user data without financial impact.\n- Subdomain Takeover: Control of unused subdomains with reputational or phishing risk.\n- Verification Code Flaws: Weaknesses in login or password reset verification logic.\n- Sensitive Data Exposure: Disclosure of encrypted or internal user data through accessible interfaces.\n- Cleartext Credentials: Hardcoded credentials in source code or configuration files, excluding API keys.\n\n### Low\n- Reflected XSS: Non-persistent cross-site scripting in URLs or parameters.\n- DOM/Flash XSS: Client-side cross-site scripting with no backend interaction.\n- Open Redirects: Redirecting users to external domains without validation.\n- General Info Leaks: Exposure of internal 
paths, directories, or debug interfaces.\n- Common CSRF: CSRF targeting non-sensitive user actions.\n- HTTP Header Manipulation: Modifying headers with low impact, such as cache behavior or redirects.\n\n## Mobile Application Vulnerabilities\n*Focus: Issues found in OKX official mobile apps. *\n\n### Critical\n- Remote Exploits: Remote compromise of app integrity or execution of code on OKX infrastructure.\n- Mass Data Breach: Unauthorized access to large volumes of user data through application flaws.\n- Admin Privilege Takeover: Gaining backend administrative access via mobile vectors.\n- System Command Execution: Executing operating system commands on application servers.\n- SQL/NoSQL Injection : Exploiting mobile API endpoints to manipulate backend database queries, leading to mass exfiltration/modification of sensitive data (PII, financial info, credentials) or backend system compromise.\n\n### High\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorized asset actions.\n- SSRF (Contextual Impact): SSRF accessing internal systems or services via mobile endpoints.\n- Sensitive Data Exposure: Leaking encrypted or sensitive information stored or processed by the app.\n- Transaction Disruptions: Application flaws that interfere with trade, deposit, or withdrawal flows.\n- Logic Flaws (Fund Impact): Exploiting application logic to manipulate balances or perform unauthorized transactions.\n- Source Code Leakage: Exposure of significant application source code.\n- Unauthorized Operations: Performing unauthorized transactions or financial operations through app exploits.\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting within mobile app components that requires user interaction.\n- CSRF (Core Business): Cross-site request forgery targeting non-critical business logic.\n- Auth Bypass (Limited): Unauthorized access to user data or configurations without financial impact.\n- Local Storage Leaks: Disclosure of sensitive 
app-stored data, such as session tokens or encrypted credentials.\n- Verification Flaws: Weaknesses in OTP, login, or reset mechanisms due to insufficient validation or rate limiting.\n- Cleartext Credentials: Hardcoded secrets in app files, excluding API keys.\n\n### Low\n- Component Exposure: Unintended exposure of app components, such as exported Android activities or iOS services.\n- Open Redirects: Unvalidated redirects in app flows.\n- HTTP Header Issues: Minor header manipulation with negligible impact.\n\n## Desktop Clients Vulnerabilities\n*Focus: Issues found in OKX desktop clients - Windows / MacOS (downloaded from okx.com).  *\n\n### Critical\n- Remote Code Execution (RCE): Execution of arbitrary code on the client or connected server via the desktop application.\n- Admin Privilege Takeover: Gaining backend administrative control through the client (e.g., server-side SSRF).\n- System Command Execution: Execution of operating system commands on the client or backend server via misconfigurations or unsafe input handling.\n\n### High \n- CSRF (Account Takeover or Fund Transfers): Forged client requests that result in critical authenticated actions.\n- SSRF (Contextual Impact): Forged requests from the app to internal services.\n- Sensitive Data Exposure: Exposure of encrypted seeds or local sensitive data via app functionality.\n- Transaction Disruptions: Client-side bugs that prevent valid trading, deposits, or withdrawals.\n- Logic Flaws (Fund Impact): Exploiting client-side logic to manipulate account balances or transfer behaviors.\n\n### Medium\n- CSRF (Core Business): Forging non-sensitive client actions, such as settings changes.\n- Auth Bypass (Limited): Gaining unauthorized access to user-level configurations or restricted client views.\n- Local Storage Leaks: Exposure of exploitable data stored by the client, such as session tokens or authentication secrets, without adequate protection or access control.\n- Cleartext Credentials: Hardcoded 
secrets (excluding API keys) embedded in client configurations or binaries.\n\n### Low\n- Local DoS: Crashing the desktop app via malformed files or inputs.\n- Minor Misconfigurations: Exposure of temporary or local files with no sensitive data or direct exploitability.\n\n## Web3 Vulnerabilities\n*Focus: Issues affecting OKX Web3 Wallet, blockchain infrastructure, or funds.  *\n\n### Extreme\n*Criteria: Affects all of users, \u003e60 min downtime, or \u003e$500K potential loss.*\n- Zero-interaction mass compromise of funds/private keys or large-scale data breaches.  \n\n### Critical\n*Criteria: Affects \u003e50% of users, \u003e15 min downtime, or \u003e$100K potential loss.*\n- Remote exploits on validators/contracts or admin takeovers.  \n\n### High\n*Criteria: Affects \u003e30% of users, \u003e10 min downtime, or \u003e$50K potential loss.*\n- Validator issues, fund logic flaws, or code leaks.  \n\n### Medium\n*Criteria: Requires interaction or limited scope.*\n- Interaction-based wallet exploits or transaction disruptions.  \n\n### Low\n*Criteria: Minimal impact or exploitability.*\n- Node stability issues or minor leaks.\n\nOther classifications\n====================\nIDOR Vulnerabilities\n- Researchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\nWeb3 Wallet Extensions reports\n- The wallet extensions share the same codebase. Therefore, if you identify a vulnerability, submitting a single report for any one wallet is sufficient. Submitting the same vulnerability report for another wallet extension will be considered a duplicate and will not be eligible for separate rewards.\n\nMobile application reports\n- Submitting a single report for any one of the mobile applications is sufficient. 
Submitting the same vulnerability report for another mobile application will be considered a duplicate and will not be eligible for separate rewards.\n\nAdditional notes\n- In addition to identified vulnerabilities, we appreciate you reporting any broken links, potential Denial-of-Service (DoS) vulnerabilities, or leaked credentials you encounter during your research.\n- Please note that we will review these findings on a case-by-case basis to determine if they are eligible for a bounty award.\n\n------\n\nOUT OF SCOPE – WEB / DESKTOP CLIENT VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device\n- Previously known vulnerable libraries without a working Proof of Concept\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability\n- Missing best practices in SSL/TLS configuration\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC 
records, etc.)\n- Vulnerabilities only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated\n- Wordpress related vulnerability\n- DLL hijacking reports that fail to demonstrate how they achieve elevated privileges.\n- Reports that bypass rate limiting through changing of IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n- Sensitive data exposure on social media accounts\n- Internal domain takeovers that are not okx.com / okg.com / oklink.com\n- Reports with desktop client versions not downloaded from our official sites listed in our scope\n- Proof of reserves being reported as \"sensitive document\" leak\n- Sensitive information leak from web archive / wayback machine\n- Broken link / social media account takeovers \n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without PoC that impacts business logic\n- Lack of obfuscation/binary protection/root(jailbreak) detection\n- Bypass certificate pinning on rooted devices\n- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret 
hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in-app private directory\n- Runtime hacking exploits using tools like but not limited to Frida / Appmon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n- Reports that bypass rate limiting through changing of IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n- Reports with mobile versions not downloaded from official sites listed in our scope\n\n--- \n\nReward List \n===\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\nKnown issues\n===\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n===\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-20T07:31:09.805Z"},{"id":3757853,"new_policy":"About OKX:\n=========\nFounded in 2017, OKX is one of the world’s leading cryptocurrency spot and derivatives exchanges. OKX innovatively adopted blockchain technology to reshape the financial ecosystem by offering some of the most diverse and sophisticated products, solutions, and trading tools on the market. Trusted by more than 20 million users in over 180 regions globally, OKX strives to provide an engaging platform that empowers every individual to explore the world of crypto.\n\nResponse Targets\n================\nOKX will make a best effort to meet the following SLAs for hackers participating in our program.\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chained vulnerabilities, we’ll pay only for the vulnerability with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not blast the support centre tickets with too many requests.\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. 
We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or of one of our contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n\nVulnerability Classification\n=============================\n## Web2 Vulnerabilities\n*Focus: Issues found on OKX web platforms (e.g., okx.com).*\n\n### Critical\n- Remote Code Execution (RCE): Executing arbitrary code on OKX servers\n- SQL Injection (Core DB): Large-scale data access/modification in OKX’s core production database\n- Admin Backend Takeover: Gaining critical admin privileges\n- Mass Account Takeover: Systemic takeover of a large portion of user accounts, typically affecting \u003e50% of users\n- System Command Execution: Running OS commands on servers\n\n### High\n- Stored XSS Worms: Self-replicating cross-site scripting on critical user-facing pages.\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorized asset actions.\n- Account Access at Scale: Unauthorized access to multiple user accounts due to flaws in authentication or authorization logic.\n- SQL Injection (Limited): Extracting specific sensitive data\n- Source Code Leakage: Exposure of significant backend or internal source code\n- SSRF (Contextual Impact): SSRF that reaches internal services (SSRF severity is dependent on the impact of the internal access achieved.)\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting requiring user interaction to trigger.\n- CSRF (Core Business): CSRF targeting non-critical business actions.\n- Auth Bypass (Limited): Unauthorized access to backend or user data without financial impact.\n- Subdomain Takeover: Control of unused subdomains with reputational or phishing risk.\n- Verification Code Flaws: Weaknesses in login or password reset verification logic.\n- Sensitive Data Exposure: Disclosure of encrypted or internal user data through accessible interfaces.\n- Cleartext Credentials: Hardcoded credentials in source code or configuration files, excluding API keys.\n\n### Low\n- Reflected XSS: Non-persistent cross-site scripting in URLs or parameters.\n- DOM/Flash XSS: Client-side cross-site scripting with no backend interaction.\n- Open Redirects: Redirecting users to external domains without validation.\n- General Info Leaks: Exposure of internal paths, directories, or debug interfaces.\n- Common CSRF: CSRF targeting non-sensitive user actions.\n- HTTP Header Manipulation: Modifying headers with low impact, such as cache behavior or redirects.\n\n## Mobile Application Vulnerabilities\n*Focus: Issues found in OKX official mobile apps.*\n\n### Critical\n- Remote Exploits: Remote compromise of app integrity or execution of code on OKX infrastructure.\n- Mass Data Breach: Unauthorized access to large volumes of user data through application flaws.\n- Admin Privilege Takeover: Gaining backend administrative access via mobile vectors.\n- System Command Execution: Executing operating system commands on application servers.\n- SQL/NoSQL Injection: Exploiting mobile API endpoints to manipulate backend database queries, leading to mass exfiltration/modification of sensitive data (PII, financial info, credentials) or backend system compromise.\n\n### High\n- CSRF (Critical Actions): CSRF that leads to account compromise or unauthorized asset actions.\n- SSRF (Contextual Impact): SSRF accessing internal systems or services via mobile endpoints.\n- Sensitive Data Exposure: Leaking encrypted or sensitive information stored or processed by the app.\n- Transaction Disruptions: Application flaws that interfere with trade, deposit, or withdrawal flows.\n- Logic Flaws (Fund Impact): Exploiting application logic to manipulate balances or perform unauthorized transactions.\n- Source Code Leakage: Exposure of significant application source code.\n- Unauthorized Operations: Performing unauthorized transactions or financial operations through app exploits.\n\n### Medium\n- Stored XSS (Interaction): Persistent cross-site scripting within mobile app components that requires user interaction.\n- CSRF (Core Business): Cross-site request forgery targeting non-critical business logic.\n- Auth Bypass (Limited): Unauthorized access to user data or configurations without financial impact.\n- Local Storage Leaks: Disclosure of sensitive app-stored data, such as session tokens or encrypted credentials.\n- Verification Flaws: Weaknesses in OTP, login, or reset mechanisms due to insufficient validation or rate limiting.\n- Cleartext Credentials: Hardcoded secrets in app files, excluding API keys.\n\n### Low\n- Component Exposure: Unintended exposure of app components, such as exported Android activities or iOS services.\n- Open Redirects: Unvalidated redirects in app flows.\n- HTTP Header Issues: Minor header manipulation with negligible impact.\n\n## Desktop Client Vulnerabilities\n*Focus: Issues found in OKX desktop clients - Windows / macOS (downloaded from okx.com).*\n\n### Critical\n- Remote Code Execution (RCE): Execution of arbitrary code on the client or connected server via the desktop application.\n- Admin Privilege Takeover: Gaining backend administrative control through the client (e.g., server-side SSRF).\n- System Command Execution: Execution of operating system commands on the client or backend server via misconfigurations or unsafe input handling.\n\n### High\n- CSRF (Account Takeover or Fund Transfers): Forged client requests that result in critical authenticated actions.\n- SSRF (Contextual Impact): Forged requests from the app to internal services.\n- Sensitive Data Exposure: Exposure of encrypted seeds or local sensitive data via app functionality.\n- Transaction Disruptions: Client-side bugs that prevent valid trading, deposits, or withdrawals.\n- Logic Flaws (Fund Impact): Exploiting client-side logic to manipulate account balances or transfer behaviors.\n\n### Medium\n- CSRF (Core Business): Forging non-sensitive client actions, such as settings changes.\n- Auth Bypass (Limited): Gaining unauthorized access to user-level configurations or restricted client views.\n- Local Storage Leaks: Exposure of exploitable data stored by the client, such as session tokens or authentication secrets, without adequate protection or access control.\n- Cleartext Credentials: Hardcoded secrets (excluding API keys) embedded in client configurations or binaries.\n\n### Low\n- Local DoS: Crashing the desktop app via malformed files or inputs.\n- Minor Misconfigurations: Exposure of temporary or local files with no sensitive data or direct exploitability.\n\n## Web3 Vulnerabilities\n*Focus: Issues affecting OKX Web3 Wallet, blockchain infrastructure, or funds.*\n\n### Extreme\n*Criteria: Affects all users, \u003e60 min downtime, or \u003e$500K potential loss.*\n- Zero-interaction mass compromise of funds/private keys or large-scale data breaches.  
\n\n### Critical\n*Criteria: Affects \u003e50% of users, \u003e15 min downtime, or \u003e$100K potential loss.*\n- Remote exploits on validators/contracts or admin takeovers.  \n\n### High\n*Criteria: Affects \u003e30% of users, \u003e10 min downtime, or \u003e$50K potential loss.*\n- Validator issues, fund logic flaws, or code leaks.  \n\n### Medium\n*Criteria: Requires interaction or limited scope.*\n- Interaction-based wallet exploits or transaction disruptions.  \n\n### Low\n*Criteria: Minimal impact or exploitability.*\n- Node stability issues or minor leaks.\n\nOther classifications\n====================\nIDOR Vulnerabilities\n- Researchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\nWeb3 Wallet Extensions reports\n- The wallet extensions share the same codebase. Therefore, if you identify a vulnerability, submitting a single report for any one wallet is sufficient. Submitting the same vulnerability report for another wallet extension will be considered a duplicate and will not be eligible for separate rewards.\n\nMobile application reports\n- Submitting a single report for any one of the mobile applications is sufficient. Submitting the same vulnerability report for another mobile application will be considered a duplicate and will not be eligible for separate rewards.\n\nAdditional notes\n- In addition to identified vulnerabilities, we appreciate you reporting any broken links, potential Denial-of-Service (DoS) vulnerabilities, or leaked credentials you encounter during your research.\n- Please note that we will review these findings on a case-by-case basis to determine if they are eligible for a bounty award.\n\n------\n\nOUT OF SCOPE – WEB / DESKTOP CLIENT VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device\n- Previously known vulnerable libraries without a working Proof of Concept\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability\n- Missing best practices in SSL/TLS configuration\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities that only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated\n- WordPress-related vulnerabilities\n- DLL hijacking reports that fail to demonstrate how they achieve elevated privileges.\n- Reports that bypass rate limiting through changing of IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n- Sensitive data exposure on social media accounts\n- Internal domain takeovers that are not okx.com\n- Reports with desktop client versions not downloaded from our official sites listed in our scope\n- Proof of reserves being reported as \"sensitive document\" leak\n- Sensitive information leak from web archive / wayback machine\n- Broken link / social media account takeovers\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without a PoC that impacts business logic\n- Lack of obfuscation/binary protection/root (jailbreak) detection\n- Bypass of certificate pinning on rooted devices\n- Lack of exploit mitigations, i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in the app's private directory\n- Runtime hacking exploits using tools such as, but not limited to, Frida / Appmon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view opened URIs.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n- Reports that bypass rate limiting through changing of IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n- Reports with mobile versions not downloaded from official sites listed in our scope\n\n---\n\nReward List\n===\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\nKnown issues\n===\nPlease note that the OKX Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from repeatedly renegotiating once the decision has been made.\n\nSafe Harbor\n===\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKX and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":["{\"platform_standard\":\"IDOR\",\"justification\":null}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-20T07:10:05.981Z"},{"id":3748690,"new_policy":"About OKG:\n=========\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. 
Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\nResponse Targets:\n==============\nOKG will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not blast the support centre tickets with too many requests.\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, 
including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. 
We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or of one of our contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n\nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities affecting critical assets, which can lead to severe business interruptions, affecting all users, leaving systems or services unavailable for more than 60 minutes, or resulting in potential economic losses of more than 500K USD\n- Or vulnerabilities that allow unauthorized access to the following:\n  - Any vulnerability that leads to the mass compromise of OKX exchange account funds or OKX Web3 wallet funds and private keys, requiring zero interaction from victims, and allowing an attacker to access and control funds from multiple OKX exchange accounts or Web3 wallets at will\n  - Any vulnerability that leads to potential large-scale data breaches (including but not limited to user data) which results in potential regulatory penalties as well as financial and reputational losses for the company\n\nCritical\n- Vulnerabilities affecting critical assets, which can lead to business interruption, affecting more than 50% of users, leaving systems or services unavailable for more than 15 minutes, or resulting in potential economic losses of more than 100K USD\n- Vulnerabilities that may, under certain conditions, compromise the security of funds or fees of certain types of users or validators, or significantly weaken the token economy or trading mechanism\n- Remote code execution on OKX's official blockchain infrastructure and services, as well as vulnerabilities affecting the security of funds in on-chain contracts\n- Manipulation of multiple machines in the blockchain validator set or on the intranet\n- Gaining control of critical back-end primary administrator privileges, leading to serious consequences such as widespread exposure of critical business information\n- Vulnerabilities caused by system command execution\n\nHigh\n- Vulnerabilities affecting critical assets, which can lead to business interruption, affecting more than 30% of users, leaving systems or services unavailable for more than 10 minutes, or resulting in potential economic losses of more than 50K USD.\n- Vulnerabilities that compromise blockchain validators and their performance\n- SQL injection\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend passwords, and SSRF (Server-Side Request Forgery) used to obtain large amounts of sensitive information from the intranet\n- Unauthorized operation of funds, bypassing payment logic (successfully executed)\n- Serious logical design and process vulnerabilities, including but not limited to allowing login as an arbitrary user, mass modification of account passwords, and logical vulnerabilities that endanger the company's critical business\n- Other vulnerabilities that could have a large-scale impact on users, including but not limited to stored XSS (Cross Site Scripting) worms on important pages\n- Substantial leakage of source code\n- Unauthorized access to interfaces or services containing sensitive user data\n\nMedium\n- Vulnerabilities that affect users through interaction, including stored XSS and CSRF (cross-site request forgery) of core businesses\n- Unauthorized operations, including but not limited to bypassing authentication to modify user information or user configurations\n- Logical loopholes in verification codes that may make brute-forcing sensitive operations possible, such as logging in to an arbitrary account or retrieving an arbitrary account's password\n- Leakage of sensitive encrypted data from local storage (where it can be effectively exploited)\n- Vulnerabilities that lead to transaction and deposit disruptions, such as inability to cancel orders, inability to place orders, or account history errors\n- Subdomain takeover\n- Cleartext passwords or cleartext AK/SK hardcoded in code or configuration files\n- Unauthorized access to interfaces or services that do not contain sensitive user data\n\nLow\n- Vulnerabilities that may affect the stability or availability of OKC-related nodes\n- Local denial of service vulnerabilities, including but not limited to local denial of service in the client application (caused by file format and network protocol parsing), Android component access exposure, and general application access-related issues\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing\n- Reflected XSS (including DOM XSS/Flash XSS)\n- Common CSRF\n- Open redirection vulnerabilities\n- Social media account takeover (for accounts found on the community page, or within the header or footer sections of the OKX webpage)\n- HTTP Header Manipulation Vulnerability\n\nOther classifications\n=============================\nIDOR Vulnerabilities\n- Researchers must be able to prove a feasible way to gain an ID as an attacker, and we will not accept reports where IDs are being brute forced.\n\nBroken link reports\n- Broken links that cannot be exploited or do not present a security risk may be excluded, and the reward amount could be adjusted accordingly.\n- Only broken links related to OKX found on the community page, or within the header or footer sections of the OKX webpage, will be considered in scope.\n- Broken links or takeover of social media accounts found in Help / Support / Learn articles are out of scope.\n- Third-party broken links found on articles or social media channels will be considered out of scope.\n- All other broken links not mentioned will be considered out of scope.\n\nWeb3 Wallet Extensions reports\n- The wallet extensions share the same codebase. Therefore, if you identify a vulnerability, submitting a single report for any one wallet is sufficient. 
Submitting the same vulnerability report for another wallet extension will be considered a duplicate and will not be eligible for separate rewards.\n\nMobile application reports\n- Submitting a single report for any one of the mobile applications is sufficient. Submitting the same vulnerability report for another mobile application will be considered a duplicate and will not be eligible for separate rewards.\n\nAdditional notes\n- In addition to identified vulnerabilities, we appreciate you reporting any broken links, potential Denial-of-Service (DoS) vulnerabilities, or leaked credentials you encounter during your research.\n- Please note that we will review these findings on a case-by-case basis to determine if they are eligible for a bounty award.\n\n------\n\nOUT OF SCOPE – WEB / DESKTOP CLIENT VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL / TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy.\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF / DKIM / DMARC records, etc.)\n- Vulnerabilities that only affect users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated.\n- WordPress-related vulnerabilities\n- DLL hijacking reports that fail to demonstrate how they achieve elevated privileges.\n- Reports that bypass rate limiting through changing of IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n- Sensitive data exposure on social media accounts\n- Internal domain takeovers that are not okx.com\n- Reports with desktop client versions not downloaded from our official sites listed in our scope\n- Proof of reserves being reported as \"sensitive document\" leak\n- Sensitive information leak from web archive / wayback machine\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root / jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without a PoC that impacts business logic\n- Lack of obfuscation / binary protection / root (jailbreak) detection\n- Bypass of certificate pinning on rooted devices\n- Lack of exploit mitigations, i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs / request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret hard-coded / recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity / Service / Broadcast Receiver\n- Any kind of sensitive data stored in the app's private directory\n- Runtime hacking exploits using tools such as, but not limited to, Frida / Appmon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view opened URIs.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n- Reports that bypass rate limiting through changing of IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n- Reports with mobile versions not downloaded from official sites listed in our scope\n\n------\n\nReward List\n==========\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\nKnown issues\n==========\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from repeatedly renegotiating once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-24T07:37:52.951Z"},{"id":3747989,"new_policy":"About OKG: \n=========\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\nResponse Targets:\n==============\nOKG will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering 
attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not blast the support centre tickets with too many requests.\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. 
We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities affecting critical assets, which can lead to severe business interruptions, affecting all users, systems or services unavailable for more than 60 minutes, resulting in potential economic losses of more than 500K USD\n- Or allow unauthorized access to the following content:\n  - Any vulnerability that leads to the mass compromise of OKX exchange account funds or OKX Web3 wallet funds and private keys, requiring zero interaction from victims, and allowing an attacker to access and control funds from multiple OKX exchange accounts or Web3 wallets at will\n  - Any vulnerability that leads to potential large-scale data breaches (including but not limited to user data) which results in potential regulatory penalties as well as financial and reputational losses for the company\n\nCritical\n- Vulnerabilities affecting critical assets, which can lead to business interruption, affecting more than 50% of users, system or service unavailability for more than 15 minutes, resulting in potential economic losses of more than 100K USD\n- Vulnerabilities that may, under certain conditions, compromise the security of funds or fees of certain types of users or validators, or significantly weaken the token economy or trading mechanism\n- Vulnerabilities caused by remote code execution of OKX's official blockchain infrastructure and services, as well as fund security affecting on-chain contracts\n- Manipulation of multiple machines on the blockchain validator or intranet\n- Gaining control of critical back-end primary administrator privileges, leading to serious consequences such as widespread exposure of critical business 
information\n- Vulnerabilities caused by system command execution\n\nHigh\n- Vulnerabilities affecting critical assets, which can lead to business interruption, affecting more than 30% of users, system or service unavailability for more than 10 minutes, resulting in potential economic losses of more than 50K USD.\n- Vulnerabilities that compromise blockchain validators and their performance\n- SQL injection\n- Unauthorized access to sensitive data, including but not limited to bypass authentication to access the backend, backend weak passwords, SSRF to obtain large amounts of sensitive information from the intranet (Server-Side Request Forgery)\n- Unauthorized operation of funds, bypassing payment logic (successfully executed)\n- Serious logical design and process vulnerabilities, including but not limited to allowing random user login, massive modification of account passwords, and logical vulnerabilities that endanger the company's critical business\n- Other vulnerabilities that could have a large-scale impact on users, including but not limited to stored XSS (Cross Site Scripting) worms for important pages\n- Substantial leakage of source codes\n- Unauthorized access to interfaces or services containing sensitive data from users\n\nMedium\n- Vulnerabilities that affect users through interaction, including stored XSS, CSRF (cross-site request forgery) of core businesses\n- Unauthorized operations, including but not limited to bypassing authentication to modify user information, modifying user configurations\n- Logical loopholes in verification code that may make blasting through sensitive operations possible, such as random account login and random password retrieval\n- Local storage sensitive encrypted data leakage (effective utilization)\n- Vulnerabilities that lead to transactions and deposits disruptions, such as inability to cancel orders, place orders, account history errors\n- Subdomain takeover\n- Clear text password, clear text AK/SK hardcoding in code 
file or configuration file\n- Unauthorized access to interfaces or services that do not contain sensitive user data\n\nLow\n- Vulnerabilities that may affect the stability or availability of OKC-related nodes\n- Local denial of service vulnerabilities, including but not limited to local denial of service vulnerabilities in the client application (caused by file format and network protocol parsing), Android component access exposure, and general application access-related issues\n- General information leakage, including but not limited to web path traversal, system path traversal, directory browsing\n- Reflected XSS (including DOM XSS/Flash XSS)\n- Common CSRF\n- Open redirection vulnerabilities\n- Social media account takeover (for accounts found on community page, or within the header or footer sections of OKX webpage)\n- HTTP Header Manipulation Vulnerability\n\nOther classifications\n=============================\nIDOR Vulnerabilities\n- Researchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\nBroken link reports\n- Broken links that cannot be exploited or do not present a security risk may be excluded, and the reward amount could be adjusted accordingly.\n- Only broken links related to OKX found on the community page, or within the header or footer sections of OKX webpage, will be considered in scope. \n- Broken links or takeover of social media accounts found in Help / Support / Learn articles are out of scope.\n- Third party broken links found on articles or social media channels will be considered out of scope.\n- All other broken links not mentioned will be considered out of scope.\n\nWeb3 Wallet Extensions reports\n- The wallet extensions share the same codebase. Therefore, if you identify a vulnerability, submitting a single report for any one wallet is sufficient. 
Submitting the same vulnerability report for another wallet extension will be considered a duplicate and will not be eligible for separate rewards.\n\nMobile application reports\n- Submitting a single report for any one of the mobile applications is sufficient. Submitting the same vulnerability report for another mobile application will be considered a duplicate and will not be eligible for separate rewards.\n\nAdditional notes\n- In addition to identified vulnerabilities, we appreciate you reporting any broken links, potential Denial-of-Service (DoS) vulnerabilities, or leaked credentials you encounter during your research.\n- Please note that we will review these findings on a case-by-case basis to determine if they are eligible for a bounty award.\n\n------\n\nOUT OF SCOPE – WEB / DESKTOP CLIENT VULNERABILITIES\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL / TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS\n- Rate 
limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy.\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF / DKIM / DMARC records, etc.)\n- Vulnerabilities only affect users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated.\n- Wordpress related vulnerability\n- DLL hijacking reports that fail to demonstrate how they achieve elevated privileges.\n- Reports that bypass rate limiting through changing of IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n- Sensitive data exposure on social media accounts\n- Internal domain takeovers that are not okx.com \n- Reports with desktop client versions not downloaded from our official sites listed in our scope\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root / jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without PoC that impacts business logic\n- Lack of obfuscation / binary protection / root (jailbreak) detection\n- Bypass certificate pinning on rooted devices\n- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs / request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth 
\u0026 app secret hard-coded / recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity / Service / Broadcast Receiver\n- Any kind of sensitive data stored in-app private directory\n- Runtime hacking exploits using tools like but not limited to Frida / Appmon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n- Reports that bypass rate limiting through changing of IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n- Reports with mobile versions not downloaded from official sites listed in our scope\n\n------\n\nReward List \n==========\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\nKnown issues\n==========\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-14T08:09:45.526Z"},{"id":3747617,"new_policy":"About OKG: \n=========\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\nResponse Targets:\n==============\nOKG will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering 
attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n- Please limit your requests to 5 requests per second.\n- Please do not blast the support centre tickets with too many requests.\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. 
We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities affecting critical assets, which can lead to severe business interruptions, affecting all users, systems or services unavailable for more than 60 minutes, resulting in potential economic losses of more than 500K USD\n- Or allow unauthorized access to the following content:\n  - Any OKX account funds\n  - Any funds or private keys in OKX Web3 wallet\n  - Any vulnerability that leads to potential large-scale data breaches (including but not limited to user data) which results in potential regulatory penalties as well as financial and reputational losses for the company\n\nCritical\n- Vulnerabilities affecting critical assets, which can lead to business interruption, affecting more than 50% of users, system or service unavailability for more than 15 minutes, resulting in potential economic losses of more than 100K USD\n- Vulnerabilities that may, under certain conditions, compromise the security of funds or fees of certain types of users or validators, or significantly weaken the token economy or trading mechanism\n- Vulnerabilities caused by remote code execution of OKX's official blockchain infrastructure and services, as well as fund security affecting on-chain contracts\n- Manipulation of multiple machines on the blockchain validator or intranet\n- Gaining control of critical back-end primary administrator privileges, leading to serious consequences such as widespread exposure of critical business information\n- Vulnerabilities caused by system command execution\n\nHigh\n- Vulnerabilities affecting critical assets, which can lead to business interruption, affecting more than 30% of users, system or service 
unavailability for more than 10 minutes, resulting in potential economic losses of more than 50K USD.\n- Vulnerabilities that compromise blockchain validators and their performance\n- SQL injection\n- Unauthorized access to sensitive data, including but not limited to bypass authentication to access the backend, backend weak passwords, SSRF to obtain large amounts of sensitive information from the intranet (Server-Side Request Forgery)\n- Unauthorized operation of funds, bypassing payment logic (successfully executed)\n- Serious logical design and process vulnerabilities, including but not limited to allowing random user login, massive modification of account passwords, and logical vulnerabilities that endanger the company's critical business\n- Other vulnerabilities that could have a large-scale impact on users, including but not limited to stored XSS (Cross Site Scripting) worms for important pages\n- Substantial leakage of source codes\n- Unauthorized access to interfaces or services containing sensitive data from users\n\nMedium\n- Vulnerabilities that affect users through interaction, including stored XSS, CSRF (cross-site request forgery) of core businesses\n- Unauthorized operations, including but not limited to bypassing authentication to modify user information, modifying user configurations\n- Logical loopholes in verification code that may make blasting through sensitive operations possible, such as random account login and random password retrieval\n- Local storage sensitive encrypted data leakage (effective utilization)\n- Vulnerabilities that lead to transactions and deposits disruptions, such as inability to cancel orders, place orders, account history errors\n- Subdomain takeover\n- Clear text password, clear text AK/SK hardcoding in code file or configuration file\n- Unauthorized access to interfaces or services that do not contain sensitive user data\n\nLow\n- Vulnerabilities that may affect the stability or availability of OKC-related nodes\n- 
Local denial of service vulnerabilities, including but not limited to local denial of service vulnerabilities in the client application (caused by file format and network protocol parsing), Android component access exposure, and general application access-related issues\n- General information leakage, including but not limited to web path traversal, system path traversal, directory browsing\n- Reflected XSS (including DOM XSS/Flash XSS)\n- Common CSRF\n- Open redirection vulnerabilities\n- Social media account takeover (for accounts found on community page, or within the header or footer sections of OKX webpage)\n- HTTP Header Manipulation Vulnerability\n\nOther classifications\n=============================\nIDOR Vulnerabilities\n- Researchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\nBroken link reports\n- Broken links that cannot be exploited or do not present a security risk may be excluded, and the reward amount could be adjusted accordingly.\n- Only broken links related to OKX found on the community page, or within the header or footer sections of OKX webpage, will be considered in scope. \n- Broken links or takeover of social media accounts found in Help / Support / Learn articles are out of scope.\n- Third party broken links found on articles or social media channels will be considered out of scope.\n- All other broken links not mentioned will be considered out of scope.\n\nWeb3 Wallet Extensions reports\n- The wallet extensions share the same codebase. Therefore, if you identify a vulnerability, submitting a single report for any one wallet is sufficient. Submitting the same vulnerability report for another wallet extension will be considered a duplicate and will not be eligible for separate rewards.\n\nMobile application reports\n- Submitting a single report for any one of the mobile applications is sufficient. 
Submitting the same vulnerability report for another mobile application will be considered a duplicate and will not be eligible for separate rewards.\n\nAdditional notes\n- In addition to identified vulnerabilities, we appreciate you reporting any broken links, potential Denial-of-Service (DoS) vulnerabilities, or leaked credentials you encounter during your research.\n- Please note that we will review these findings on a case-by-case basis to determine if they are eligible for a bounty award.\n\n------\n\nOUT OF SCOPE – WEB / DESKTOP CLIENT VULNERABILITIES\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL / TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy.\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF / DKIM / DMARC records, etc.)\n- 
Vulnerabilities only affect users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated.\n- Wordpress related vulnerability\n- DLL hijacking reports that fail to demonstrate how they achieve elevated privileges.\n- Reports that bypass rate limiting through changing of IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n- Sensitive data exposure on social media accounts\n- Internal domain takeovers that are not okx.com \n- Reports with desktop client versions not downloaded from our official sites listed in our scope\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root / jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without PoC that impacts business logic\n- Lack of obfuscation / binary protection / root (jailbreak) detection\n- Bypass certificate pinning on rooted devices\n- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs / request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret hard-coded / recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity / Service / Broadcast Receiver\n- Any kind of sensitive data stored 
in-app private directory\n- Runtime hacking exploits using tools like but not limited to Frida / Appmon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n- Reports that bypass rate limiting through changing of IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n- Reports with mobile versions not downloaded from official sites listed in our scope\n\n------\n\nReward List \n==========\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\nKnown issues\n==========\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-08T07:27:39.101Z"},{"id":3747607,"new_policy":"About OKG: \n=========\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\nResponse Targets:\n==============\nOKG will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering 
attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. 
We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or of one of our contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities affecting critical assets, which can lead to severe business interruptions, affecting all users, with systems or services unavailable for more than 60 minutes, resulting in potential economic losses of more than 500K USD\n- Or vulnerabilities that allow unauthorized access to the following content:\n  - Any OKX account funds\n  - Any funds or private keys in OKX Web3 wallet\n  - Any vulnerability that leads to potential large-scale data breaches (including but not limited to user data) which results in potential regulatory penalties as well as financial and reputational losses for the company\n\nCritical\n- Vulnerabilities affecting critical assets, which can lead to business interruption, affecting more than 50% of users, with system or service unavailability for more than 15 minutes, resulting in potential economic losses of more than 100K USD\n- Vulnerabilities that may, under certain conditions, compromise the security of funds or fees of certain types of users or validators, or significantly weaken the token economy or trading mechanism\n- Vulnerabilities caused by remote code execution on OKX's official blockchain infrastructure and services, as well as fund security issues affecting on-chain contracts\n- Manipulation of multiple machines on the blockchain validator or intranet\n- Gaining control of critical back-end primary administrator privileges, leading to serious consequences such as widespread exposure of critical business information\n- Vulnerabilities caused by system command execution\n\nHigh\n- Vulnerabilities affecting critical assets, which can lead to business interruption, affecting more than 30% of users, with system or service 
unavailability for more than 10 minutes, resulting in potential economic losses of more than 50K USD.\n- Vulnerabilities that compromise blockchain validators and their performance\n- SQL injection\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend passwords, and SSRF (Server-Side Request Forgery) to obtain large amounts of sensitive information from the intranet\n- Unauthorized operation of funds, bypassing payment logic (successfully executed)\n- Serious logical design and process vulnerabilities, including but not limited to allowing random user login, massive modification of account passwords, and logical vulnerabilities that endanger the company's critical business\n- Other vulnerabilities that could have a large-scale impact on users, including but not limited to stored XSS (Cross Site Scripting) worms on important pages\n- Substantial leakage of source code\n- Unauthorized access to interfaces or services containing sensitive user data\n\nMedium\n- Vulnerabilities that affect users through interaction, including stored XSS and CSRF (cross-site request forgery) in core businesses\n- Unauthorized operations, including but not limited to bypassing authentication to modify user information or user configurations\n- Logical loopholes in verification codes that may make brute-forcing (blasting) sensitive operations possible, such as random account login and random password retrieval\n- Leakage of sensitive encrypted data in local storage (with effective use)\n- Vulnerabilities that disrupt transactions and deposits, such as inability to cancel or place orders, or account history errors\n- Subdomain takeover\n- Clear-text passwords or clear-text AK/SK hardcoded in code or configuration files\n- Unauthorized access to interfaces or services that do not contain sensitive user data\n\nLow\n- Vulnerabilities that may affect the stability or availability of OKC-related nodes\n- 
Local denial of service vulnerabilities, including but not limited to local denial of service vulnerabilities in the client application (caused by file format and network protocol parsing), Android component access exposure, and general application access-related issues\n- General information leakage, including but not limited to web path traversal, system path traversal, directory browsing\n- Reflected XSS (including DOM XSS/Flash XSS)\n- Common CSRF\n- Open redirection vulnerabilities\n- Social media account takeover (for accounts found on community page, or within the header or footer sections of OKX webpage)\n- HTTP Header Manipulation Vulnerability\n\nOther classifications\n=============================\nIDOR Vulnerabilities\n- Researchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\nBroken link reports\n- Broken links that cannot be exploited or do not present a security risk may be excluded, and the reward amount could be adjusted accordingly.\n- Only broken links related to OKX found on the community page, or within the header or footer sections of OKX webpage, will be considered in scope. \n- Broken links or takeover of social media accounts found in Help / Support / Learn articles are out of scope.\n- Third party broken links found on articles or social media channels will be considered out of scope.\n- All other broken links not mentioned will be considered out of scope.\n\nWeb3 Wallet Extensions reports\n- The wallet extensions share the same codebase. Therefore, if you identify a vulnerability, submitting a single report for any one wallet is sufficient. Submitting the same vulnerability report for another wallet extension will be considered a duplicate and will not be eligible for separate rewards.\n\nMobile application reports\n- Submitting a single report for any one of the mobile applications is sufficient. 
Submitting the same vulnerability report for another mobile application will be considered a duplicate and will not be eligible for separate rewards.\n\nAdditional notes\n- In addition to identified vulnerabilities, we appreciate you reporting any broken links, potential Denial-of-Service (DoS) vulnerabilities, or leaked credentials you encounter during your research.\n- Please note that we will review these findings on a case-by-case basis to determine if they are eligible for a bounty award.\n\n------\n\nOUT OF SCOPE – WEB / DESKTOP CLIENT VULNERABILITIES\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL / TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy.\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF / DKIM / DMARC records, etc.)\n- 
Vulnerabilities that only affect users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated.\n- WordPress-related vulnerabilities\n- DLL hijacking reports that fail to demonstrate how they achieve elevated privileges.\n- Reports that bypass rate limiting by changing IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root / jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without a PoC that impacts business logic\n- Lack of obfuscation / binary protection / root (jailbreak) detection\n- Bypassing certificate pinning on rooted devices\n- Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries\n- Sensitive data in URLs / request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret hard-coded / recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity / Service / Broadcast Receiver\n- Any kind of sensitive data stored in the app's private directory\n- Runtime hacking exploits using tools like but not limited to Frida / Appmon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system 
clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n- Reports that bypass rate limiting through changing of IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n\n------\n\nReward List \n==========\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\nKnown issues\n==========\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-08T06:41:44.365Z"},{"id":3747606,"new_policy":"About OKG: \n=========\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\nResponse Targets:\n==============\nOKG will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering 
attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. 
We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or of one of our contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities affecting critical assets, which can lead to severe business interruptions, affecting all users, with systems or services unavailable for more than 60 minutes, resulting in potential economic losses of more than 500K USD\n- Or vulnerabilities that allow unauthorized access to the following content:\n  - Any OKX account funds\n  - Any funds or private keys in OKX Web3 wallet\n  - Any vulnerability that leads to potential large-scale data breaches (including but not limited to user data) which results in potential regulatory penalties as well as financial and reputational losses for the company\n\nCritical\n- Vulnerabilities affecting critical assets, which can lead to business interruption, affecting more than 50% of users, with system or service unavailability for more than 15 minutes, resulting in potential economic losses of more than 100K USD\n- Vulnerabilities that may, under certain conditions, compromise the security of funds or fees of certain types of users or validators, or significantly weaken the token economy or trading mechanism\n- Vulnerabilities caused by remote code execution on OKX's official blockchain infrastructure and services, as well as fund security issues affecting on-chain contracts\n- Manipulation of multiple machines on the blockchain validator or intranet\n- Gaining control of critical back-end primary administrator privileges, leading to serious consequences such as widespread exposure of critical business information\n- Vulnerabilities caused by system command execution\n\nHigh\n- Vulnerabilities affecting critical assets, which can lead to business interruption, affecting more than 30% of users, with system or service 
unavailability for more than 10 minutes, resulting in potential economic losses of more than 50K USD.\n- Vulnerabilities that compromise blockchain validators and their performance\n- SQL injection\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend passwords, and SSRF (Server-Side Request Forgery) to obtain large amounts of sensitive information from the intranet\n- Unauthorized operation of funds, bypassing payment logic (successfully executed)\n- Serious logical design and process vulnerabilities, including but not limited to allowing random user login, massive modification of account passwords, and logical vulnerabilities that endanger the company's critical business\n- Other vulnerabilities that could have a large-scale impact on users, including but not limited to stored XSS (Cross Site Scripting) worms on important pages\n- Substantial leakage of source code\n- Unauthorized access to interfaces or services containing sensitive user data\n\nMedium\n- Vulnerabilities that affect users through interaction, including stored XSS and CSRF (cross-site request forgery) in core businesses\n- Unauthorized operations, including but not limited to bypassing authentication to modify user information or user configurations\n- Logical loopholes in verification codes that may make brute-forcing (blasting) sensitive operations possible, such as random account login and random password retrieval\n- Leakage of sensitive encrypted data in local storage (with effective use)\n- Vulnerabilities that disrupt transactions and deposits, such as inability to cancel or place orders, or account history errors\n- Subdomain takeover\n- Clear-text passwords or clear-text AK/SK hardcoded in code or configuration files\n- Unauthorized access to interfaces or services that do not contain sensitive user data\n\nLow\n- Vulnerabilities that may affect the stability or availability of OKC-related nodes\n- 
Local denial of service vulnerabilities, including but not limited to local denial of service vulnerabilities in the client application (caused by file format and network protocol parsing), Android component access exposure, and general application access-related issues\n- General information leakage, including but not limited to web path traversal, system path traversal, directory browsing\n- Reflected XSS (including DOM XSS/Flash XSS)\n- Common CSRF\n- Open redirection vulnerabilities\n- Social media account takeover (for accounts found on community page, or within the header or footer sections of OKX webpage)\n- HTTP Header Manipulation Vulnerability\n\nOther classifications\n=============================\nIDOR Vulnerabilities\n- Researchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\nBroken link reports\n- Broken links that cannot be exploited or do not present a security risk may be excluded, and the reward amount could be adjusted accordingly.\n- Only broken links related to OKX found on the community page, or within the header or footer sections of OKX webpage, will be considered in scope. \n- Broken links or takeover of social media accounts found in Help / Support / Learn articles are out of scope.\n- Third party broken links found on articles or social media channels will be considered out of scope.\n- All other broken links not mentioned will be considered out of scope.\nWeb3 Wallet Extensions reports\n- The wallet extensions share the same codebase. Therefore, if you identify a vulnerability, submitting a single report for any one wallet is sufficient. Submitting the same vulnerability report for another wallet extension will be considered a duplicate and will not be eligible for separate rewards.\nMobile application reports\n- Submitting a single report for any one of the mobile applications is sufficient. 
Submitting the same vulnerability report for another mobile application will be considered a duplicate and will not be eligible for separate rewards.\nAdditional notes\n- In addition to identified vulnerabilities, we appreciate you reporting any broken links, potential Denial-of-Service (DoS) vulnerabilities, or leaked credentials you encounter during your research.\n- Please note that we will review these findings on a case-by-case basis to determine if they are eligible for a bounty award.\n\n------\n\nOUT OF SCOPE – WEB / DESKTOP CLIENT VULNERABILITIES\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL / TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy.\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF / DKIM / DMARC records, etc.)\n- 
Vulnerabilities that only affect users of outdated or unpatched browsers (Less than 2 stable versions behind the latest released stable version)\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated.\n- WordPress-related vulnerabilities\n- DLL hijacking reports that fail to demonstrate how they achieve elevated privileges.\n- Reports that bypass rate limiting by changing IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root / jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without a PoC that impacts business logic\n- Lack of obfuscation / binary protection / root (jailbreak) detection\n- Bypassing certificate pinning on rooted devices\n- Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries\n- Sensitive data in URLs / request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret hard-coded / recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity / Service / Broadcast Receiver\n- Any kind of sensitive data stored in the app's private directory\n- Runtime hacking exploits using tools like but not limited to Frida / Appmon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system 
clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n- Reports that bypass rate limiting through changing of IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n\n------\n\nReward List \n==========\nHigh-quality reports (such as complicated attack chains with video PoC) may be awarded an extra bonus. A high-quality report is a thoroughly written vulnerability report that includes (when applicable) a working proof-of-concept, root cause analysis, a suggested fix, and any other relevant information.\n\nKnown issues\n==========\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-08T06:40:14.657Z"},{"id":3747324,"new_policy":"About OKG: \n=========\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\nResponse Targets:\n==============\nOKG will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering 
attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. 
We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or of one of our contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities in critical assets capable of causing substantial business disruptions or enabling unauthorized access to OKX funds, or to OKX Web3 wallets holding funds or private wallet keys.\n\nCritical\n- Vulnerabilities that might jeopardise the security of funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms.\n- Manipulation of a blockchain validator, or of multiple machines on the intranet\n- Gaining control of essential backend super administrator privileges, potentially resulting in significant consequences, like widespread exposure of critical business information\n- Exploitation of staking rewards above 10 million that also causes financial loss\n\nHigh\n- Vulnerabilities that could disrupt a blockchain validator and its performance\n- SQL injection into the system (reports of backend loopholes would be downrated, while submissions in a pack would be uprated if appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend passwords, and SSRF that obtains considerable sensitive information from the intranet\n- Unauthorized operation of funds, bypassing payment logic (successfully exploited)\n- Serious logical design and process loopholes, including but not limited to loopholes that allow random user login and mass modification of account passwords, as well as logical loopholes that compromise the company's key business, except for verification code blasting\n- Other vulnerabilities that can cause large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages\n- 
Substantial leakage of source codes\n- Indications of any insider trading or money laundering\n\nMedium\n- Vulnerabilities that affect users through interactions, including stored XSS on normal webpages and CSRF in core businesses.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logical loopholes in verification code that may make blasting through sensitive operations possible, such as random account login and random password retrieval\n- Leakage of locally-stored sensitive encryption data (with effective use)\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Subdomain takeover\n\nLow\n- Vulnerabilities that could affect OKC related nodes on stability or availability. \n- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service vulnerabilities on the client (caused by parsing of file formats and network protocols), and issues related to Android component access exposure and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing, etc.\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Normal CSRF\n- URL redirection vulnerabilities\n- Social media account takeover (for accounts found on community page, or within the header or footer sections of OKX webpage)\n\nIDOR Vulnerabilities\n- Researchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\nBroken link reports\n- Broken links that cannot be exploited or do not present a security risk may be excluded, and the reward amount could be adjusted accordingly.\n- Only broken links related to OKX found on the community page, or within the header or footer sections of OKX webpage, will be considered in scope. 
All other broken links are deemed out of scope.\n- Broken links or takeover of social media accounts found in Help/Support/Learn articles are out of scope. \n- Third party broken links found on articles or social media channels will be considered out of scope.\n\nWeb3 Wallet Extensions reports\n- The wallet extensions share the same codebase. Therefore, if you identify a vulnerability, submitting a single report for any one wallet is sufficient. Submitting the same vulnerability report for another wallet extension will be considered a duplicate and will not be eligible for separate rewards.\n\nMobile application reports\n- Submitting a single report for any one of the mobile applications is sufficient. Submitting the same vulnerability report for another mobile application will be considered a duplicate and will not be eligible for separate rewards.\n\nAdditional notes\n- In addition to identified vulnerabilities, we appreciate you reporting any broken links, potential Denial-of-Service (DoS) vulnerabilities, or leaked credentials you encounter during your research.  \n- Please note that we will review these findings on a case-by-case basis to determine if they are eligible for a bounty award.  \n\n------\n\nOUT OF SCOPE – WEB / DESKTOP CLIENT VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device\n- Previously known-vulnerable libraries without a working Proof of Concept\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability\n- Missing best practices in SSL/TLS configuration\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities that only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. 
discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated\n- Wordpress related vulnerability\n- DLL hijacking reports that fail to demonstrate how they achieve elevated privileges.\n- Reports that bypass rate limiting through changing of IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without PoC that impacts business logic\n- Lack of obfuscation/binary protection/root(jailbreak) detection\n- Bypass certificate pinning on rooted devices\n- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in-app private directory\n- Runtime hacking exploits using tools like but not limited to Frida / Appmon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n- Reports that bypass rate limiting through changing of IP addresses / Device IDs\n- Address bar / URL / domain spoofing in dApp browser\n\n------\n\nKnown issues\n==========\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. 
For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-02T10:42:29.150Z"},{"id":3730365,"new_policy":"About OKG: \n=========\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\nResponse Targets:\n==============\nOKG will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. 
However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities in critical assets capable of causing substantial business disruptions or enabling unauthorized access to OKX funds, OKX web3 wallets with funds or private wallet keys.\n\nCritical\n- Vulnerabilities that might jeopardise the security of funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms.\n- Remote code execution on any OKT Chain\n- Manipulation of blockchain validator, or multiple machines on the intranet\n- Gaining control of essential backend super administrator privileges, potentially resulting in significant consequences, like widespread exposure of critical business information\n- Exploitation of staking rewards above 10 million and also cause financial loss\n\nHigh\n- Vulnerabilities that could disrupt Blockchain validator and its 
performances\n- SQL injection to system (backend loophole reports would be downrated, while submission in pack uprated if appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend password, and SSRF that obtains considerable sensitive information from the intranet\n- Unauthorized operation with fund, bypassing payment logic (successfully exploited)\n- Serious logical design and process loopholes, including but not limited to loopholes that allow random user login and mass modification of account password, as well as logical loopholes that compromise the company's key business, except for verification code blasting\n- Other vulnerabilities that can cause large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages\n- Substantial leakage of source codes\n- Indications of any insider trading or money laundering\n\nMedium\n- Vulnerabilities that affect users through interactions, including stored XSS on normal webpages and CSRF in core businesses.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logical loopholes in verification code that may make blasting through sensitive operations possible, such as random account login and random password retrieval\n- Leakage of locally-stored sensitive encryption data (with effective use)\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Subdomain takeover\n\nLow\n- Vulnerabilities that could affect OKC related nodes on stability or availability. 
\n- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service vulnerabilities on the client (caused by parsing of file formats and network protocols), and issues related to Android component access exposure and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing, etc.\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Normal CSRF\n- URL redirection vulnerabilities\n- SSRF with no echo nor successful use\n- Social media account takeover (for accounts found on community page, or within the header or footer sections of OKX)\n\nIDOR Vulnerabilities\n- Researchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\nBroken link reports\nOKX:\n- Broken links that cannot be exploited or do not present a security risk may be excluded, and the reward amount could be adjusted accordingly.\n- Only broken links related to OKX found on the community page, or within the header or footer sections of OKX, will be considered in scope. All other broken links are deemed out of scope.\n- Broken links or takeover of social media accounts found in Help/Support/Learn articles are out of scope. \n- Third party broken links found on articles or social media channels will be considered out of scope.\n\nOKCOIN:\n- Articles from the past month, as of the report submission date, are considered in scope. Any articles older than this will be deemed out of scope.\n\nAdditional notes\n- In addition to identified vulnerabilities, we appreciate you reporting any broken links, potential Denial-of-Service (DoS) vulnerabilities, or leaked credentials you encounter during your research.  \n- Please note that we will review these findings on a case-by-case basis to determine if they are eligible for a bounty award.  
\n\n------\n\nOUT OF SCOPE – WEB VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device\n- Previously known vulnerable libraries without a working Proof of Concept\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability\n- Missing best practices in SSL/TLS configuration\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated\n- Wordpress related vulnerability\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without PoC that impacts business logic\n- Lack of obfuscation/binary protection/root(jailbreak) detection\n- Bypass certificate pinning on rooted devices\n- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in-app private directory\n- Runtime hacking exploits using tools like but not limited to Frida / Appmon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n\n------\n\n\nKnown issues\n==========\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. 
For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-21T07:40:25.934Z"},{"id":3726123,"new_policy":"About OKG: \n=========\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\nResponse Targets:\n==============\nOKG will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. 
However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities in critical assets capable of causing substantial business disruptions or enabling unauthorized access to OKX funds, OKX web3 wallets with funds or private wallet keys.\n\nCritical\n- Vulnerabilities that might jeopardise the security of funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms.\n- Remote code execution on any OKT Chain\n- Manipulation of blockchain validator, or multiple machines on the intranet\n- Gaining control of essential backend super administrator privileges, potentially resulting in significant consequences, like widespread exposure of critical business information\n- Exploitation of staking rewards above 10 million and also cause financial loss\n\nHigh\n- Vulnerabilities that could disrupt Blockchain validator and its 
performances\n- SQL injection to system (backend loophole reports would be downrated, while submission in pack uprated if appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend password, and SSRF that obtains considerable sensitive information from the intranet\n- Unauthorized operation with fund, bypassing payment logic (successfully exploited)\n- Serious logical design and process loopholes, including but not limited to loopholes that allow random user login and mass modification of account password, as well as logical loopholes that compromise the company's key business, except for verification code blasting\n- Other vulnerabilities that can cause large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages\n- Substantial leakage of source codes\n- Indications of any insider trading or money laundering\n\nMedium\n- Vulnerabilities that affect users through interactions, including stored XSS on normal webpages and CSRF in core businesses.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logical loopholes in verification code that may make blasting through sensitive operations possible, such as random account login and random password retrieval\n- Leakage of locally-stored sensitive encryption data (with effective use)\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Subdomain takeover\n\nLow\n- Vulnerabilities that could affect OKC related nodes on stability or availability. 
\n- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service vulnerabilities on the client (caused by parsing of file formats and network protocols), and issues related to Android component access exposure and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing, etc.\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Normal CSRF\n- URL redirection vulnerabilities\n- SSRF with no echo nor successful use\n- Social media account takeover (for accounts found on community page, or within the header or footer sections of OKX)\n\nIDOR Vulnerabilities\n- Researchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\nBroken link reports\nOKX:\n- Broken links that cannot be exploited or do not present a security risk may be excluded, and the reward amount could be adjusted accordingly.\n- Only broken links related to OKX found on the community page, or within the header or footer sections of OKX, will be considered in scope. All other broken links are deemed out of scope.\n- Broken links or takeover of social media accounts found in Help/Support/Learn articles are out of scope. \n- Third party broken links found on articles or social media channels will be considered out of scope.\n\nOKCOIN:\n- Articles from the past month, as of the report submission date, are considered in scope. Any articles older than this will be deemed out of scope.\n\n------\n\nOUT OF SCOPE – WEB VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device\n- Previously known vulnerable libraries without a working Proof of Concept\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability\n- Missing best practices in SSL/TLS configuration\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. 
discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated\n- Wordpress related vulnerability\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without PoC that impacts business logic\n- Lack of obfuscation/binary protection/root(jailbreak) detection\n- Bypass certificate pinning on rooted devices\n- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in-app private directory\n- Runtime hacking exploits using tools like but not limited to Frida / Appmon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n\n------\n\n\nKnown issues\n==========\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-15T06:07:47.013Z"},{"id":3724356,"new_policy":"About OKG: \n=========\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\nResponse Targets:\n==============\nOKG will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering 
attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- Provide detailed but to-the-point reproduction steps\n- Please submit a working video proof of concept (PoC) upon request. Failure to provide a complete video PoC after we have asked for it may result in a reduction of the reward for the report. Additionally, all reports must be clearly written and straightforward. 
We reserve the right to reject any submissions that are vague or not directly to the point.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your HackerOne address (in case of violation, no bounty will be awarded)\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities in critical assets capable of causing substantial business disruptions or enabling unauthorized access to OKX funds, OKX web3 wallets with funds or private wallet keys.\n\nCritical\n- Vulnerabilities that might jeopardise the security of funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms.\n- Remote code execution on any OKT Chain\n- Manipulation of blockchain validator, or multiple machines on the intranet\n- Gaining control of essential backend super administrator privileges, potentially resulting in significant consequences, like widespread exposure of critical business information\n- Exploitation of staking rewards above 10 million and also cause financial loss\n\nHigh\n- Vulnerabilities that could disrupt Blockchain validator and its performances\n- SQL injection to system (backend loophole reports would be downrated, while submission in pack uprated if appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend password, and SSRF that obtains considerable sensitive information from the intranet\n- Unauthorized operation with fund, bypassing payment logic (successfully exploited)\n- Serious logical design and process loopholes, including but not limited to loopholes that allow random user login and mass modification of account password, as well as logical loopholes that compromise the company's key business, except for verification code blasting\n- Other vulnerabilities that can cause large-scale impact on users, including but not limited to self-propagating 
stored XSS on important webpages\n- Substantial leakage of source codes\n- Indications of any insider trading or money laundering\n\nMedium\n- Vulnerabilities that affect users through interactions, including stored XSS on normal webpages and CSRF in core businesses.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logical loopholes in verification code that may make blasting through sensitive operations possible, such as random account login and random password retrieval\n- Leakage of locally-stored sensitive encryption data (with effective use)\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Subdomain takeover\n\nLow\n- Vulnerabilities that could affect OKC related nodes on stability or availability. \n- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service vulnerabilities on the client (caused by parsing of file formats and network protocols), and issues related to Android component access exposure and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing, etc.\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Normal CSRF\n- URL redirection vulnerabilities\n- SSRF with no echo nor successful use\n- Social media account takeover (for accounts found on community page, or within the header or footer sections of OKX)\n\nBroken link reports\nOKX\n- Broken links that cannot be exploited or do not present a security risk may be excluded, and the reward amount could be adjusted accordingly.\n- Only broken links related to OKX found on the community page, or within the header or footer sections of OKX, will be considered in scope. 
All other broken links are deemed out of scope.\n- Broken links or takeover of social media accounts found in Help/Support/Learn articles are out of scope. \n- Third party broken links found on articles or social media channels will be considered out of scope.\nOKCoin\n- Articles from the past month, as of the report submission date, are considered in scope. Any articles older than this will be deemed out of scope.\n\nIDOR Vulnerabilities\n- Researchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\n------\n\n\nOUT OF SCOPE – WEB VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device\n- Previously known vulnerable libraries without a working Proof of Concept\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability\n- Missing best practices in SSL/TLS configuration\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- 
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated\n- Wordpress related vulnerability\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without PoC that impacts business logic\n- Lack of obfuscation/binary protection/root(jailbreak) detection\n- Bypass certificate pinning on rooted devices\n- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in-app private directory\n- Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with 
no security impact (Google Maps API keys etc.)\n\n------\n\n\nKnown issues\n==========\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-29T08:51:12.434Z"},{"id":3724010,"new_policy":"About OKG: \n=========\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\nResponse Targets:\n==============\nOKG will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. 
However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your hackerone address (in case of violation, no bounty will be awarded)\n- Provide detailed but to-the-point reproduction steps\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities in critical assets capable of causing substantial business disruptions or enabling unauthorized access to OKX funds, OKX web3 wallets with funds or private wallet keys.\n\nCritical\n- Vulnerabilities that might jeopardise the security of funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms.\n- Remote code execution on any OKT Chain\n- Manipulation of blockchain validator, or multiple machines on the intranet\n- Gaining control of essential backend super administrator privileges, potentially resulting in significant consequences, like widespread exposure of critical business information\n- Exploitation of staking rewards above 10 million and also cause financial loss\n\nHigh\n- Vulnerabilities that could disrupt Blockchain validator and its performances\n- SQL injection to system (backend loophole reports would be downrated, while submission in pack uprated if appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend password, and SSRF that obtains considerable sensitive information from the intranet\n- 
Unauthorized operation with fund, bypassing payment logic (successfully exploited)\n- Serious logical design and process loopholes, including but not limited to loopholes that allow random user login and mass modification of account password, as well as logical loopholes that compromise the company's key business, except for verification code blasting\n- Other vulnerabilities that can cause large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages, stored XSS that can obtain and successfully use administrator authentication information\n- Substantial leakage of source codes\n- Indications of any insider trading or money laundering\n\nMedium\n- Vulnerabilities that affect users through interactions, including stored XSS on normal webpages and CSRF in core businesses.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logical loopholes in verification code that may make blasting through sensitive operations possible, such as random account login and random password retrieval\n- Leakage of locally-stored sensitive encryption data (with effective use)\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Subdomain takeover\n\nLow\n- Vulnerabilities that could affect OKC related nodes on stability or availability. 
\n- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service vulnerabilities on the client (caused by parsing of file formats and network protocols), and issues related to Android component access exposure and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing, etc.\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Normal CSRF\n- URL redirection vulnerabilities\n- SSRF with no echo nor successful use\n- Social media account takeover (for accounts found on community page). \n\nBroken link reports\n- Broken links that cannot be exploited or do not present a security risk may be excluded, and the reward amount could be adjusted accordingly.\n- Only broken links related to OKX found on the community page or in the header/footer will be considered.\n- Broken links or takeover of social media accounts found in Help/Support/Learn articles are not eligible for bounties but are appreciated.\n\nIDOR Vulnerabilities\n- Researchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\n------\n\n\nOUT OF SCOPE – WEB VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy.\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. 
discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated.\n- Wordpress related vulnerability\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without PoC that impacts business logic\n- Lack of obfuscation/binary protection/root(jailbreak) detection\n- Bypass certificate pinning on rooted devices\n- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in-app private directory\n- Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n\n------\n\n\nKnown issues\n==========\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-23T01:02:24.527Z"},{"id":3719694,"new_policy":"About OKG: \n=========\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions. OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\nResponse Targets:\n==============\nOKG will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering 
attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your hackerone address (in case of violation, no bounty will be awarded)\n- Provide detailed but to-the-point reproduction steps\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities in critical assets capable of causing substantial business disruptions or enabling unauthorized access to OKX funds, OKX web3 wallets with funds or private wallet keys.\n\nCritical\n- Vulnerabilities that might jeopardise the security of 
funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms.\n- Remote code execution on any OKT Chain\n- Manipulation of blockchain validator, or multiple machines on the intranet\n- Gaining control of essential backend super administrator privileges, potentially resulting in significant consequences, like widespread exposure of critical business information\n- Exploitation of staking rewards above 10 million and also cause financial loss\n\nHigh\n- Vulnerabilities that could disrupt Blockchain validator and its performances\n- SQL injection to system (backend loophole reports would be downrated, while submission in pack uprated if appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend password, and SSRF that obtains considerable sensitive information from the intranet\n- Unauthorized operation with fund, bypassing payment logic (successfully exploited)\n- Serious logical design and process loopholes, including but not limited to loopholes that allow random user login and mass modification of account password, as well as logical loopholes that compromise the company's key business, except for verification code blasting\n- Other vulnerabilities that can cause large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages, stored XSS that can obtain and successfully use administrator authentication information\n- Substantial leakage of source codes\n- Indications of any insider trading or money laundering\n\nMedium\n- Vulnerabilities that affect users through interactions, including stored XSS on normal webpages and CSRF in core businesses.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logical loopholes in verification code that may make blasting through sensitive operations 
possible, such as logging in to arbitrary accounts or resetting arbitrary passwords\n- Leakage of locally-stored sensitive encryption data (with a demonstrated use)\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Subdomain takeover\n\nLow\n- Vulnerabilities that affect the stability or availability of OKC-related nodes\n- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service on the client (caused by parsing of file formats and network protocols), and issues related to exposed Android components and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Ordinary CSRF\n- URL redirection vulnerabilities\n- SSRF with no echo and no successful use\n- Social media account takeover (for accounts found on the community page)\n\nBroken link reports\n- Broken links that cannot be exploited or do not present a security risk may be excluded, and the reward amount could be adjusted accordingly.\n- Only broken links related to OKX found on the community page or in the header/footer will be considered.\n- Broken links or takeover of social media accounts found in Help/Support/Learn articles are not eligible for bounties but are appreciated.\n\n------\n\nOUT OF SCOPE – WEB VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n
- Reports from automated tools or scans\n- False-positive SQL injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database name or current user name\n- Spam vulnerabilities, mail spoofing, mail bombing, etc.\n- Self-XSS\n- Use of a known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device\n- Previously known vulnerable libraries without a working proof of concept\n- Comma-Separated Values (CSV) injection without demonstrating a vulnerability\n- Missing best practices in SSL/TLS configuration\n- Any activity that could lead to the disruption of our service (DoS)\n- Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities that only affect users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)\n- Public zero-day vulnerabilities that have had an official patch for less than 1 month are rewarded on a case-by-case basis\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n
- Best practice reports are not eligible for bounties but are appreciated.\n- WordPress-related vulnerabilities\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without a PoC that impacts business logic\n- Lack of obfuscation/binary protection/root (jailbreak) detection\n- Bypassing certificate pinning on rooted devices\n- Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in the binary\n- OAuth \u0026 app secrets hard-coded in or recoverable from the IPA/APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL schemes or Intents sent to an exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in the app's private directory\n- Runtime manipulation exploits using tools such as (but not limited to) Frida/AppMon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view opened URIs\n- Exposure of API keys with no security impact (Google Maps API keys, etc.)\n\nNotes about IDOR Vulnerabilities\nResearchers must be able to prove a feasible way for an attacker to obtain an ID; we will not accept reports where IDs are brute-forced.\n\n------\n\nKnown issues\n==========\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. Reported issues that are already known to us will be closed as duplicates.\n
We seek your kind cooperation in respecting our final decision and refraining from repeated negotiation once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-20T02:30:58.451Z"},{"id":3719693,"new_policy":"About OKG: \n=========\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions, including Mainland China, Hong Kong, the U.S., Europe, Singapore, and Japan. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\nResponse Targets:\n==============\nOKG will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automated vulnerability searching, which generate massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data and avoid any interruption or degradation of any service\n- Don’t access or modify other users’ data; confine all tests to your own accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- If you find chained vulnerabilities, we’ll pay only for the vulnerability with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackerOne team or an authorized employee of this company without appropriate permission\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\nNo vulnerability disclosure, including partial disclosure, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n
- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability.\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com.\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.\n- You must not be a former or current employee of ours or of one of our contractors.\n- Only use your HackerOne email address (in case of violation, no bounty will be awarded).\n- Provide detailed but to-the-point reproduction steps.\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities in critical assets capable of causing substantial business disruptions or enabling unauthorized access to OKX funds, OKX web3 wallets with funds, or private wallet keys.\n\nCritical\n- Vulnerabilities that might jeopardise the security of funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms.\n- Remote code execution on any OKT Chain\n- Manipulation of a blockchain validator, or of multiple machines on the intranet\n- Gaining control of essential backend super-administrator privileges, potentially resulting in significant consequences such as widespread exposure of critical business information\n- Exploitation of staking rewards above 10 million that also causes financial loss\n\nHigh\n- Vulnerabilities that could disrupt a blockchain validator or its performance\n- SQL injection into a system (reports of backend-only flaws are rated lower, while bundled submissions may be rated higher where appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend passwords, and SSRF that obtains considerable sensitive information from the intranet\n- Unauthorized operations with funds, bypassing payment logic (successfully exploited)\n
- Serious logic design and process flaws, including but not limited to flaws that allow login as arbitrary users and mass modification of account passwords, as well as logic flaws that compromise the company's key business, excluding verification code brute-forcing\n- Other vulnerabilities that can have a large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages and stored XSS that can obtain and successfully use administrator authentication information\n- Substantial leakage of source code\n- Indications of any insider trading or money laundering\n\nMedium\n- Vulnerabilities that affect users through interaction, including stored XSS on normal webpages and CSRF in core business functions.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logic flaws in verification codes that make brute-forcing sensitive operations possible, such as logging in to arbitrary accounts or resetting arbitrary passwords\n- Leakage of locally-stored sensitive encryption data (with a demonstrated use)\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Subdomain takeover\n\nLow\n- Vulnerabilities that affect the stability or availability of OKC-related nodes\n
- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service on the client (caused by parsing of file formats and network protocols), and issues related to exposed Android components and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Ordinary CSRF\n- URL redirection vulnerabilities\n- SSRF with no echo and no successful use\n- Social media account takeover (for accounts found on the community page)\n\nBroken link reports\n- Broken links that cannot be exploited or do not present a security risk may be excluded, and the reward amount could be adjusted accordingly.\n- Only broken links related to OKX found on the community page or in the header/footer will be considered.\n- Broken links or takeover of social media accounts found in Help/Support/Learn articles are not eligible for bounties but are appreciated.\n\n------\n\nOUT OF SCOPE – WEB VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n
- Reports from automated tools or scans\n- False-positive SQL injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database name or current user name\n- Spam vulnerabilities, mail spoofing, mail bombing, etc.\n- Self-XSS\n- Use of a known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device\n- Previously known vulnerable libraries without a working proof of concept\n- Comma-Separated Values (CSV) injection without demonstrating a vulnerability\n- Missing best practices in SSL/TLS configuration\n- Any activity that could lead to the disruption of our service (DoS)\n- Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities that only affect users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)\n- Public zero-day vulnerabilities that have had an official patch for less than 1 month are rewarded on a case-by-case basis\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n
- Best practice reports are not eligible for bounties but are appreciated.\n- WordPress-related vulnerabilities\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without a PoC that impacts business logic\n- Lack of obfuscation/binary protection/root (jailbreak) detection\n- Bypassing certificate pinning on rooted devices\n- Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in the binary\n- OAuth \u0026 app secrets hard-coded in or recoverable from the IPA/APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL schemes or Intents sent to an exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in the app's private directory\n- Runtime manipulation exploits using tools such as (but not limited to) Frida/AppMon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view opened URIs\n- Exposure of API keys with no security impact (Google Maps API keys, etc.)\n\nNotes about IDOR Vulnerabilities\nResearchers must be able to prove a feasible way for an attacker to obtain an ID; we will not accept reports where IDs are brute-forced.\n\n------\n\nKnown issues\n==========\nPlease note that the OKG Security Team also actively looks for vulnerabilities across all assets internally. Reported issues that are already known to us will be closed as duplicates.\n
We seek your kind cooperation in respecting our final decision and refraining from repeated negotiation once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKG and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-20T02:24:34.391Z"},{"id":3719692,"new_policy":"About OKG: \n=========\nOKG Technology Holdings Limited is a leading innovator in the blockchain sector, dedicated to the research, development, and commercial application of blockchain technology. Founded in 2013, the company has emerged as a global blockchain service provider with a presence in over 10 countries and regions, including Mainland China, Hong Kong, the U.S., Europe, Singapore, and Japan. 
OKG's commitment to innovation is evidenced by its state-of-the-art products.\n\nResponse Targets:\n==============\nOKG will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automated vulnerability searching, which generate massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data and avoid any interruption or degradation of any service\n- Don’t access or modify other users’ data; confine all tests to your own accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- If you find chained vulnerabilities, we’ll pay only for the vulnerability with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackerOne team or an authorized employee of this company without appropriate permission\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\nNo vulnerability disclosure, including partial disclosure, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n
- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability.\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com.\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.\n- You must not be a former or current employee of ours or of one of our contractors.\n- Only use your HackerOne email address (in case of violation, no bounty will be awarded).\n- Provide detailed but to-the-point reproduction steps.\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities in critical assets capable of causing substantial business disruptions or enabling unauthorized access to OKX wallets with funds, or private wallet keys.\n\nCritical\n- Vulnerabilities that might jeopardise the security of funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms.\n- Remote code execution on any OKT Chain\n- Manipulation of a blockchain validator, or of multiple machines on the intranet\n- Gaining control of essential backend super-administrator privileges, potentially resulting in significant consequences such as widespread exposure of critical business information\n- Exploitation of staking rewards above 10 million that also causes financial loss\n\nHigh\n- Vulnerabilities that could disrupt a blockchain validator or its performance\n- SQL injection into a system (reports of backend-only flaws are rated lower, while bundled submissions may be rated higher where appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend passwords, and SSRF that obtains considerable sensitive information from the intranet\n- Unauthorized operations with funds, bypassing payment logic (successfully exploited)\n
- Serious logic design and process flaws, including but not limited to flaws that allow login as arbitrary users and mass modification of account passwords, as well as logic flaws that compromise the company's key business, excluding verification code brute-forcing\n- Other vulnerabilities that can have a large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages and stored XSS that can obtain and successfully use administrator authentication information\n- Substantial leakage of source code\n- Indications of any insider trading or money laundering\n\nMedium\n- Vulnerabilities that affect users through interaction, including stored XSS on normal webpages and CSRF in core business functions.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logic flaws in verification codes that make brute-forcing sensitive operations possible, such as logging in to arbitrary accounts or resetting arbitrary passwords\n- Leakage of locally-stored sensitive encryption data (with a demonstrated use)\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Subdomain takeover\n\nLow\n- Vulnerabilities that affect the stability or availability of OKC-related nodes\n
- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service on the client (caused by parsing of file formats and network protocols), and issues related to exposed Android components and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Ordinary CSRF\n- URL redirection vulnerabilities\n- SSRF with no echo and no successful use\n- Social media account takeover (for accounts found on the community page)\n\nBroken link reports\n- Broken links that cannot be exploited or do not present a security risk may be excluded, and the reward amount could be adjusted accordingly.\n- Only broken links related to OKX found on the community page or in the header/footer will be considered.\n- Broken links or takeover of social media accounts found in Help/Support/Learn articles are not eligible for bounties but are appreciated.\n\n------\n\nOUT OF SCOPE – WEB VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n
- Reports from automated tools or scans\n- False-positive SQL injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database name or current user name\n- Spam vulnerabilities, mail spoofing, mail bombing, etc.\n- Self-XSS\n- Use of a known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device\n- Previously known vulnerable libraries without a working proof of concept\n- Comma-Separated Values (CSV) injection without demonstrating a vulnerability\n- Missing best practices in SSL/TLS configuration\n- Any activity that could lead to the disruption of our service (DoS)\n- Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities that only affect users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)\n- Public zero-day vulnerabilities that have had an official patch for less than 1 month are rewarded on a case-by-case basis\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n
- Best practice reports are not eligible for bounties but are appreciated.\n- WordPress-related vulnerabilities\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without a PoC that impacts business logic\n- Lack of obfuscation/binary protection/root (jailbreak) detection\n- Bypassing certificate pinning on rooted devices\n- Lack of exploit mitigations, e.g. PIE, ARC, or stack canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in the binary\n- OAuth \u0026 app secrets hard-coded in or recoverable from the IPA/APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL schemes or Intents sent to an exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in the app's private directory\n- Runtime manipulation exploits using tools such as (but not limited to) Frida/AppMon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view opened URIs\n- Exposure of API keys with no security impact (Google Maps API keys, etc.)\n\nNotes about IDOR Vulnerabilities\nResearchers must be able to prove a feasible way for an attacker to obtain an ID; we will not accept reports where IDs are brute-forced.\n\n------\n\nKnown issues\n==========\nPlease note that the OKX Security Team also actively looks for vulnerabilities across all assets internally. Reported issues that are already known to us will be closed as duplicates.\n
We seek your kind cooperation in respecting our final decision and refraining from repeated negotiation once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKX and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-20T02:03:35.463Z"},{"id":3710809,"new_policy":"About OKX: \n=========\nFounded in 2017, OKX is one of the world’s leading cryptocurrency spot and derivatives exchanges. OKX innovatively adopted blockchain technology to reshape the financial ecosystem by offering some of the most diverse and sophisticated products, solutions, and trading tools on the market. Trusted by more than 20 million users in over 180 regions globally, OKX strives to provide an engaging platform that empowers every individual to explore the world of crypto. \n\nIn addition to its world-class DeFi exchange, OKX serves its users with OKX Insights, a research arm that is at the cutting edge of the latest trends in the cryptocurrency industry. 
With its extensive range of crypto products and services, and unwavering commitment to innovation, OKX’s vision is a world of financial access backed by blockchain and the power of decentralized finance.\n\nResponse Targets:\n==============\nOKX will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automated vulnerability searching, which generate massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data and avoid any interruption or degradation of any service\n- Don’t access or modify other users’ data; confine all tests to your own accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- If you find chained vulnerabilities, we’ll pay only for the vulnerability with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackerOne team or an authorized employee of this company without appropriate permission\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\nNo vulnerability disclosure, including partial disclosure, is allowed for the moment.\nPlease do not publish/discuss bugs.\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n
- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability.\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com.\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.\n- You must not be a former or current employee of ours or of one of our contractors.\n- Only use your HackerOne email address (in case of violation, no bounty will be awarded).\n- Provide detailed but to-the-point reproduction steps.\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities in essential assets that could result in significant business disruption or unauthorized access to OKX wallets, funds, or wallet private keys.\n\nCritical\n- Vulnerabilities that might jeopardise the security of funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms.\n- Remote code execution on any OKT Chain\n- Manipulation of a blockchain validator, or of multiple machines on the intranet\n- Gaining control of essential backend super-administrator privileges, potentially resulting in significant consequences such as widespread exposure of critical business information\n- Exploitation of staking rewards above 10 million that also causes financial loss\n\nHigh\n- Vulnerabilities that could disrupt a blockchain validator or its performance\n- SQL injection into a system (reports of backend-only flaws are rated lower, while bundled submissions may be rated higher where appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend passwords, and SSRF that obtains considerable sensitive information from the intranet\n- Unauthorized operations with funds, bypassing payment logic (successfully exploited)\n
- Serious logic design and process flaws, including but not limited to flaws that allow login as arbitrary users and mass modification of account passwords, as well as logic flaws that compromise the company's key business, excluding verification code brute-forcing\n- Other vulnerabilities that can have a large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages and stored XSS that can obtain and successfully use administrator authentication information\n- Substantial leakage of source code\n- Indications of any insider trading or money laundering\n\nMedium\n- Vulnerabilities that affect users through interaction, including stored XSS on normal webpages and CSRF in core business functions.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logic flaws in verification codes that make brute-forcing sensitive operations possible, such as logging in to arbitrary accounts or resetting arbitrary passwords\n- Leakage of locally-stored sensitive encryption data (with a demonstrated use)\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Subdomain takeover\n\nLow\n- Vulnerabilities that affect the stability or availability of OKC-related nodes\n
- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service on the client (caused by parsing of file formats and network protocols), and issues related to exposed Android components and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Ordinary CSRF\n- URL redirection vulnerabilities\n- SSRF with no echo and no successful use\n- Social media account takeover (for accounts found on the community page)\n\nBroken link reports\n- Broken links that cannot be exploited or do not present a security risk may be excluded, and the reward amount could be adjusted accordingly.\n- Only broken links related to OKX found on the community page or in the header/footer will be considered.\n- Broken links or takeover of social media accounts found in Help/Support/Learn articles are not eligible for bounties but are appreciated.\n\n------\n\nOUT OF SCOPE – WEB VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n
- Reports from automated tools or scans\n- False-positive SQL injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database name or current user name\n- Spam vulnerabilities, mail spoofing, mail bombing, etc.\n- Self-XSS\n- Use of a known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device\n- Previously known vulnerable libraries without a working proof of concept\n- Comma-Separated Values (CSV) injection without demonstrating a vulnerability\n- Missing best practices in SSL/TLS configuration\n- Any activity that could lead to the disruption of our service (DoS)\n- Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities that only affect users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)\n- Public zero-day vulnerabilities that have had an official patch for less than 1 month are rewarded on a case-by-case basis\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. 
discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated.\n- Wordpress related vulnerability\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without PoC that impacts business logic\n- Lack of obfuscation/binary protection/root(jailbreak) detection\n- Bypass certificate pinning on rooted devices\n- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in-app private directory\n- Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n\nNotes about IDOR Vulnerabilities\nResearchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\n------\n\nKnown issues\n==========\nPlease note that the OKX Security Team also actively looks for vulnerabilities across all assets internally. 
For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKX and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-16T07:21:07.232Z"},{"id":3707447,"new_policy":"About OKX: \n=========\nFounded in 2017, OKX is one of the world’s leading cryptocurrency spot and derivatives exchanges. OKX innovatively adopted blockchain technology to reshape the financial ecosystem by offering some of the most diverse and sophisticated products, solutions, and trading tools on the market. Trusted by more than 20 million users in over 180 regions globally, OKX strives to provide an engaging platform that empowers every individual to explore the world of crypto. \n\nIn addition to its world-class DeFi exchange, OKX serves its users with OKX Insights, a research arm that is at the cutting edge of the latest trends in the cryptocurrency industry. 
With its extensive range of crypto products and services, and unwavering commitment to innovation, OKX’s vision is a world of financial access backed by blockchain and the power of decentralized finance.\n\nResponse Targets:\n==============\nOKX will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs\n\nEligibility and Coordinated 
Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your hackerone address (in case of violation, no bounty will be awarded)\n- Provide detailed but to-the-point reproduction steps\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities in essential assets that have the potential to result in significant business disturbances or unauthorized entry to OKX wallets, funds, or private keys of wallets.\n\nCritical\n- Vulnerabilities that might jeopardise the security of funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms.\n- Remote code execution on any OKT Chain\n- Manipulation of blockchain validator, or multiple machines on the intranet\n- Gaining control of essential backend super administrator privileges, potentially resulting in significant consequences, like widespread exposure of critical business information\n- Exploitation of staking rewards above 10 million and also cause financial loss\n\nHigh\n- Vulnerabilities that could disrupt Blockchain validator and its performances\n- SQL injection to system (backend loophole reports would be downrated, while submission in pack uprated if appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing 
authentication to access the backend, weak backend password, and SSRF that obtains considerable sensitive information from the intranet\n- Unauthorized operation with fund, bypassing payment logic (successfully exploited)\n- Serious logical design and process loopholes, including but not limited to loopholes that allow random user login and mass modification of account password, as well as logical loopholes that compromise the company's key business, except for verification code blasting\n- Other vulnerabilities that can cause large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages, stored XSS that can obtain and successfully use administrator authentication information\n- Substantial leakage of source codes\n- Indications of any insider trading or money laundering\n\nMedium\n- Vulnerabilities that affect users through interactions, including stored XSS on normal webpages and CSRF in core businesses.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logical loopholes in verification code that may make blasting through sensitive operations possible, such as random account login and random password retrieval\n- Leakage of locally-stored sensitive encryption data (with effective use)\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Subdomain takeover\n\nLow\n- Vulnerabilities that could affect OKC related nodes on stability or availability. 
\n- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service vulnerabilities on the client (caused by parsing of file formats and network protocols), and issues related to Android component access exposure and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing, etc.\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Normal CSRF\n- URL redirection vulnerabilities\n- SSRF with no echo nor successful use\n- Social media account takeover\n\nBroken link reports\n- Broken links that cannot be taken over or do not pose a security risk may not be included, or the reward amount may be reduced. \n- Only OKX related broken links will be accepted. \n\n------\n\nOUT OF SCOPE – WEB VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without 
being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy.\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated.\n- Wordpress related vulnerability\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without PoC that impacts business logic\n- Lack of obfuscation/binary protection/root(jailbreak) detection\n- Bypass certificate pinning on rooted devices\n- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in-app private directory\n- Runtime hacking exploits using tools like but not limited to Frida/ Appmon 
(exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n\nNotes about IDOR Vulnerabilities\nResearchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\n------\n\nKnown issues\n==========\nPlease note that the OKX Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKX and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-23T02:22:39.684Z"},{"id":3707446,"new_policy":"About OKX: \n=========\nFounded in 2017, OKX is one of the world’s leading cryptocurrency spot and derivatives exchanges. OKX innovatively adopted blockchain technology to reshape the financial ecosystem by offering some of the most diverse and sophisticated products, solutions, and trading tools on the market. 
Trusted by more than 20 million users in over 180 regions globally, OKX strives to provide an engaging platform that empowers every individual to explore the world of crypto. \n\nIn addition to its world-class DeFi exchange, OKX serves its users with OKX Insights, a research arm that is at the cutting edge of the latest trends in the cryptocurrency industry. With its extensive range of crypto products and services, and unwavering commitment to innovation, OKX’s vision is a world of financial access backed by blockchain and the power of decentralized finance.\n\nResponse Targets:\n==============\nOKX will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n\nDisclosure 
Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your hackerone address (in case of violation, no bounty will be awarded)\n- Provide detailed but to-the-point reproduction steps\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities in essential assets that have the potential to result in significant business disturbances or unauthorized entry to OKX wallets, funds, or private keys of wallets.\n\nCritical\n- Vulnerabilities that might jeopardise the security of funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms.\n- Remote code execution on any OKT Chain\n- Manipulation of blockchain validator, or multiple machines on the intranet\n- Gaining control of essential backend super administrator privileges, potentially resulting in significant consequences, like widespread exposure of critical business information\n- Exploitation of staking 
rewards above 10 million and also cause financial loss\n\nHigh\n- Vulnerabilities that could disrupt Blockchain validator and its performances\n- SQL injection to system (backend loophole reports would be downrated, while submission in pack uprated if appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend password, and SSRF that obtains considerable sensitive information from the intranet\n- Unauthorized operation with fund, bypassing payment logic (successfully exploited)\n- Serious logical design and process loopholes, including but not limited to loopholes that allow random user login and mass modification of account password, as well as logical loopholes that compromise the company's key business, except for verification code blasting\n- Other vulnerabilities that can cause large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages, stored XSS that can obtain and successfully use administrator authentication information\n- Substantial leakage of source codes\n- Indications of any insider trading or money laundering\n\nMedium\n- Vulnerabilities that affect users through interactions, including stored XSS on normal webpages and CSRF in core businesses.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logical loopholes in verification code that may make blasting through sensitive operations possible, such as random account login and random password retrieval\n- Leakage of locally-stored sensitive encryption data (with effective use)\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Subdomain takeover\n\nLow\n- Vulnerabilities that could affect OKC related nodes on stability or availability. 
\n- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service vulnerabilities on the client (caused by parsing of file formats and network protocols), and issues related to Android component access exposure and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing, etc.\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Normal CSRF\n- URL redirection vulnerabilities\n- SSRF with no echo nor successful use\n- Social media account takeover\n\nBroken link reports\n- Broken links that cannot be taken over or do not pose a security risk may not be included, or the reward amount may be reduced. \n\n------\n\nOUT OF SCOPE – WEB VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Rate limiting or 
brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy.\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated.\n- Wordpress related vulnerability\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without PoC that impacts business logic\n- Lack of obfuscation/binary protection/root(jailbreak) detection\n- Bypass certificate pinning on rooted devices\n- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in-app private directory\n- Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)\n- 
Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n\nNotes about IDOR Vulnerabilities\nResearchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\n------\n\nKnown issues\n==========\nPlease note that the OKX Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKX and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-23T02:22:14.390Z"},{"id":3706179,"new_policy":"About OKX: \n=========\nFounded in 2017, OKX is one of the world’s leading cryptocurrency spot and derivatives exchanges. OKX innovatively adopted blockchain technology to reshape the financial ecosystem by offering some of the most diverse and sophisticated products, solutions, and trading tools on the market. 
Trusted by more than 20 million users in over 180 regions globally, OKX strives to provide an engaging platform that empowers every individual to explore the world of crypto. \n\nIn addition to its world-class DeFi exchange, OKX serves its users with OKX Insights, a research arm that is at the cutting edge of the latest trends in the cryptocurrency industry. With its extensive range of crypto products and services, and unwavering commitment to innovation, OKX’s vision is a world of financial access backed by blockchain and the power of decentralized finance.\n\nResponse Targets:\n==============\nOKX will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n\nDisclosure 
Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your hackerone address (in case of violation, no bounty will be awarded)\n- Provide detailed but to-the-point reproduction steps\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities in essential assets that have the potential to result in significant business disturbances or unauthorized entry to OKX wallets, funds, or private keys of wallets.\n\nCritical\n- Vulnerabilities that might jeopardise the security of funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms.\n- Remote code execution on any OKT Chain\n- Manipulation of blockchain validator, or multiple machines on the intranet\n- Gaining control of essential backend super administrator privileges, potentially resulting in significant consequences, like widespread exposure of critical business information\n- Exploitation of staking 
rewards above 10 million that also causes financial loss\n\nHigh\n- Vulnerabilities that could disrupt a blockchain validator or its performance\n- SQL injection into a system (backend loophole reports will be downrated, while submissions in a pack will be uprated if appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend passwords, and SSRF that obtains considerable sensitive information from the intranet\n- Unauthorized operations with funds, bypassing payment logic (successfully exploited)\n- Serious logical design and process loopholes, including but not limited to loopholes that allow random user login and mass modification of account passwords, as well as logical loopholes that compromise the company's key business, except for verification code blasting\n- Other vulnerabilities that can cause large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages, stored XSS that can obtain and successfully use administrator authentication information\n- Substantial leakage of source code\n- Indications of any insider trading or money laundering\n\nMedium\n- Vulnerabilities that affect users through interactions, including stored XSS on normal webpages and CSRF in core businesses.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logical loopholes in verification code that may make blasting through sensitive operations possible, such as random account login and random password retrieval\n- Leakage of locally-stored sensitive encryption data (with effective use)\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Subdomain takeover\n\nLow\n- Vulnerabilities that could affect the stability or availability of OKC-related nodes. 
\n- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service vulnerabilities on the client (caused by parsing of file formats and network protocols), and issues related to Android component access exposure and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing, etc.\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Normal CSRF\n- URL redirection vulnerabilities\n- SSRF with no echo nor successful use\n- Social media account takeover\n\nBroken link reports\n- Broken links that cannot be taken over or do not pose a security risk may not be included, or the reward amount may be reduced. ($50)\n\n------\n\nOUT OF SCOPE – WEB VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Rate limiting or 
brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy.\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities that only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated.\n- WordPress-related vulnerabilities\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without a PoC that impacts business logic\n- Lack of obfuscation/binary protection/root (jailbreak) detection\n- Bypassing certificate pinning on rooted devices\n- Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in the binary\n- OAuth \u0026 app secret hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in the app's private directory\n- Runtime hacking exploits using tools like but not limited to Frida/Appmon (exploits only possible in a jailbroken environment)\n- 
Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n\nNotes about IDOR Vulnerabilities\nResearchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\n------\n\nKnown issues\n==========\nPlease note that the OKX Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKX and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-31T07:25:23.120Z"},{"id":3705684,"new_policy":"About OKX: \n=========\nFounded in 2017, OKX is one of the world’s leading cryptocurrency spot and derivatives exchanges. OKX innovatively adopted blockchain technology to reshape the financial ecosystem by offering some of the most diverse and sophisticated products, solutions, and trading tools on the market. 
Trusted by more than 20 million users in over 180 regions globally, OKX strives to provide an engaging platform that empowers every individual to explore the world of crypto. \n\nIn addition to its world-class DeFi exchange, OKX serves its users with OKX Insights, a research arm that is at the cutting edge of the latest trends in the cryptocurrency industry. With its extensive range of crypto products and services, and unwavering commitment to innovation, OKX’s vision is a world of financial access backed by blockchain and the power of decentralized finance.\n\nResponse Targets:\n==============\nOKX will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n\nDisclosure 
Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your hackerone address (in case of violation, no bounty will be awarded)\n- Provide detailed but to-the-point reproduction steps\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities in essential assets that have the potential to result in significant business disturbances or unauthorized entry to OKX wallets, funds, or private keys of wallets.\n\nCritical\n- Vulnerabilities that might jeopardise the security of funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms.\n- Remote code execution on any OKT Chain\n- Manipulation of blockchain validator, or multiple machines on the intranet\n- Gaining control of essential backend super administrator privileges, potentially resulting in significant consequences, like widespread exposure of critical business information\n- Exploitation of staking 
rewards above 10 million that also causes financial loss\n\nHigh\n- Vulnerabilities that could disrupt a blockchain validator or its performance\n- SQL injection into a system (backend loophole reports will be downrated, while submissions in a pack will be uprated if appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend passwords, and SSRF that obtains considerable sensitive information from the intranet\n- Unauthorized operations with funds, bypassing payment logic (successfully exploited)\n- Serious logical design and process loopholes, including but not limited to loopholes that allow random user login and mass modification of account passwords, as well as logical loopholes that compromise the company's key business, except for verification code blasting\n- Other vulnerabilities that can cause large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages, stored XSS that can obtain and successfully use administrator authentication information\n- Substantial leakage of source code\n- Indications of any insider trading or money laundering\n\nMedium\n- Vulnerabilities that affect users through interactions, including stored XSS on normal webpages and CSRF in core businesses.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logical loopholes in verification code that may make blasting through sensitive operations possible, such as random account login and random password retrieval\n- Leakage of locally-stored sensitive encryption data (with effective use)\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Subdomain takeover\n\nLow\n- Vulnerabilities that could affect the stability or availability of OKC-related nodes. 
\n- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service vulnerabilities on the client (caused by parsing of file formats and network protocols), and issues related to Android component access exposure and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing, etc.\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Normal CSRF\n- URL redirection vulnerabilities\n- SSRF with no echo nor successful use\n- Social media account takeover\n\nBroken link reports\n- Broken links that cannot be taken over or do not pose a security risk may not be included, or the reward amount may be reduced. ($10-50)\n\n------\n\nOUT OF SCOPE – WEB VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Rate limiting 
or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy.\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities that only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated.\n- WordPress-related vulnerabilities\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without a PoC that impacts business logic\n- Lack of obfuscation/binary protection/root (jailbreak) detection\n- Bypassing certificate pinning on rooted devices\n- Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in the binary\n- OAuth \u0026 app secret hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in the app's private directory\n- Runtime hacking exploits using tools like but not limited to Frida/Appmon (exploits only possible in a jailbroken 
environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n\nNotes about IDOR Vulnerabilities\nResearchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\n------\n\nKnown issues\n==========\nPlease note that the OKX Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n==========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKX and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-24T09:39:38.500Z"},{"id":3705501,"new_policy":"About OKX: \n=========\nFounded in 2017, OKX is one of the world’s leading cryptocurrency spot and derivatives exchanges. OKX innovatively adopted blockchain technology to reshape the financial ecosystem by offering some of the most diverse and sophisticated products, solutions, and trading tools on the market. 
Trusted by more than 20 million users in over 180 regions globally, OKX strives to provide an engaging platform that empowers every individual to explore the world of crypto. \n\nIn addition to its world-class DeFi exchange, OKX serves its users with OKX Insights, a research arm that is at the cutting edge of the latest trends in the cryptocurrency industry. With its extensive range of crypto products and services, and unwavering commitment to innovation, OKX’s vision is a world of financial access backed by blockchain and the power of decentralized finance.\n\nResponse Targets:\n==============\nOKX will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n\nDisclosure 
Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your hackerone address (in case of violation, no bounty will be awarded)\n- Provide detailed but to-the-point reproduction steps\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities in essential assets that have the potential to result in significant business disturbances or unauthorized entry to OKX wallets, funds, or private keys of wallets.\n\nCritical\n- Vulnerabilities that might jeopardise the security of funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms.\n- Remote code execution on any OKT Chain\n- Manipulation of blockchain validator, or multiple machines on the intranet\n- Gaining control of essential backend super administrator privileges, potentially resulting in significant consequences, like widespread exposure of critical business information\n- Exploitation of staking 
rewards above 10 million that also causes financial loss\n\nHigh\n- Vulnerabilities that could disrupt a blockchain validator or its performance\n- SQL injection into a system (backend loophole reports will be downrated, while submissions in a pack will be uprated if appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend passwords, and SSRF that obtains considerable sensitive information from the intranet\n- Unauthorized operations with funds, bypassing payment logic (successfully exploited)\n- Serious logical design and process loopholes, including but not limited to loopholes that allow random user login and mass modification of account passwords, as well as logical loopholes that compromise the company's key business, except for verification code blasting\n- Other vulnerabilities that can cause large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages, stored XSS that can obtain and successfully use administrator authentication information\n- Substantial leakage of source code\n- Indications of any insider trading or money laundering\n\nMedium\n- Vulnerabilities that affect users through interactions, including stored XSS on normal webpages and CSRF in core businesses.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logical loopholes in verification code that may make blasting through sensitive operations possible, such as random account login and random password retrieval\n- Leakage of locally-stored sensitive encryption data (with effective use)\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Subdomain takeover\n\nLow\n- Vulnerabilities that could affect the stability or availability of OKC-related nodes. 
\n- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service vulnerabilities on the client (caused by parsing of file formats and network protocols), and issues related to Android component access exposure and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing, etc.\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Normal CSRF\n- URL redirection vulnerabilities\n- SSRF with no echo nor successful use\n- Social media account takeover\n\n------\n\nOUT OF SCOPE – WEB VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy.\n- Missing HttpOnly or Secure flags on cookies\n- 
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities that only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated.\n- WordPress-related vulnerabilities\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without a PoC that impacts business logic\n- Lack of obfuscation/binary protection/root (jailbreak) detection\n- Bypassing certificate pinning on rooted devices\n- Lack of exploit mitigations, i.e., PIE, ARC, or stack canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in the binary\n- OAuth \u0026 app secret hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n- Any kind of sensitive data stored in the app's private directory\n- Runtime hacking exploits using tools like but not limited to Frida/Appmon (exploits only possible in a jailbroken environment)\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys 
with no security impact (Google Maps API keys etc.)\n\nNotes about IDOR Vulnerabilities\nResearchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\n------\n\nKnown issues\n==========\nPlease note that the OKX Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n=========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKX and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-20T08:28:41.374Z"},{"id":3700700,"new_policy":"About OKX: \n=========\nFounded in 2017, OKX is one of the world’s leading cryptocurrency spot and derivatives exchanges. OKX innovatively adopted blockchain technology to reshape the financial ecosystem by offering some of the most diverse and sophisticated products, solutions, and trading tools on the market. Trusted by more than 20 million users in over 180 regions globally, OKX strives to provide an engaging platform that empowers every individual to explore the world of crypto. 
\n\nIn addition to its world-class DeFi exchange, OKX serves its users with OKX Insights, a research arm that is at the cutting edge of the latest trends in the cryptocurrency industry. With its extensive range of crypto products and services, and unwavering commitment to innovation, OKX’s vision is a world of financial access backed by blockchain and the power of decentralized finance.\n\nResponse Targets:\n==============\nOKX will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from 
the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your hackerone address (in case of violation, no bounty will be awarded)\n- Provide detailed but to-the-point reproduction steps\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities in essential assets that have the potential to result in significant business disturbances or unauthorized entry to OKX wallets, funds, or private keys of wallets.\n\nCritical\n- Vulnerabilities that might jeopardise the security of funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms.\n- Remote code execution on any OKT Chain\n- Manipulation of blockchain validator, or multiple machines on the intranet\n- Gaining control of essential backend super administrator privileges, potentially resulting in significant consequences, like widespread exposure of critical business information\n- Exploitation of staking rewards above 10 million and also cause financial loss\n\nHigh\n- Vulnerabilities that could disrupt Blockchain validator and its performances\n- SQL injection to system (backend loophole reports 
would be downrated, while submission in pack uprated if appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend password, and SSRF that obtains considerable sensitive information from the intranet\n- Unauthorized operation with fund, bypassing payment logic (successfully exploited)\n- Serious logical design and process loopholes, including but not limited to loopholes that allow random user login and mass modification of account password, as well as logical loopholes that compromise the company's key business, except for verification code blasting\n- Other vulnerabilities that can cause large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages, stored XSS that can obtain and successfully use administrator authentication information\n- Substantial leakage of source codes\n- Indications of any insider trading or money laundering\n\nMedium\n- Vulnerabilities that affect users through interactions, including stored XSS on normal webpages and CSRF in core businesses.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logical loopholes in verification code that may make blasting through sensitive operations possible, such as random account login and random password retrieval\n- Leakage of locally-stored sensitive encryption data (with effective use)\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Subdomain takeover\n\nLow\n- Vulnerabilities that could affect OKC related nodes on stability or availability. 
\n- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service vulnerabilities on the client (caused by parsing of file formats and network protocols), and issues related to Android component access exposure and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing, etc.\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Normal CSRF\n- URL redirection vulnerabilities\n- SSRF with no echo nor successful use\n- Social media account takeover\n\n------\n\nOUT OF SCOPE – WEB VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy.\n- Missing HttpOnly or Secure flags on cookies\n- 
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated.\n- Wordpress related vulnerability\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without PoC that impacts business logic\n- Lack of obfuscation/binary protection/root(jailbreak) detection\n- Bypass certificate pinning on rooted devices\n- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n- (exploiting these for sensitive data leakage is commonly in scope)\n- Any kind of sensitive data stored in-app private directory\n- Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a\n- Jailbroken environment\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a 
malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n\nNotes about IDOR Vulnerabilities\nResearchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\n------\n\nKnown issues\n==========\nPlease note that the OKX Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n=========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKX and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-31T08:30:46.858Z"},{"id":3700699,"new_policy":"About OKX: \n=========\nFounded in 2017, OKX is one of the world’s leading cryptocurrency spot and derivatives exchanges. OKX innovatively adopted blockchain technology to reshape the financial ecosystem by offering some of the most diverse and sophisticated products, solutions, and trading tools on the market. Trusted by more than 20 million users in over 180 regions globally, OKX strives to provide an engaging platform that empowers every individual to explore the world of crypto. 
\n\nIn addition to its world-class DeFi exchange, OKX serves its users with OKX Insights, a research arm that is at the cutting edge of the latest trends in the cryptocurrency industry. With its extensive range of crypto products and services, and unwavering commitment to innovation, OKX’s vision is a world of financial access backed by blockchain and the power of decentralized finance.\n\nResponse Targets:\n==============\nOKX will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from 
the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your hackerone address (in case of violation, no bounty will be awarded)\n- Provide detailed but to-the-point reproduction steps\n\n------\n  \nVulnerability Classification\n=============================\nExtreme\n- Vulnerabilities in essential assets that have the potential to result in significant business disturbances or unauthorized entry to OKX wallets, funds, or private keys of wallets.\n\nCritical\n- Vulnerabilities that might jeopardise the security of funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms.\n- Remote code execution on any OKC Chain\n- Manipulation of blockchain validator, or multiple machines on the intranet\n- Gaining control of essential backend super administrator privileges, potentially resulting in significant consequences, like widespread exposure of critical business information\n- Exploitation of staking rewards above 10 million and also cause financial loss\n\nHigh\n- Vulnerabilities that could disrupt Blockchain validator and its performances\n- SQL injection to system (backend loophole reports 
would be downrated, while submission in pack uprated if appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend password, and SSRF that obtains considerable sensitive information from the intranet\n- Unauthorized operation with fund, bypassing payment logic (successfully exploited)\n- Serious logical design and process loopholes, including but not limited to loopholes that allow random user login and mass modification of account password, as well as logical loopholes that compromise the company's key business, except for verification code blasting\n- Other vulnerabilities that can cause large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages, stored XSS that can obtain and successfully use administrator authentication information\n- Substantial leakage of source codes\n- Indications of any insider trading or money laundering\n\nMedium\n- Vulnerabilities that affect users through interactions, including stored XSS on normal webpages and CSRF in core businesses.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logical loopholes in verification code that may make blasting through sensitive operations possible, such as random account login and random password retrieval\n- Leakage of locally-stored sensitive encryption data (with effective use)\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Subdomain takeover\n\nLow\n- Vulnerabilities that could affect OKC related nodes on stability or availability. 
\n- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service vulnerabilities on the client (caused by parsing of file formats and network protocols), and issues related to Android component access exposure and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing, etc.\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Normal CSRF\n- URL redirection vulnerabilities\n- SSRF with no echo nor successful use\n- Social media account takeover\n\n------\n\nOUT OF SCOPE – WEB VULNERABILITIES\n==================================\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n  - To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy.\n- Missing HttpOnly or Secure flags on cookies\n- 
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n- Tabnabbing\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated.\n- Wordpress related vulnerability\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without PoC that impacts business logic\n- Lack of obfuscation/binary protection/root(jailbreak) detection\n- Bypass certificate pinning on rooted devices\n- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n- (exploiting these for sensitive data leakage is commonly in scope)\n- Any kind of sensitive data stored in-app private directory\n- Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a\n- Jailbroken environment\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a 
malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n\nNotes about IDOR Vulnerabilities\nResearchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\n------\n\nKnown issues\n==========\nPlease note that the OKX Security Team also actively looks for vulnerabilities across all assets internally. For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n=========\nAny activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKX and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-31T08:26:12.061Z"},{"id":3684696,"new_policy":"About OKX: \n=========\nFounded in 2017, OKX is one of the world’s leading cryptocurrency spot and derivatives exchanges. OKX innovatively adopted blockchain technology to reshape the financial ecosystem by offering some of the most diverse and sophisticated products, solutions, and trading tools on the market. Trusted by more than 20 million users in over 180 regions globally, OKX strives to provide an engaging platform that empowers every individual to explore the world of crypto. 
\n\nIn addition to its world-class DeFi exchange, OKX serves its users with OKX Insights, a research arm that is at the cutting edge of the latest trends in the cryptocurrency industry. With its extensive range of crypto products and services, and unwavering commitment to innovation, OKX’s vision is a world of financial access backed by blockchain and the power of decentralized finance.\n\nResponse Targets:\n==============\nOKX will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 3 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\nProgram Rules:\n==============\n- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic\n- Make every effort not to damage or restrict the availability of products, services, or infrastructure\n- Avoid compromising any personal data, interruption, or degradation of any service\n- Don’t access or modify other user data, localize all tests to your accounts\n- Perform testing only within the scope\n- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam\n- Don’t spam forms or account creation flows using automated scanners\n- In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.\n- Don’t break any law and stay within the defined scope\n- Any details of found vulnerabilities must not be communicated to anyone who is not a HackerOne Team or an authorized employee of this Company without appropriate permission\n\nDisclosure Guidelines:\n=================\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from 
the organization\nNo vulnerability disclosure, including partial, is allowed for the moment.\nPlease do not publish/discuss bugs\n\nEligibility and Coordinated Disclosure:\n=============================\nWe are happy to thank everyone who submits valid reports, which help us improve security. However, only those who meet the following eligibility requirements may receive a monetary reward:\n- You must be the first vulnerability reporter.\n- The vulnerability must be a qualifying vulnerability\n- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackerone.com\n- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.\n- You must not be a former or current employee of ours or one of its contractors.\n- Only use your hackerone address (in case of violation, no bounty will be awarded)\n- Provide detailed but to-the-point reproduction steps\n\n------\n\nTier 1  (Crypto related vulnerability) \n===========================\nP4:\n---\n- A vulnerability that could compromise the safety of any user's or validator's funds or fees. \n- Subversion of the DEX trading logic\n- A vulnerability that could severely undermine the token economy or trading. \n- Key generation, encryption, signing, and verification-related security vulnerabilities. \n- The malleability of transactions or spoofing of transaction origins. \n- Merkle proof vulnerability\n- Manipulation of blockchain validator \n- Remote code execution on any OKC Chain\n- Vulnerabilities that could disrupt the OKC chain\n\nP3:\n---\n- Denial of service of any OKC chain\n- Vulnerabilities that could disrupt Blockchain validator and its performances. \n- Vulnerabilities that cause OKX to be unable to respond to users' queries on orders, transactions, balance etc. \n- Access to disable channels of cross-chain bridge. 
\n- Denial of service of cross-chain bridge. \n\nP2:\n---\n- Denial of service of any OKC chain\n\nP1:\n---\n- Vulnerabilities that could affect OKC related node on stability or availability. \n\n------\n\nTier 2 (Web/Mobile application vulnerability)\n=================================\nP4: \n---\n- Serious vulnerabilities refer to those occurring in the core system business system (i.e. core control system, domain control, business distribution system, and fortress machine, which can manage a large number of systems) that can cause a large-scale impact, obtain a large number of (depending on the actual situation) business system authorities, access to the administrator rights and control the core system.\n- Manipulation of multiple machines in the Intranet\n- Capture of core backend super administrator rights, which may cause major impacts, such as large-scale leakage of core business data.\n\nP3:\n---\n- Capture of system permission (getshell, command execution, etc)\n- SQL injection to system (backend loophole reports would be downrated, while submission in pack uprated if appropriate)\n- Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend password, and SSRF that obtains considerable sensitive information from the intranet\n- Random file access\n- XXE loophole that can capture random information\n- Unauthorized operation with fund, bypassing payment logic (successfully exploited)\n- Serious logical design and process loopholes, including but not limited to loopholes that allow random user login and mass modification of account password, as well as logical loopholes that compromise the company's key business, except for verification code blasting\n- Other vulnerabilities that can cause large-scale impact to users, including but not limited to self-propagating stored XSS on important webpages, stored XSS that can obtain and successfully use administrator authentication information\n- 
Substantial leakage of source codes\n- Service down due to application or system upgrades, with significant and wide-ranging impact\n\nP2:\n---\n- Vulnerabilities that affect users through interactions, including stored XSS on normal webpages and CSRF in core businesses.\n- Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations.\n- Logical loopholes in verification code that may make blasting through sensitive operations possible, such as random account login and random password retrieval\n- Leakage of locally-stored sensitive encryption data (with effective use)\n- Identity verification interrupted, such as when verifying 2FA\n- Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history\n- Obvious errors in descriptive content resulting in misguidance\n\nP1:\n---\n- Local denial-of-service vulnerabilities, including but not limited to local denial-of-service vulnerabilities on the client (caused by parsing of file formats and network protocols), and issues related to Android component access exposure and general application access\n- General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing, etc.\n- Reflected XSS (including DOM XSS / Flash XSS)\n- Normal CSRF\n- URL redirection vulnerabilities\n- SMS bomb\n- Other low-risk vulnerabilities without proof of harm, such as CORS loopholes that cannot obtain sensitive information\n- SSRF with no echo nor successful use\n- When a function or button is unresponsive or fails, and interrupts the expected product flow\n- Inaccurate or ambiguous expressions or use of language in emails or within the product flow\n\n------\n\n#OUT OF SCOPE – WEB VULNERABILITIES\n- When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n- Reports from automated tools or scans\n- False positive SQL Injection\n- To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name\n- Spam vulnerability, mail spoofing, mail bomb, etc.\n- Self-XSS\n- Use of known-vulnerable library or component\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n- Rate limiting or brute-force issues on non-authentication endpoints\n- Missing best practices in Content Security Policy.\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n- Tabnabbing\n- Open redirect, unless an additional security impact can be demonstrated\n- Issues that require unlikely user interaction\n- Vulnerabilities that are already known (e.g. 
discovered by an internal team)\n- Best practice reports are not eligible for bounties but are appreciated.\n- Exposure of Google Maps API Key.\n- Wordpress related vulnerability\n\nOUT OF SCOPE – MOBILE VULNERABILITIES\n==================================\n- Attacks requiring physical access to a user's device\n- Vulnerabilities that require root/jailbreak\n- Vulnerabilities requiring extensive user interaction\n- Exposure of non-sensitive data on the device\n- Reports from static analysis of the binary without PoC that impacts business logic\n- Lack of obfuscation/binary protection/root(jailbreak) detection\n- Bypass certificate pinning on rooted devices\n- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries\n- Sensitive data in URLs/request bodies when protected by TLS\n- Path disclosure in binary\n- OAuth \u0026 app secret hard-coded/recoverable in IPA, APK\n- Sensitive information retained as plaintext in the device’s memory\n- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver\n(exploiting these for sensitive data leakage is commonly in scope)\n- Any kind of sensitive data stored in-app private directory\n- Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a\n- Jailbroken environment\n- Shared links leaked through the system clipboard\n- Any URIs leaked because a malicious app has permission to view URIs opened.\n- Exposure of API keys with no security impact (Google Maps API keys etc.)\n- Notes about IDOR Vulnerabilities\n- Researchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced.\n\n------\n\nKnown issues\n==========\nPlease note that the OKX Security Team also actively looks for vulnerabilities across all assets internally. 
For reported issues that are already known to us, we will close them as duplicates.\nWe seek your kind cooperation to respect our final decision and to refrain from making multiple negotiations once the decision has been made.\n\nSafe Harbor\n=========\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\nThank you for helping keep OKX and our users safe!\n\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-14T08:59:59.659Z"}]