Overview

A secure trading environment is conducive to users' peace of mind. As our userbase grows, we are continuing our work to maximize the security of our Exchange. On 15 Feb 2025 we established a bug and security feedback reward mechanism to incentivize security experts to examine our systems and provide suitable security advice and vulnerability analysis.

Details

Rewards are divided into four tiers, depending on their severity. Each tier has different rewards (in USDT).

Risk Level   Minimum Payable   Maximum Payable
Critical     500 USDT          1000 USDT
High         300 USDT          500 USDT
Medium       50 USDT           150 USDT
Low          5 USDT            25 USDT

If we accept your bug/vulnerability report, we will pay you the USDT as your reward. Please note that the threat level will be determined by NestEx security staff, and that NestEx has sole discretion in deciding whether a report meets the reward criteria. Payments, when made, will be sent to your designated NestEx wallet account. You may then withdraw or utilize the funds as you see fit.

Low-effort issues like typos or display issues will not be considered for the bounty. Even the lowest category of bounty implies an 'exploitable bug' of some kind, not simply a visual defect with no or very low user impact.

Scope of Acceptable Vulnerabilities

We welcome reports that uncover significant security risks, particularly those that could compromise user assets or system integrity. The types of vulnerabilities we are most interested in include:

Web & User Interface Security

  • Logical flaws in business operations that could result in unintended financial losses.
  • Exploits allowing manipulation of payment processes.
  • Remote Code Execution (RCE) vulnerabilities.
  • Exposure of sensitive information due to system weaknesses.
  • Critical OWASP vulnerabilities, including but not limited to XSS, CSRF, SQL Injection, SSRF, and IDOR.
  • Any other security risks that could lead to asset loss or compromise.
  • Unsafe external link handling that could be leveraged for attacks.
  • JavaScript vulnerabilities that could be exploited to harm user assets.
  • Leaks of internal IP addresses or domain names.

Out of Scope Security Issues

While we take security seriously, the following issues are not within the scope of this bug bounty program:

Low-Risk or Theoretical Vulnerabilities

  • Hypothetical loopholes without practical proof-of-concept exploitation.
  • Minor email security concerns, such as expired password reset links or weak password policies.
  • Records with incomplete sender information.
  • Clickjacking and UI redirections with minimal security impact.
  • Known vulnerabilities in third-party applications that we do not control.
  • Zero-day exploits discovered within the last 30 days.
  • Social engineering, phishing attempts, or other deception-based tactics.
  • Typos or low-impact display issues are not considered for the bug bounty.

Denial of Service (DoS) & Enumeration

  • DoS/DDoS attacks or any activity that disrupts normal operations.
  • Enumeration of user information via email or phone number verification.

Information Exposure & Minor Data Leaks

  • Non-sensitive data leaks, such as stack traces, path exposures, directory listings, and log disclosures.
  • Publicly known security issues, duplicate reports, or vulnerabilities that have already been addressed.
  • Physical security vulnerabilities requiring direct manipulation of a user’s device.

Platform-Specific & Legacy Issues

  • Exploits that require outdated browsers or platforms.
  • XSS vulnerabilities targeting only PC environments.
  • Issues with autofill functionality in web forms.
  • Lack of security-related cookie flags.
  • Deprecated SSL/TLS protocols or insecure cipher usage.

Low-Impact Security Flags

  • Missing security headers that cannot be directly exploited.
  • CSRF vulnerabilities with insignificant consequences (e.g., adding items to a cart or subscribing to a newsletter).
  • Cache-related behaviors that do not pose a security risk.

Mobile Application & API-Specific Issues

  • Vulnerabilities requiring root/jailbreak access.
  • Static analysis of binary files without a proof-of-concept.
  • Bypassing of security mechanisms such as certificate pinning.
  • Hardcoded API keys with no exploitable impact (e.g., Google Maps API).
  • Information leaks from app crash reports that do not expose sensitive data.
  • Clipboard-based leaks of shared links.
  • Scanned reports from automated tools without manual validation.

Additional Notes

  • Any assets that do not belong to NestEx are out of scope.
  • Issues discovered through outdated announcements or blog posts will not be considered.
  • If submitting a vulnerability related to expired or invalid links, you must demonstrate that the link is still actively used.

By refining our focus on critical vulnerabilities and filtering out low-impact reports, we aim to maximize the effectiveness of our bug bounty program while ensuring the security of our platform.

Restrictions

  • It is strictly forbidden to use penetration testing as a pretext for exploiting vulnerabilities or threat intelligence to damage the interests of users, disrupt normal business operations, or steal user data.
  • Modification of the NestEx database or destruction of data through the use of identified bugs or vulnerabilities is strictly prohibited.
  • Automated testing using scanning tools is strictly prohibited.
  • Testing on accounts other than those you own is strictly prohibited.
  • NestEx reserves the right to the final interpretation of the event.

Use the e-mail address below to send information about the error to our security team. You MUST ask for permission before starting a pentest or any similar check; otherwise you risk being blocked by our firewalls.

In order to benefit from the bug finding reward program, you must provide, in detail, the information requested below.*

  • Name or Alias** (no KYC is required)
  • Product name with error*
    • Trading interface
    • Payment gateway
    • Faucets
    • AMM
  • Risk Level (out of 100?)*
  • Error Report Summary*
  • Steps Needed to Replicate*
  • Impact*
  • Screenshots (more than one if possible)

[email protected]