27 April 2022
A call to all hackers: Introducing the Exness bug bounty program
Here at Exness, balancing innovation with reliability is a challenge we gladly accept, and we’re always looking for new and interesting ways to take our products and services to the next level.
Now, we want to put our technology and security to the test - and this is where you come in.
We're inviting all hackers, bug hunters and security researchers to peek under the hood of our platforms and apps. That’s right, if you think you can break Exness or find bugs in our platform, we want you to try and - if successful - we’ll reward you with a bounty of up to $10,000.
Here's everything you need to know.
The scope of our bug bounty program, or in other words, the targets we want you to focus on, are bugs and vulnerabilities across the websites, services and apps of Exness Global Limited.
You can learn more about the program’s scope on our profile at HackerOne under the Program Scope section.
However, you can still submit out-of-scope vulnerabilities for our review. If the vulnerability is found to be critical, you’ll get a reward. Just keep in mind that rewards for out-of-scope vulnerabilities are granted on a case-by-case basis.
Bounties can vary depending on problem severity, novelty, exploitation probability, environment, and other factors. Reward decisions are made by the Exness security team for each report. The more serious bugs can earn you as much as $10,000.
Where to submit your bugs
To start bug hunting, first register at HackerOne. Once verified, you can start looking for weaknesses in our system. As soon as you identify a bug, submit your report via HackerOne and our security team will review your findings shortly.
What to include in your report
A technically-sound and detailed bug report typically grants higher bounties. Try to describe the security impact of the vulnerability and include a video reproducing the attack scenario. This is important in cases of critical vulnerabilities such as RCE or SQLi.
Our security team reviews and evaluates reports you submit within a few days. You can expect your bounty within 15 days of it being triaged.
Make sure to go through our program’s details at HackerOne for more information about submitting a report and what to include with your findings.
Remember to play by the rules
Please note that you shouldn’t violate any laws while conducting your research. You must use your own accounts and any penetration testing must be non-destructive. Do not try to gain access to other accounts or clients’ data and personal information.
As part of our commitment to transparency, we’ll publicly disclose any bugs or vulnerabilities you may find. This will help improve your reputation at HackerOne, which will make you eligible for other opportunities and bug bounty programs.
Head over to HackerOne for more information about ethical hacking and vulnerability disclosure.
Can’t beat us? Join us
Looking for something more permanent? Have a look at our vacancies and join us to contribute to a better, more secure Exness from within our ranks.