Dear BitMart Programmers,

Developer feedback goes a long way towards making our products even better. Therefore, we are happy to announce the bug bounty program for BitMart API users. Submit bug reports or request enhancements to API for a chance to receive up to $200 worth of BMX!

Thousands of developers and applications use BitMart API to interact with BitMart data and services programmatically. Because so much of the BitMart functionality is exposed in the API, security has always been a high priority. Please read the policy and rules in their entirety before submitting a report.

The API documents are exposed via the newer v1 interface and the older v2 interface.

Time Period: 7/21/2020 10:00 AM to 7/31/2020 10:00 AM (EDT)

Send your bug report here

• Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or proof of concept.
• Please allow 10 business days for us to respond before sending another email.
• Join the BitMart API community.

Terms & Conditions

API Security Issues Categories:

• Access Controls (Authorization and Authentication)
• Rate Limiting
• Input Validation
• Restricting HTTP Methods
• 3rd Party API abuse
• Other application logic errors

Responsible Investigation and Reporting

Responsible investigation and reporting includes, but isn't limited to, the following:

• Don't violate the privacy of other users, destroy data, disrupt our services, etc.
• Only target your own accounts in the process of investigating the bug. Don't target, attempt to access, or otherwise disrupt the accounts of other users.
• Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.
• Initially report the bug only to us and not to anyone else.
• Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.

In general, please investigate and report bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to us or our users. Otherwise your actions might be interpreted as an attack rather than an effort to help.

Eligibility

Generally speaking, any bug that poses a significant vulnerability, either to the security of our site or the integrity of our trading system, could be eligible for reward. But it's entirely at our discretion to decide whether a bug is significant enough to be eligible for reward.

Security issues that typically would be eligible (though not necessarily in all cases) include:

• Cross-Site Request Forgery (CSRF)
• Cross-Site Scripting (XSS)
• Code Injection
• Remote Code Execution
• Privilege Escalation
• Authentication Bypass
• Clickjacking
• Leakage of Sensitive Data

Ineligibility

Things that are not eligible for reward include:

• Vulnerabilities on sites hosted by third parties (support.bitmart.com, etc) unless they lead to a vulnerability on the main website.
• Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc.
• Vulnerabilities affecting outdated or unpatched browsers.
• Vulnerabilities in third party applications that make use of BitMart's API.
• Bugs that have not been responsibly investigated and reported.
• Bugs already known to us, or already reported by someone else (reward goes to first reporter).
• Issues that aren't reproducible.
• Issues that we can't reasonably be expected to do anything about.

Rewards

• The minimum reward for one eligible bug is 200 BMX.
• The maximum reward for one eligible bug is 10,000 BMX.
• Rewards over the minimum are at our discretion, but we will pay significantly more for particularly serious issues.
• Only one reward per bug.

Thanks for supporting BitMart!

BitMart Team

July 21, 2020