Bug Bounty Program

Lootex aims to be the most trustworthy game asset marketplace and does its best to keep trading safe. As part of building a better trading experience, we run a bug bounty program for those who help us improve on the technical side. Here is what we would like you to know before you submit a report.

Time of Processing

  • First response: 2-3 business days after contacting us.

  • Triage & confirmation: 5-7 business days; it may take longer depending on the bug.

  • Reward: sent within 30 business days.

Rules of Report

  • Please submit the report with detailed reproducible steps.

  • The same vulnerability is only rewarded once, to the first submitter.

  • Please do not share any information about a vulnerability with others until it is fixed, or the bounty will not be paid.

  • The vulnerability should be within the domain lootex.io.

Out-of-Scope Vulnerabilities

  • Clickjacking on pages with no sensitive actions

  • Broken external links

  • Rate limiting or brute force issues on non-authentication endpoints

  • Denial of service attacks (DDOS/DOS)

  • Missing HttpOnly or Secure flags on cookies

  • Vulnerabilities that only affect users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Publicly known zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.

  • Attacks requiring MITM or physical access or control over a user's device.

  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

  • Open redirect - unless an additional security impact can be demonstrated

  • Clickjacking within an NFT displayed on lootex.io

  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

  • Vulnerabilities within domains from third-party service providers.

Reward
