
Soex
Bounty Range
Up to $10,000
external program
SOEX is a cutting-edge social trading platform designed to connect traders, enhance your trading experience, and maximize your earnings through innovative features, next-gen assets and a strong focus on community engagement.
Rewards will be provided according to the rules of this bug bounty program as outlined above. At the discretion of Soex, quality, creativity, or novelty of submissions may modify payouts within a given range.
In case of multiple reports about the same issue, Soex will reward the earliest submission, regardless of how the issue was reported.
CVSS standards will be used for vulnerability rating (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator).
| Severity | Description | Reward |
|---|---|---|
| Critical | Critical severity vulnerabilities will have a significant impact on the security of the project, and it is strongly recommended to fix the critical vulnerabilities. | 5,000 ~ 10,000 USDC |
| High | High severity vulnerabilities will affect the normal operation of the project. It is strongly recommended to fix high-risk vulnerabilities. | 2,500 ~ 5,000 USDC |
| Medium | Medium severity vulnerabilities will affect the operation of the project. It is recommended to fix medium-risk vulnerabilities. | 1,000 ~ 2,500 USDC |
| Low | Low severity vulnerabilities may affect the operation of the project in certain scenarios. It is suggested that the project team should evaluate and consider whether these vulnerabilities need to be fixed. | 0 ~ 1,000 USDC |
| Blockchain |
|---|
| PremiumCVT |
Rewards or recognition require that the Soex security team can reproduce and verify an issue and that the security impact is clear;
Reproduction steps need to be clear, and may include screenshots, videos, scripts, etc.;
Do not conduct social engineering or phishing against people;
Do not leak the details of the vulnerability;
Do not use a scanner for large-scale scanning. If the business system or network becomes unavailable, it will be handled according to relevant laws;
Those who test a vulnerability should avoid modifying pages directly, repeatedly popping up message boxes (logging is recommended for XSS verification), stealing cookies, and using aggressive payloads such as ones that obtain user information (for blind XSS testing, please use DNSLog). If you accidentally use a more aggressive payload, please delete it promptly;
Vulnerability testing is limited to PoC (proof of concept), and destructive testing is strictly prohibited. If harm is caused inadvertently during testing, it should be reported promptly. Sensitive operations performed during testing, such as deletion or modification, must be explained in the report.