Bug Bounty Program
Overview
GX Exchange operates a bug bounty program to incentivize responsible disclosure of security vulnerabilities. Researchers who discover and report valid vulnerabilities are rewarded based on the severity of the finding.
Reward Tiers
| Severity | Description | Reward Range |
|---|---|---|
| Critical | Fund loss, authentication bypass, consensus break | $25,000 - $100,000 |
| High | Temporary DoS, single-user fund risk, data exposure | $5,000 - $25,000 |
| Medium | Computational inefficiency, minor data leaks | $1,000 - $5,000 |
| Low | Code quality, non-exploitable edge cases | $250 - $1,000 |
| Informational | Documentation issues, best practice suggestions | Acknowledgment |
Scope
In Scope
| Component | Description |
|---|---|
| GX Core | Matching engine, orderbook, risk management, liquidation |
| Consensus | Block production, state persistence, P2P protocol |
| API Layer | REST API (port 4001), WebSocket (port 4000) |
| Authentication | EIP-712 signature verification, nonce validation |
| Smart Contracts | GX Token ERC-20, bridge contracts, staking contracts |
| DeFi Contracts | GX Lend, GX Swap, gxUSD, GX Yield (when deployed) |
Out of Scope
- Third-party services (Chainlink, Pyth, Privy, CoinGecko)
- Frontend UI bugs that do not have security implications
- Social engineering attacks
- Denial of service via network-level flooding
- Vulnerabilities in dependencies maintained by other projects
- Previously reported issues
Severity Definitions
Critical
Vulnerabilities that can lead to:
- Direct loss of user funds
- Bypass of authentication or authorization
- Consensus manipulation causing chain splits
- Unauthorized minting or burning of tokens
- Insurance fund drainage
High
Vulnerabilities that can lead to:
- Temporary denial of service affecting all users
- Single-user fund loss requiring specific conditions
- Exposure of sensitive user data
- Orderbook manipulation affecting price discovery
Medium
Vulnerabilities that can lead to:
- Computational inefficiency exploitable for resource waste
- Minor information disclosure
- Edge cases in margin calculation or fee computation
- Non-critical state inconsistencies
Low
Vulnerabilities that can lead to:
- Code quality issues with theoretical security implications
- Non-exploitable edge cases in error handling
- Minor deviations from specification
Submission Process
- Discover a vulnerability within the defined scope
- Document the finding with clear reproduction steps
- Submit via email to security@gx.exchange with the following:
  - Description of the vulnerability
  - Step-by-step reproduction instructions
  - Potential impact assessment
  - Suggested fix (optional but appreciated)
- Wait for acknowledgment (within 48 hours)
- Coordinate disclosure timeline with the GX security team
Rules
- Do not exploit vulnerabilities beyond what is necessary for proof of concept
- Do not access, modify, or delete data belonging to other users
- Do not perform testing that degrades service for other users
- Provide sufficient detail for the team to reproduce the issue
- Allow reasonable time for remediation before public disclosure (90 days)
- One report per vulnerability — duplicate reports receive the first reporter’s reward
Payment
- Rewards are paid in USDC
- Payment is processed within 14 days of vulnerability confirmation
- Reward amount is determined by the GX security team based on severity, impact, and quality of the report
- Disputes are resolved at the discretion of the GX Exchange team