YUBIT Bug Bounty Program

We are excited to announce the launch of the YUBIT Bug Bounty Program and warmly encourage security researchers and community members to participate by reporting vulnerabilities.

📩 Please submit bug reports to: [email protected]

Our security team will review and validate submissions promptly and will contact you after confirmation. Your contributions to security are highly valued!


1. Web Bug Bounty

Scope of Testing:

Reward Range:

  • Low Risk: $50 – $100

  • Medium Risk: $100 – $500

  • High Risk: $500 – $1,000

  • Critical: $1,000 – $5,000


2. Web Vulnerability Severity Definitions

(1) Critical Vulnerabilities

Affect core business systems (control systems, domain controllers, distribution systems, bastion hosts, etc.) and may cause severe damage. Possible outcomes:

  • Unauthorized control of business systems

  • Access to core system admin rights

  • Full control over core infrastructure

Examples:

  • Control of multiple devices in the internal network

  • Access to backend super admin privileges, leading to major data leaks

  • Smart contract overflow or race condition exploits

(2) High-Risk Vulnerabilities

  • Privilege escalation (GetShell, command execution)

  • SQL injection

  • Authentication bypass, weak passwords, SSRF, sensitive data exposure

  • Arbitrary file read / XXE

  • Unauthorized transactions or payment logic bypass

  • Severe logic flaws (e.g., login as any user, bulk password resets)

  • Stored XSS (wide impact)

  • Large-scale source code leak

  • Smart contract privilege misconfigurations

(3) Medium-Risk Vulnerabilities

  • Issues that require user interaction to exploit (e.g., stored XSS, CSRF)

  • Horizontal/parallel authorization bypass

  • Denial of Service (DoS)

  • CAPTCHA flaws leading to brute force attacks

  • Local sensitive key leakage

(4) Low-Risk Vulnerabilities

  • Local DoS (client crash)

  • Minor information disclosure (path traversal, directory listing)

  • Reflected/DOM XSS

  • Basic CSRF

  • URL redirection issues

  • SMS/email spamming (limited per system)

  • Other low-impact or unproven issues


3. Vulnerabilities Not Accepted

  • Email spoofing

  • User enumeration

  • Self-XSS / HTML injection

  • Missing CSP / SRI

  • Non-sensitive CSRF

  • Android configuration issues (e.g., android:allowBackup="true")

  • Performance-only issues (e.g., slow image rendering)

  • Third-party component version disclosure (e.g., Nginx version)

  • Non-security functional bugs

  • Social engineering against YUBIT employees


4. Smart Contract Vulnerability Definitions

(1) Critical

  • Manipulation of governance voting

  • Direct theft of user funds (excluding unclaimed rewards)

  • Permanent freezing of funds

  • Miner Extractable Value (MEV) exploitation

  • Insolvency of the protocol

(2) High Risk

  • Theft or freezing of unclaimed rewards/royalties

  • Temporary freezing of funds

(3) Medium Risk

  • Contract halts due to token exhaustion

  • Exploiting network congestion for profit

  • Gas theft or forced excessive gas usage

  • Disruptive, non-profitable sabotage

(4) Low Risk

  • No direct fund loss but damages trust/commitments

  • Informational risks (oracle errors, governance attacks, liquidity risks, Sybil attacks, etc.)

  • Best-practice recommendations


5. Prohibited Activities

  • Social engineering or phishing attacks

  • Public disclosure or distribution of vulnerability details

  • Destructive testing (only Proof of Concept is allowed)

  • Unauthorized large-scale scanning

  • Webpage modification, popup flooding, cookie theft, or intrusive payloads

  • Any unreported damage during testing

⚠️ Failure to follow rules may result in legal consequences.


6. Closing Note

Thank you for contributing to the security of the YUBIT platform. Together, we can build a safer and more transparent crypto ecosystem.

Last updated