Ourbit
Bounty Range
$30 - $20,000
external program
Trade Bitcoin (BTC), Ethereum (ETH), Altcoins, Memecoins, NFTs, DeFi, GameFi & Metaverse tokens securely on Ourbit. Fast transactions & best liquidity.
Ourbit Global
Founded in 2024, Ourbit Global, with its high-performance and mega transaction matching technology, is recognized as a secure and reliable exchange. The team at Ourbit Global is made up of some of the first movers and pioneers of financial and blockchain technology.
| Platform | Target |
| --- | --- |
| Android: Play Store | ourbit Google Play |
| Android: Official Website | Official Website |
| iOS: App Store | ourbit Apple Store |
| Web: Domain | *.ourbit.com |
Our core business domains are "www.ourbit.com" and "futures.ourbit.com". The rewards stated on Bugrap apply only to reports related to these core business domains. For vulnerabilities found outside these domains, rewards will be evaluated and determined by our review team.

- Rewards will be provided according to the rules of this bug bounty program.
- At the discretion of Ourbit, the quality, creativity, or novelty of a submission may move its payout within the stated range.
- In case of multiple reports about the same issue, only the earliest valid submission will be rewarded.
- Vulnerabilities will be scored by their actual impact as well as by CVSS 3.1.
| Severity | Description | Reward |
| --- | --- | --- |
| Critical | Critical severity vulnerabilities have a significant impact on the security of the project, and it is strongly recommended to fix them. | 5,000 ~ 20,000 USDC |
| High | High severity vulnerabilities affect the normal operation of the project. It is strongly recommended to fix high-risk vulnerabilities. | 2,000 ~ 5,000 USDC |
| Medium | Medium severity vulnerabilities affect the operation of the project. It is recommended to fix medium-risk vulnerabilities. | 200 ~ 1,000 USDC |
| Low | Low severity vulnerabilities may affect the operation of the project in certain scenarios. The project team should evaluate whether these vulnerabilities need to be fixed. | 30 ~ 200 USDC |
Critical: vulnerabilities that compromise the confidentiality, integrity, or availability of production resources, leading to full system compromise or leakage of highly sensitive data. Examples include:

- Bulk access to sensitive user information and control of user privileges.
- Control of critical servers.
- Obtaining core system privileges (e.g., RCE, code execution, webshell upload).
- Serious logic flaws (e.g., arbitrary account fund consumption, batch password reset, arbitrary login).
- Authentication flaws leading to arbitrary account compromise.
- Smart contract overflows and race conditions.

High: vulnerabilities that compromise production resources or expose sensitive data with limited difficulty. Examples include:

- Serious logic flaws (e.g., bulk sending of forged messages).
- Unauthorized access to sensitive data (e.g., backend access via bypass, SSRF, weak passwords).
- Gaining system-level privileges on general business systems (e.g., RCE, webshell).
- Large-scale user impact (e.g., stored XSS with propagation, CSRF on critical operations).

Medium: vulnerabilities that partially compromise confidentiality, integrity, or availability and are harder to exploit. Examples include:

- User-interaction vulnerabilities (e.g., stored XSS, reflected XSS, CSRF on critical actions, open redirect).
- Common logic flaws (e.g., SMS bomb).
- Limited-impact vulnerabilities (e.g., unauthorized profile edits).

Low: vulnerabilities that pose minimal security impact or are difficult to exploit. Examples include:

- Minor information leaks (e.g., path disclosure, SVN leaks, local SQLi leaking only database names).
- Hard-to-exploit SQL injection.
- Self-XSS with propagation potential.
- Low-impact CSRF requiring crafted parameters.
Out of scope (not eligible for reward):

- Email forgery
- Username brute-force registration
- Self-XSS or HTML injection
- Missing headers (CSP, SRI, CORS, etc.)
- CSRF on non-sensitive operations
- Android allowBackup=true
- Local DoS
- Middleware version disclosure (e.g., Nginx)
- Non-security functional bugs
- Physical or social engineering attacks against Ourbit employees
- Man-in-the-middle attacks related to app certificate pinning
Program rules:

- Rewards require reproducible, verifiable issues with a clear security impact.
- Reports should include clear reproduction steps (screenshots, videos, scripts).
- Do not conduct social engineering or phishing.
- Do not leak vulnerability details.
- Do not run large-scale automated scans.
- Tests must remain proof-of-concept only; destructive testing is prohibited.
- Avoid aggressive payloads (e.g., cookie theft, user data exfiltration). If one is used by mistake, remove it immediately.
- Report any accidental harm caused during testing.