Introduction to OKEx Security Response Center (SRC)
The OKEx Security Response Center (SRC) collaborates with users and ethical hackers (“white hats”) to maintain a secure and stable digital asset exchange. We encourage submissions of vulnerabilities related to OKEx’s main platform or mobile app to enhance product safety. Each report is evaluated by our security team, with timely feedback and rewards based on severity.
👉 Explore OKEx’s security initiatives
Vulnerability Submission Process
Preferred Method
- Submit via the OKEx SRC online portal (recommended).
- Do not disclose vulnerabilities publicly before fixes are implemented.
Our Commitment:
– Dedicated security personnel for assessment and follow-up.
– Transparent progress updates.
– Cryptocurrency rewards for valid reports.
Vulnerability Classification & Rewards
OKEx categorizes vulnerabilities into four tiers with corresponding rewards:
Severity Levels
| Level | Criteria | Example Scenarios |
|---|---|---|
| Critical | Core system compromise, mass data leaks | Domain controller takeover, enterprise-wide breaches |
| High | System access, SQL injection, sensitive data exposure | Getshell exploits, payment logic bypass |
| Medium | User-impact flaws requiring interaction | Stored XSS, CSRF in core features |
| Low | Limited impact issues | Reflective XSS, directory listings |
👉 Learn about blockchain security
Detailed Vulnerability Examples
Critical
- Unauthorized admin access to core systems
- Large-scale internal network control
- Systemic data breaches
High
- Successful SQL injection (backend)
- Sensitive data SSRF/XXE exploits
- Payment system bypasses
Medium
- Stored XSS with user interaction
- Account enumeration via verification flaws
- CSRF affecting sensitive operations
Low
- Local denial-of-service crashes
- Non-sensitive path traversals
- URL redirection flaws
Submission Requirements
- Technical Details:
- Vulnerable URL/endpoint (text format)
- Replication steps
-
Proof-of-concept payload
-
Validation Standards:
- SQL injections require demonstrated data extraction
- Weak passwords exclude publicly registrable systems
- Duplicate vulnerabilities merged (first reporter prioritized)
Reward Protocols
- Payments in cryptocurrency to OKEx accounts within 1-2 business days post-fix
- Dispute resolution available for rating/process concerns
Prohibited Actions
❌ Public disclosure before remediation
❌ Vulnerability testing that disrupts services
❌ Exploitative use of discovered flaws
FAQ
Q: How are duplicate submissions handled?
A: First valid report receives full reward; subsequent similar reports may be merged.
Q: What constitutes proof for brute-force vulnerabilities?
A: Demonstrated successful login/access is required.
Q: Are outdated CMS vulnerabilities eligible?
A: Only the first-reported instance per vulnerability type.
Q: How are GitHub leaks evaluated?
A: Rated based on sensitive content and exploit potential.
Q: Can I submit vulnerabilities from mobile and web separately?
A: Identical interfaces across platforms are treated as one finding.
Q: What’s excluded from rewards?
A: SPF spoofing, email bombs, non-sensitive CSRF, and low-risk issues.
Note: All submissions are confidential. OKEx reserves legal rights against malicious exploitation.