BANKEX Custody Service is a world-class decentralized cryptocurrency depository for enterprises and individuals.

Our advanced features include multi-layer security, ease of access, flexible asset storage, and 24-hour customer service.

Every member of the BANKEX team knows that Custody Service security is unbreakable. But what about hackers?

If you find a bug or serious vulnerability in our Custody Service, we are prepared to offer a reward of up to $15000. Payments are made in BTC, ETH or BKX after we approve the bug.

sso.bankex.com and custody.bankex.com are in scope for the program.

How to Report a Bug or Security Vulnerability

All you have to do is create a text report in Google Docs or make a video report and upload it to YouTube (all reports must be private and available only by link).

Then send a link to [email protected].

How We Will Assess Your Reports

We will assess all reports with regard to bug severity, system criticality, and report quality. There will be 4 categories of bugs/vulnerabilities: critical, high, medium, low.

Critical severity ($10000 or $15000 if you accept payment in BKX)

Remote Code Execution

Ability to arbitrarily manipulate account balances

Withdrawing currencies from other accounts

High severity ($5000 or $7500 if you accept payment in BKX)

User Authentication bypasses

Privilege escalation allowing unauthorized access to sensitive data or funds

Medium severity ($500 or $750 if you accept payment in BKX)

CSRF impacting non-critical settings

User de-anonymization

Low severity ($50 or $75 if you accept payment in BKX)

Leakage of lower sensitivity information such as name or email address

Potential phishing vector that Custody has the ability to mitigate

If a report is a duplicate, we won’t award a bounty. A report is a duplicate if we have another bug bounty report for the issue or if other security review processes have already identified the issue.

We do not accept/review reports with:

Reports from vulnerability scanners and other automated tools

Disclosure of non-sensitive information, such as product version

Disclosure of public user information, such as nickname / screen name

Reports based on product/protocol version without demonstration that a real vulnerability is present

Reports of a missing protection mechanism / best current practice (e.g. no CSRF token, framing/clickjacking protection) without demonstration of real security impact for user or system

Attacks which require full access to a local account or browser profile

Denial of Service vulnerabilities

How long?

The program will run for 6 months: from October 15, 2018 to April 15, 2019.

If you have any questions, please contact us at [email protected].