Bug Bounty Program


Last Update: 23 October 2025

The EXMON Bug Bounty Program rewards security researchers for responsibly disclosing vulnerabilities that could impact the safety of user assets or the stability of the platform.
All payouts are made in USDT.


Reward Tiers

Rewards are paid in USDT and divided into five tiers based on severity:

  • Extreme — 10,000 USDT
  • Critical — 3,000 – 5,000 USDT
  • High — 1,000 – 2,000 USDT
  • Medium — 200 – 400 USDT
  • Low — 50 – 100 USDT

Final classification and payout depend on reproducibility, impact, and report quality.


In-Scope (What We’re Interested In)

We focus on vulnerabilities that directly affect user funds, business logic, or system integrity.


1. Web Platform (Frontend / Backend / API)

  • Business-logic flaws leading to potential loss of funds (e.g. double withdrawals, payment manipulation, bypass of confirmations).
  • Access to or control of EXMON’s wallets, private keys, or sensitive crypto infrastructure.
  • Remote Code Execution (RCE) or command injection on EXMON servers.
  • Exploitable OWASP-class issues: SQL injection, SSRF, IDORs that allow unauthorized fund access, privilege escalation, etc.
  • Sensitive data exposure (tokens, API keys, admin credentials).
  • Weaknesses in crypto-payment flow — address rotation bypass, escrow or fund distribution manipulation, or confirmation logic flaws.

2. System Components and Services

  • Errors in the logic of marketplace or escrow payments.
  • Bugs in voucher, referral, or internal balance modules leading to unauthorized credits or balance inflation.
  • Any condition allowing fund movement without proper authorization.

If uncertain whether your finding qualifies — send a summary first for confirmation.


Out-of-Scope (Not Rewarded)

  • Theoretical or non-reproducible vulnerabilities without working PoC.
  • Social engineering, phishing, or scams targeting users or staff.
  • DoS/DDoS or stress testing that affects availability.
  • Vulnerabilities in third-party libraries or services not controlled by EXMON.
  • Brute-force or automated credential attacks.
  • Low-risk leaks (stack traces, non-sensitive paths, directory listings).
  • Outdated browser or system issues not reproducible in current environments.
  • Known, duplicate, or publicly disclosed issues.
  • Testing other users’ accounts or data without consent.
  • Physical attacks or hardware-based exploits.
  • Missing headers or cookie flags with no direct impact.
  • CSRF or UI issues with negligible security impact.
  • Automated scanner reports without validation or evidence.

Reports on expired or inactive endpoints are accepted only if the same code path is still live and exploitable.


Strictly Prohibited Actions

The following actions are strictly forbidden and will result in permanent disqualification from the Bug Bounty Program and possible legal action:

  1. Exploiting vulnerabilities to steal, transfer, or freeze user or platform funds.
  2. Accessing or modifying data of other users, the marketplace, or the exchange systems.
  3. Running destructive tests that alter or delete database records, wallets, or logs.
  4. Publishing or sharing confidential information before coordinated disclosure is agreed.
  5. Using found vulnerabilities to gain leverage, make threats, or demand payment.
  6. Performing any attack that disrupts normal business operations (including DoS, spam, or resource exhaustion).
  7. Conducting unauthorized penetration testing under the pretext of “research”.
  8. Using automated scanners or brute-force tools that could degrade platform performance.
  9. Testing or tampering with accounts not owned by you, or bypassing authentication of other users.
  10. Attempting to access EXMON’s internal admin systems, employee emails, or infrastructure not explicitly exposed for testing.

Violation of these rules immediately voids eligibility for rewards and may trigger investigation under applicable computer security laws.


Report Evaluation Examples

P0 / Extreme — 10,000 USDT

  • Full compromise of EXMON wallet infrastructure, private keys, or ability to withdraw platform funds.

P1 / Critical — 3,000 – 5,000 USDT

  • Vulnerabilities allowing takeover of administrative controls or unauthorized access to user funds.

P2 / High — 1,000 – 2,000 USDT

  • High-risk SQL injection, large-scale IDOR, or leaks that expose sensitive data enabling fund theft.

P3 / Medium — 200 – 400 USDT

  • Issues that impact a limited set of users or allow data modification without fund access.

P4 / Low — 50 – 100 USDT

  • Minor, non-sensitive leaks or small logic flaws with negligible impact.


Responsible Disclosure Rules

  • Do not exploit any bug beyond what is necessary to demonstrate its existence.
  • Do not modify, delete, or damage any data.
  • Test responsibly — low-impact only.
  • Use your own accounts or request dedicated test accounts via [email protected].
  • Coordinate with EXMON before public disclosure of any critical issue.
  • For critical vulnerabilities, immediately contact us with the subject line “Critical vulnerability — immediate contact”.


How to Submit

Email your full report to [email protected] with the subject “Bug Bounty Report”.
Your report must include:

  1. Short summary of the issue.
  2. Affected module (web/API/payment/etc.).
  3. Detailed, reproducible steps.
  4. Proof-of-concept (requests, PoC code, screenshots, logs).
  5. Estimated impact and scope.
  6. Contact information for clarification.


Payouts and Validation

  • All verified vulnerabilities are rewarded in USDT after validation by EXMON security.
  • Rewards may be adjusted or declined if the issue is non-reproducible, low-impact, duplicate, or incomplete.
  • EXMON reserves the final right to interpret severity and payouts.
  • By submitting a report, you agree to follow responsible disclosure practices and avoid exploitation or data access beyond testing scope.


Final Terms

  • Security research that strengthens EXMON is always appreciated.
  • We encourage ethical, coordinated testing that helps protect users and the platform.
  • exmon.pro reserves the right to the final interpretation of this program.
