Products About OTC Desk Blog Help Center
log in sign up

Obiex Bug Bounty Program

Rules of Engagement and Security Testing Guidelines

It is imperative for us at Obiex to maintain state-of-the-art security, thus keeping our systems and the assets of our customers safe and secure. For this reason, we will take every security report seriously as we assess the risk to our platform and customers.

As with every bug bounty program, we are laying down guidelines which security testers and researchers are expected to follow to successfully participate in the program. We will also describe eligibility of vulnerabilities and reward categories.

By participating in the Obiex bug bounty program, you are agreeing to adhere to our guidelines and Code of Conduct.

Guidelines

We expect all program participants to adhere to the following guidelines.

Submissions 📁

Only submissions containing a working Proof of Concept (PoC), which lays out the step-by-step process to exploit the related vulnerability or chain of vulnerabilities, will be eligible for rewards.

Although we are happy to work with the global pool of security researchers, we retain the discretion to determine if a submission sufficiently meets our risk assessment and is qualified for a monetary reward.

All submissions should be made to [email protected]. We aim to process each submission and respond within 7 calendar days. Please note that submissions without accompanying evidence and detailed PoCs may be delayed during triage.

Scope 🚧

Endpoints on *.obiex.finance are in scope.

We accept submissions for vulnerabilities discovered in the Obiex Web, Android, and iOS applications.

Any Obiex asset or domain not listed in scope is out of scope.

Types of Vulnerabilities ⚠

Examples of vulnerabilities we are looking for include those that demonstrate:

  • Arbitrary remote code execution.
  • Unrestricted filesystem access.
  • Unrestricted database access.
  • Unauthorised transfer of customer crypto assets.
  • Authentication bypass.
  • Customer account takeover.

We do not encourage the following as part of your tests:

  • Social engineering on our staff or customers
  • Deletion of customer data (other than data created during your tests)
  • Denial of service (DoS) or distributed denial of service (DDoS) attacks on our applications and infrastructure

Rewards 💸

The tiers are based on the severity of the discovered vulnerability and overall impact to our business operations. Please note that we do not get our criticality ratings from the CVSS score bands, they are rather obtained following internal risk assessments.

Up to 1,000 USD

Vulnerabilities that could lead to significant financial or crypto asset loss, system compromise, or data loss, typically resulting from remote arbitrary code execution, unrestricted filesystem access, or unrestricted database access.

Up to 300 USDT

Vulnerabilities that could lead to unauthorised access to customer account information, transfer of customer crypto assets, typically resulting from authentication bypass or privilege escalation.

Up to 100 USDT

 Vulnerabilities that affect a single component or security control, and may not wholly lead to significant financial loss to the business.

Code of Conduct 📜

Our Code of Conduct applies to security researchers and customers who choose to participate in this bug bounty program, and will ensure that we interact in a professional manner.

We expect participants to:

  • Behave professionally and be respectful in all interactions with us.
  • Be ethical and report all findings to us timely.
  • Make submissions without conditions, demands or threats.
  • Be responsive and cooperative if we request any more information about findings.
  • Not disclose any vulnerability or sensitive customer information discovered with third parties or to the public.
  • Limit the amount of data accessed to the minimum required to demonstrate impact if a vulnerability grants unrestricted access to protected data.
  • Adhere to presiding data protection regulations while handling any discovered sensitive customer data.
  • Destroy any sensitive customer or Obiex-related data discovered after the vulnerability submission is closed.

Rights

By participating in this program, you are agreeing to give us the right to use, modify, and distribute any findings without further rewards beyond that which is stated in the Rewards section, and which might have been paid out before our use.

products

company

learn

download app

google play link image app store link image

Copyright © 2024 Obiex Africa Ltd. All rights reserved

facebook icon twitter icon tiktok icon instagram icon youtube icon telegram icon linkedin icon