Obiex Bug Bounty Program
Rules of Engagement and Security Testing Guidelines
It is imperative for us at Obiex to maintain state-of-the-art security, thus keeping our systems and the assets of our customers safe and secure. For this reason, we will take every security report seriously as we assess the risk to our platform and customers.
As with every bug bounty program, we are laying down guidelines that security testers and researchers are expected to follow in order to participate successfully in the program. We will also describe which vulnerabilities are eligible and the reward categories.
By participating in the Obiex bug bounty program, you are agreeing to adhere to our guidelines and Code of Conduct.
Guidelines
We expect all program participants to adhere to the following guidelines.
Submissions 📁
Only submissions containing a working Proof of Concept (PoC), which lays out the step-by-step process to exploit the related vulnerability or chain of vulnerabilities, will be eligible for rewards.
Although we are happy to work with the global pool of security researchers, we retain the discretion to determine whether a submission sufficiently meets our risk assessment criteria and qualifies for a monetary reward.
All submissions should be made to [email protected]. We aim to process each submission and respond within 7 calendar days. Please note that submissions without accompanying evidence and detailed PoCs may be delayed during triage.
Scope 🚧
Endpoints on *.obiex.finance are in scope.
We accept submissions for vulnerabilities discovered in the Obiex Web, Android, and iOS applications.
Any Obiex asset or domain not listed in scope is out of scope.
Types of Vulnerabilities ⚠
Examples of vulnerabilities we are looking for include those that demonstrate:
We do not encourage the following as part of your tests:
Rewards 💸
The tiers are based on the severity of the discovered vulnerability and its overall impact on our business operations. Please note that our criticality ratings are not derived from the CVSS score bands; they are instead obtained through internal risk assessments.
Up to 1,000 USD
Vulnerabilities that could lead to significant financial or crypto asset loss, system compromise, or data loss, typically resulting from remote arbitrary code execution, unrestricted filesystem access, or unrestricted database access.
Up to 300 USDT
Vulnerabilities that could lead to unauthorised access to customer account information or the transfer of customer crypto assets, typically resulting from authentication bypass or privilege escalation.
Up to 100 USDT
Vulnerabilities that affect a single component or security control and, on their own, may not lead to significant financial loss to the business.
Code of Conduct 📜
Our Code of Conduct applies to security researchers and customers who choose to participate in this bug bounty program, and it ensures that we interact in a professional manner.
We expect participants to:
Rights
By participating in this program, you agree to grant us the right to use, modify, and distribute any findings without further rewards beyond those stated in the Rewards section, including any reward that may already have been paid out before our use.