Bug Bounty
Together, we improve!
Eligibility
Vulnerabilities that typically would be eligible include, but are not limited to:
1. Serious vulnerabilities occurring in the production environment
2. Vulnerabilities that can cause a loss of user funds/assets remotely
3. Privilege Escalation
4. Code/SQL Injection
5. Cross-Site Request Forgery (CSRF)
6. Cross-Site Scripting (XSS)
7. Remote Code Execution
8. Privilege Escalation
9. Authentication Bypass
Ineligibility
The following reports will be closed as out of scope:
Theoretical vulnerabilities without a PoC
Any DoS/DDoS activities
Invalid or missing SPF records (incomplete or missing SPF/DKIM/DMARC)
Clickjacking/UI with minimal security impact
Phishing
Tab-nabbing
Content spoofing
Cache-control related issues
Exposure of internal IP address or domains
Vulnerabilities affecting outdated or unpatched browsers.
Bugs already known or already reported by someone else (reward goes to first reporter).
Issues that aren't reproducible.
Email/SMS bomb
Actions to avoid
Testing on other users' accounts
Automated testing using tools such as scanners
Excessive request attempts that affect the availability of our services to all users
Destruction of data
Disruption of services
Rewards
Submit suggestions
Get rewarded
The minimum reward for eligible issues is the equivalent of 10 USDT.
If several hackers find the same bug, the first to submit it gets the reward.
Reward Range:
Bugs: 10 - 50 USDT
Low risk: 50 - 200 USDT
Medium risk: 200 - 500 USDT
High risk: 500 - 1000 USDT
How to report a bug?
Send your bug report to security@aax.com.
Include your AAX UID.
Please allow 2 business days for a response.