
3-10. Bug Bounty Program

Lootex aims to be the most trustworthy GameFi asset marketplace and does its best to ensure that trading is safe. As part of building a better trading experience, we run a bug bounty program to reward those who help us improve on the technical side. Here is what we would like you to know before you submit a report.

Time of Processing

  • First response: 2-3 business days after contacting us.
  • Triage & confirmation: 5-7 business days; may take longer depending on the bug.
  • Sending reward: 10-20 business days.

Rules of Report

  • Please submit the report with detailed reproducible steps.
  • The same vulnerability is only rewarded once, to the first submitter.
  • Please do not share any information about a vulnerability with others until it is fixed; otherwise the bounty will not be paid.
  • The vulnerability must be within the lootex.io domain.

Out of Scope Vulnerabilities

  • Clickjacking on pages with no sensitive actions
  • Broken external links
  • Rate limiting or brute-force issues on non-authentication endpoints
  • Denial of service attacks (DoS/DDoS)
  • Missing HttpOnly or Secure flags on cookies
  • Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
  • Attacks requiring MITM or physical access or control over a user's device.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Open redirect - unless an additional security impact can be demonstrated
  • Clickjacking within an NFT displayed on lootex.io
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Vulnerabilities within domains of third-party service providers.


High - Critical