Disclosure Policy
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit, written permission of the account holder that you can provide to BitMEX.
Program Rules
- Avoid testing on www.bitmex.com; testnet.bitmex.com is typically identical to the production environment, and simplifies testing.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- You must disclose the use of any Artificial Intelligence (AI) or Large Language Models (LLMs), such as ChatGPT, during your vulnerability research.
- Reports with fabricated evidence may result in a ban.
- LLM-generated reports describing non-existent vulnerabilities may result in a ban; if you test with AI, verify your findings before submitting.
Instructions
- Hackers will need to register for a BitMEX Testnet account.
- Once the account is created, verify the associated email address.
- Log in twice; the account is automatically KYC-approved on the second login.
- Start Hacking!
Exclusions
While researching, we'd like to ask you to refrain from engaging in or reporting:
- Content spoofing and text injection issues without showing an attack vector or the ability to modify HTML/CSS.
- Network disruption of service (DoS) attacks (e.g. connection floods, HTTP GET floods, etc.).
  - App-layer DoS testing is permissible as long as the testing is not load- or network-based.
  - As with the rest of the bug bounty program, only test on https://testnet.bitmex.com.
  - If you have found a probable DoS vector, we encourage proactively reporting it so we can help you evaluate whether it is exploitable.
  - App-layer DoS issues are eligible for up to critical severity, at our discretion based on impact and complexity.
- DDoS protection bypasses
- Social engineering (including phishing) of BitMEX staff or contractors.
- Any physical attempts against BitMEX property or data centers.
- Bugs in non-standard browsers or browsers not supported by BitMEX.
- Clickjacking attacks.
- CSRF issues without a working proof-of-concept in a major, current-version browser.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Missing best practices without a working Proof of Concept.
- Path disclosure.
- Missing CSP, X-Frame-Options, content-sniffing protection, HPKP headers, etc.
- Content injection or XSS that is mitigated by CSP will be treated as a low-severity issue unless a bypass can be found in the policy in a major, current-version browser.
  - Bypasses must include a working proof-of-concept to be eligible.
- Missing email protections, including DKIM and SPF.
- Missing DNS protections, e.g. DNSSEC.
Additional Program Notes
- 0-days will not be rewarded within the first 30 days of their release, to allow time for remedial efforts; however, the first reporter, or any report that finds an area we have missed, will be rewarded even if it is within those 30 days.
- Vulnerabilities in software/infrastructure managed by third parties are not eligible for rewards.
  - This includes 'BitMEX data' found on other platforms: we do not accept reports concerning findings on VirusTotal, the Internet Archive, random credential dumps found in darknet forums, miscellaneous servers in Shodan that are not part of our infrastructure, etc.