Program guidelines

Program highlights

Gold Standard Safe HarborAdheres to Gold Standard Safe Harbor. [https://docs.hackerone.com/en/articles/8494525-gold-standard-safe-harbor-statement](

)

Platform StandardsFully compliant with Platform Standards. [https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards#h_e01bc643a8](

)

Top Response EfficiencyThis program's response efficiency is above 90%. [https://docs.hackerone.com/en/articles/8490880-response-target-indicators](

)

Managed by HackerOneCollaboration EnabledIncludes Retesting

14 hours Average time to first response

22 hours Average time to triage

N/A Average time to bounty

22 hours Average time from submission to bounty

N/A Average time to resolution

Rewards summary

Last updated on January 20, 2025. [/bumba_bbp/bounty_table_versions](View changes

)

Each severity lists the 90-day average bounty and the percentage of total resolved reports, if applicable.

Low40% submissions

Medium40% submissions

High0% submissions

Critical20% submissions

Low40% submissions

Medium40% submissions

High0% submissions

Critical20% submissions

$50–$100

$100–$500

$500–$1,000

$1,000–$2,000

If the Report does not include a valid Proof-of-Concept / How to Reproduce the Bug, the qualification of rewards will be decided according to reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly.

The specific amount of the bug will vary according to: • The effect of the bug. • The cause of the bug. • Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution. • Instructions for reproducing the bugs are critical for ensuring a fair and adequate reward

Please note these are general guidelines, and reward decisions are up to the discretion of Bumba.

No bounties will be awarded for vulnerabilities already flagged by other researchers, or already being internally actioned by Bumba staff.

Scope exclusions

Core Ineligible Findings are out of scope. [https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings](Learn more

)Category Exclusion details

Overview

Last updated on April 29, 2025. [/bumba_bbp/policy_versions](View changes

)

Bumba.global is committed to security and recognizes the importance of security researchers in keeping the community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page. Note: This program is for the disclosure of software security vulnerabilities only. The following bug classification serves as a guideline for assessing potential payouts. Please note that while this chart provides a general framework, actual payouts may vary based on the following factors: • the monetary implications and risk exposures • downtimes and disrupted functionality • clarity of the report and the ability to recreate the bug from the detailed step by step instructions Bumba reserves the right to update this classification at any time.

Vulnerability Classification

Critical

• Vulnerabilities in critical assets capable of causing substantial business disruptions or enabling unauthorized access to Bumba funds, Bumba web3 wallets with funds or private wallet keys. • Vulnerabilities that might jeopardise the security of funds or fees belonging to users or validators, or substantially weaken the token economy or trading mechanisms. • Vulnerabilities that could influence market swings via APIs • Abuse of staking rewards over 10M • Proof of insider trading • Large scale money laundering

High

• SQL injection to system (backend loophole reports would be downrated, while submission in pack uprated if appropriate) • Unauthorized access to sensitive data, including but not limited to bypassing authentication to access the backend, weak backend password, and SSRF that obtains considerable sensitive information from the intranet • Unauthorized operation with fund, bypassing payment logic (successfully exploited) • Serious logical design and process loopholes, including but not limited to loopholes that allow random user login and mass modification of account password, as well as logical loopholes that compromise the company's key business, except for verification code blasting • Other vulnerabilities that can cause large-scale impact on users, including but not limited to self-propagating stored XSS on important webpages • Substantial leakage of source codes • Bypassing Bumba fee structures • A flaw in the system that allows users from a given region to bypass KYC restrictions • 2FA bypass

Medium

• Vulnerabilities that affect users through interactions, including stored XSS on normal webpages and CSRF in core businesses. • Unauthorized operations, including but not limited to bypassing authentication to modify users’ information and modifying users’ configurations. • Logical loopholes in verification code that may make blasting through sensitive operations possible, such as random account login and random password retrieval • Leakage of locally stored sensitive encryption data (with effective use) • Vulnerabilities that hinder trading, deposits and withdrawals, such as failure to cancel or place orders, or incorrect account history • Subdomain takeover

Low

• General information leakage, including but not limited to web path traversal, system path traversal, and directory browsing, etc. • Reflected XSS (including DOM XSS / Flash XSS) • Normal CSRF • URL redirection vulnerabilities • SSRF with no echo nor successful use • Social media account takeover (for accounts found on community page, or within the header or footer sections of OKX)

IDOR Vulnerabilities

• Researchers must be able to prove a feasible way to gain an ID as an attacker and we will not accept reports where IDs are being brute forced. Broken link reports Bumba: • Broken links that cannot be exploited or do not present a security risk are excluded • Only broken links related to Bumba found on the landing page, or within the header or footer sections of Bumba, will be considered in scope. All other broken links are deemed out of scope. • Broken links or takeover of social media accounts found in Help/Support/Learn articles are out of scope. • Third party broken links found on articles or social media channels will be considered out of scope. Please note that we will review these findings on a case-by-case basis to determine if they are eligible for a bounty award.

Program Rules

• Avoid using web application scanners for automatic vulnerability searching which generates massive traffic • Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses, including Denial of Services attacks • Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program) • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure • Don’t break any law and stay within the defined scope • Follow and adhere to HackerOne's disclosure guidelines • By submitting a bug, you agree to be bound by the rules • Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities

Report Evaluation

To be deemed valid, a report must demonstrate a software vulnerability in a service provided by Bumba that harms Bumba or Bumba customers. Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid. The report should contain screenshots or a video of the entire process for exposing and witnessing the bug. Prerequisites should be defined, and the entire description of the process should allow a smooth reconstruction by a technical member of staff from the Bumba team. A report must also follow all the rules of HackerOne's Code of Conduct found here: https://www.hackerone.com/policies/code-of-conduct along with all rules found on our Coinbase HackerOne page. The report must be in English.

Researcher Eligibility

To participate in the Bug Bounty Program you must: • Not be a resident of any country under U.S. sanctions or any country that does not allow participation in these types of programs • Be at least 16 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program • Have permission from your employer to participate (if applicable) • Not be (for the previous 12 months) a Bumba employee or consultant, immediate family member of a Bumba employee, Bumba contractor, or Bumba service provider. • Have a KYC’ed account on the Bumba Platform in your own name • Submissions must include the researcher’s user name used on their Bumba Account • All submissions for bounties to Bumba must be through the HackerOne Portal • Bumba Exchange does not onboard US passport holders. If you are a Hacker with an US passport, please state that early in your report and request a separate KYC journey. Following our internal compliance review, a decision will be made to open your Bumba Exchange account.

Scope

The Bumba Bug Bounty program scope covers all software vulnerabilities in services provided by Bumba. The domain is: https://bumba.global The applications are: https://apps.apple.com/ae/app/bumba-global/id6451416170 https://play.google.com/store/apps/details?id=com.bumba.global.mobile&hl=en_GB

Out of Scope

In addition to all items under Core Ineligible Findings, the following are out of scope: • Use of known-vulnerable library or component • Reports from automated tools or scans, without exploitability demonstration • To avoid submitting a false positive, please ensure that you are able to provide a working PoC that demonstrates the ability to retrieve the current database / current user name • Username enumeration • Exposure of internal IP address or domains • Missing security headers that do not lead to direct exploitation • Exposed passwords that are not Bumba.global’s fault • Vulnerabilities that only affect users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version] • Use of AI/Deepfake technology to bypass KYC or similar scenario • Spamming • Non-security-impacting UX issues • Vulnerabilities or weaknesses in third party applications that integrate with Bumba • Ability to abuse existing banking functionality such as ACH or credit card chargebacks • Publicly available leaked credentials (database dumps) by themselves that are found on the internet are out of scope. If you can leverage our current systems to receive sensitive user information the report will be considered • All known vulnerabilities

Out of Scope – Mobile App Vulnerabilities

• Attacks requiring physical access to another user's device • Vulnerabilities that require root/jailbreak • Exposure of non-sensitive data on the device • Reports from static analysis of the binary without PoC that impacts business logic • Bypass certificate pinning on rooted devices • Scenarios requiring excessive user interaction or tricking users like phishing. • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC) • Sensitive data in URLs/request bodies when protected by TLS • OAuth & app secret hard-coded/recoverable in IPA, APK • Sensitive information retained as plaintext in the device’s memory • Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver • Any kind of sensitive data stored in-app private directory • Runtime hacking exploits using tools like but not limited to Frida / Appmon (exploits only possible in a jailbroken environment) • Shared links leaked through the system clipboard • Any URIs leaked because a malicious app has permission to view URIs opened. • Exposure of API keys with no security impact (Google Maps API keys etc.) • Use of AI/Deepfake technology to bypass KYC or similar scenario • Any CRO cashback gained via a typical purchase, payment or cash advance • Clickjacking/UI redressing with minimal security impact. • Distributed denial of service attacks (DDOS). • DNSSEC Misconfiguration • Require physical connection to the device with developer-level debugging tool including but not limited to ADB.

Disclaimer:

• Bumba reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity • Bumba reserves its right to change, cancel or update its Bug Bounty Policy at any time • By submitting a bug, you agree to be bound by the above rules • KYC is mandatory before submission of any report • As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization • No vulnerability disclosure, including partial, is allowed for the moment. • Please do not publish/discuss bugs • Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards • In addition to identified vulnerabilities, we appreciate you reporting any broken links, potential Denial-of-Service (DoS) vulnerabilities, or leaked credentials you encounter during your research