Pionex Vulnerability Bounty Program

About the Program

Safety and security are our top priorities at Pionex. To eliminate the system vulnerabilities and further improve Pionex services, Pionex launched the vulnerability bounty program for all security researchers.

We will evaluate all reported security issues based on the security impact on users and assets, and rewards will be paid in USDT once your submission is accepted.

Please be advised that only reports with a detailed description of the vulnerability and complete working proof of concept are qualified for the rewards. For researchers filing reports on severe issues that may have an extreme security impact, Pionex may offer an additional reward.

If you would like to report a security vulnerability, claim your bounty rewards, or have any questions about this program, please feel free to contact us at security@pionex.com, or submit your report at HackenProof.com


Scope

In-scope targets:

· *.pionex.com

· Pionex iOS App

· Pionex Android App

Out-of-scope targets:

· blog.pionex.com


Rewards

Once your submission is accepted, please provide either of the following to receive your reward.

· Your Pionex account, or

· Your USDT wallet address


Level of Severity and Reward Range

P1: 3,000 – 10,000 USDT

  • Vulnerabilities that undermine user assets’ security
  • Vulnerabilities that bypass the applications or procedures under normal trading logic
  • Vulnerabilities that could remotely access essential information and authentication information of users
  • Vulnerabilities related to key generation, encryption, decryption, signing, and verification

P2: 1,000 – 2,000 USDT

  • Vulnerabilities that lead to high-risk information leakage
  • Vulnerabilities with a similar impact as P1 vulnerabilities but are dependent on specific prerequisites

P3: 300 – 1,000 USDT

  • Vulnerabilities that lead to the leakage of part of the users’ info through interaction or financial fraud
  • Vulnerabilities that cause Pionex to be unable to respond to users’ requests from the web or mobile Apps.

P4: 50 – 200 USDT

  • Vulnerabilities due to product design defects that do not affect the security of users’ assets.
  • Vulnerabilities that lead to Denial of Service of core Pionex services

To report an issue without security impact, please contact Pionex Online Support (the Chat icon is located at the bottom right of the Pionex.com homepage).

Reports NOT Qualified for the Rewards

The following issues are not qualified for the reward:

  • Theoretical vulnerabilities without actual proof of the concept
  • Email verification defects, expiration of password reset links, and password complexity policies
  • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
  • Clickjacking/UI redressing with minimal security impact
  • Email or mobile enumeration (e.g., the ability to identify emails through password resetting)
  • Information leakage with minimal security impact (e.g., stack traces, path disclosure, directory listings, logs)
  • Internally known issues, recurring issues, or issues already published 
  • Tabnabbing
  • Self-XSS
  • Vulnerabilities only applicable to outdated versions of browsers or platforms
  • Vulnerabilities related to auto-fill web forms
  • Use of vulnerable libraries already known without actual proof of concept
  • Lack of security flags in cookies
  • Issues related to unsafe SSL/TLS cipher suites or protocol version
  • Content spoofing
  • Issues related to cache control
  • Vulnerabilities exposing internal IP addresses or domains
  • Lack of security headers that do not lead to direct exploitation
  • CSRF with negligible security impact (e.g., added to favorites and subscribed non-vital features)
  • Vulnerabilities that require root/jailbreak
  • Vulnerabilities that require physical access to the device of users
  • Issues with no security impact (e.g., failure to load a web page)

Terms & Conditions

  • Pionex reserves the rights to the final explanation of the bounty program and retains the discretion to terminate or change the rewards or bounty rules.
  • Only the first verified vulnerability report on a specific security issue will be rewarded. Later, similar reports will not be rewarded.
  • The reviewing of the reports will generally take approximately 1-2 weeks. Pionex shall decide the results of any review at its own discretion. 
  • Rewards will be issued to your Pionex account or wallet address in 2 weeks after a vulnerability report is approved and verified. We will let you know by email once the reward is issued.
  • Security researchers conducting or facilitating others to conduct malicious attacks on Pionex will not be qualified for any reward.