Upbit Bug Bounty Program

Upbit is the most trusted global standard digital asset exchange. Dunamu considers customer personal information and security as its most important values. Through the bug bounty program, we aim to identify weaknesses with the help of experts and do our best to protect customer assets.

Program Introduction

The Upbit bug bounty program is designed to identify vulnerabilities in Dunamu's main services early and provide safe services to users. With the help of white hat hackers and security experts from around the world, Dunamu quickly identifies and fixes security vulnerabilities in its services, and encourages contributions by providing appropriate rewards to participating experts, making Dunamu services even more secure.

Scope

The following are within the scope:

• Upbit (upbit.com/*)
• Upbit Global (*.upbit.com)
• https://th.upbit.com
• https://id.upbit.com
• https://sg.upbit.com
• Latest version of Upbit iOS application
• Latest version of Upbit Android application

Vulnerabilities resulting from the use of specific or older library versions will be compensated based on threat and severity considerations.

For more details, refer to the full scope page.

Reporting Guidelines

Reports must include the following:

• Vulnerability summary and detailed description
• Proof-of-Concept code
• Security threats from the vulnerability
• Expected causes and remediation measures

Reports may be excluded from review and bounty payment in the following cases:

• Overly vague or unclear reports
• Vulnerabilities already known to the bug bounty response team

Bounty Rewards

Compensation is provided based on the following severity levels:

The bounty amount is determined after comprehensive review of severity and report specificity. The difficulty-based compensation scale is based on vulnerability classification risk ranges and CWSS (Common Weakness Scoring System), but final determination is at the evaluator's discretion.

Reward Payment Information

• Final bounty amounts are determined after comprehensive review of severity and report specificity.
• If multiple reports are submitted for the same vulnerability, compensation is paid to the person who provided the first clear report.
• Reporters must proceed with implementation verification, and bounties are paid after the reported vulnerability is patched and implementation verification is completed.
• Response Plan:
  • First response: 7 days
  • Triage: 30 days
  • Resolution: Varies by vulnerability
  • Bounty payment: According to PatchDay's payment schedule

Exclusions from Bounty Eligibility

Reports will be excluded from bounty consideration in the following cases:

• Presenting only possibility without proof of vulnerability
• Not the latest patched version
• Reported vulnerability cannot be reproduced at the time of bug report submission
• Vulnerability already reported by another reporter
• Vulnerability already reported to other bug bounty programs or services
• Dunamu or Theori internal awareness of the vulnerability at the time of report (timeline and circumstances will be explained upon request)
• Minimal impact or no practical reason for an attacker to exploit the vulnerability
• Obtaining sensitive information through unnecessary actions beyond vulnerability proof
• Excessive user involvement or interaction required, or very low attack feasibility due to prerequisites
• Social engineering attacks
• Assuming disclosure of secret keys or similar sensitive data
• Other unrealistic scenarios
• Other cases not typically recognized in bug bounty programs

Valid Vulnerability Examples

• Authentication bypass and account takeover
• Unauthorized access to content
• Personal information disclosure due to product defects
• Remote Code Execution (RCE)
• Client-side code execution (XSS)
• Other security defects (SQL Injection, CSRF, etc.)
• CSRF is only valid if it leads to account takeover, personal information disclosure, etc.

Invalid Vulnerability Examples

• Vulnerabilities that only work on rooted devices
• Voluntary DRM removal from user-owned content
• Software version information disclosure
• Attacks requiring physical access to user devices or MITM attacks
• Denial of Service (DoS) attacks
• CSRF protected by SameSite cookie policy
• Minor Rate limit issues without significant impact
• Open Redirect not leading to session hijacking or personal information disclosure
• Missing security-related headers (Mitigation):
  • X-Frame-Options
  • X-XSS-Protection
  • Content-Security-Policy
• Open Redirect
• Self XSS
• Email / Username enumeration
• Content spoofing, Text injection

Additional Restrictions and Disclosure Policy

• Use of excessive automated tools that could burden the service or creation of dummy data may result in exclusion from bounty consideration. (DoS vulnerability analysis using automated tools is strictly limited.)
• If a reporter discloses vulnerability details externally before they are published through PatchDay, the reporter may be excluded from bounty payment and may face legal penalties.
• Employees of Dunamu or Theori, or those with employment history within the past 12 months, may be excluded from bounty consideration.

Application and Disclosure

• Partial disclosure is available
• VPN is available
• Submission is available after login
• Default report disclosure level: Private
• Reporting can be done at any time during the program
• Program period: 2022.12.13 onwards