1. About us
Founded in Hong Kong in 2016, BitZ is a world-renowned digital asset trading platform that provides professional digital asset and fiat currency trading services to users around the world. To date, the cumulative number of registered users has exceeded 1.7 million, and the platform accounts for 5.41% of global transaction volume. BitZ brings together blockchain enthusiasts from all over the world. The team includes talent from top international financial institutions, social media and social platforms, video games, and other fields. We are constantly exploring and are committed to providing integrated digital asset trading services of the highest quality to users around the world. BitZ's mission is to provide the safest and most efficient service.
2. Reward criteria for security vulnerabilities and test targets
P1 $5,000 - $10,000
P2 $1,500 - $5,000
P3 $500 - $1,500
P4 $200 - $500
Other target information
API Documentation: https://apidoc.bitz.com/cn/
3. Grading Standard
Serious vulnerability P1
Vulnerabilities seriously undermining asset security.
Vulnerabilities seriously undermining asset transactions.
Core system key generation, encryption, decryption, signature, and verification related vulnerabilities.
Control of multiple machines on the intranet.
Obtaining super-administrator rights on a core system backend, leading to large-scale leakage of core enterprise data.
High-risk vulnerability P2
Vulnerabilities that directly yield general system permissions, including but not limited to command injection, remote command execution, file upload leading to a WebShell, and SQL injection leading to system permissions.
Arbitrary file read on the server.
Unauthorized operations involving funds, or bypass of payment logic (the operation must be carried through to completion).
Serious design flaws and process defects in core business logic that affect user information security, asset security, etc.
Leakage of sensitive information, including but not limited to source code leaks and unauthorized or direct access to large amounts of user information.
Medium risk vulnerability P3
Ordinary unauthorized operations, including but not limited to bypassing restrictions to modify user data or to perform actions as another user.
Leakage of locally stored sensitive authentication keys (the leaked key must be usable).
Vulnerabilities that require user interaction to be effective, including but not limited to CSRF affecting core business.
Denial-of-service vulnerabilities.
Brute-forcing of verification-code logic that leads to sensitive system operations succeeding, such as logging in to arbitrary accounts or resetting arbitrary passwords.
Low-risk vulnerability P4
Vulnerabilities with limited impact, including but not limited to SMS or email bombing and URL redirects.
Minor information disclosure, including but not limited to path disclosure, SVN information disclosure, phpinfo pages, exception and debug output containing a small number of sensitive fields, local SQL injection, log printing, and configuration details.
Vulnerabilities that can obtain user information only under certain circumstances, including but not limited to reflected XSS (including DOM-based XSS) and stored XSS on edge services.
Vulnerabilities that are difficult to exploit but still carry security risk, including but not limited to self-XSS that can be made to propagate, login interface defects, and CSRF on sensitive operations that has demanding preconditions.
No harm (ignored)
Issues specific to unsupported or non-standard browsers, or bugs in the browser itself.
Vulnerabilities that can only be exploited in outdated browsers or platforms.
Unexploitable vulnerabilities; non-sensitive CSRF (favourite, unfavourite, general data modification, etc.); meaningless exception information leakage; intranet IP address or domain name leakage.
Other issues that do not directly demonstrate a vulnerability, including but not limited to problems that are purely the reporter's speculation.
Missing best practices in SSL/TLS configuration.
Vulnerabilities that cannot be reproduced, and vulnerabilities that are already known, including but not limited to those already confirmed by SRC staff, known internally, in the process of being fixed, or publicly exploited.
Vulnerabilities requiring root or jailbreak.
Vulnerabilities or weaknesses in third-party applications that cooperate with BitZ.
Mobile: meaningless log printing, etc.
PC: crashes and similar issues of no value.
4. General principles
Once you find a security issue, please report it to us as soon as possible. We will make every effort to resolve the problem quickly and give the corresponding reward.
Please allow us reasonable time to process the report, and communicate with us before disclosing it publicly.
For duplicate reports of the same threat, the earliest submitter will be rewarded.
Multiple exploitation paths arising from the same vulnerability are rewarded according to the highest applicable level.
Test your own accounts only.
Please avoid testing that would invade privacy, damage data, or disrupt or degrade our services.
BitZ follows the vulnerability grading standard above, but the final decision rests with BitZ.
5. Processing flow
The reporter can submit threat information by email ([email protected]).
Within one business day, the security team will confirm receipt of the threat intelligence and follow up with an assessment.
Within three to ten working days, the technical team will handle the issue, reach a conclusion, rate the report, and communicate with the reporter to confirm the result, asking the reporter to assist if necessary.
The business department fixes the security issue described in the threat intelligence and schedules the update for release. Repair time depends on the severity of the problem and the difficulty of the fix. Generally, serious and high-risk vulnerabilities are fixed within 24 hours, medium-risk vulnerabilities within 3 working days, and low-risk vulnerabilities within 7 working days. App issues are constrained by the release cycle, and their repair time is determined by actual conditions.
The reporter verifies whether the security issue has been fixed.
Once the reporter confirms that the security issue has been fixed, the security team will issue the reward.
6. Reward method
Rewards are paid in ETH of equivalent value. An ETH wallet address is required once the reward is confirmed.