Bug Bounties

EXNESS

Powered by: 

Allows bounty splitting: 

Average time to first program response: 3

Average time to bounty awarded: 81

Average time to report resolved: 1137

Handle exness

Managed program: false

Name: EXNESS

Offers bounties: true

Offers swag: true

Response efficiency percentage: 100

Submission state: open

Url: https://hackerone.com/exness

Website: https://www.exness.com

In scope:

  • Asset identifier: 1359763701
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: medium
  • Confidentiality requirement: medium
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: https://apps.apple.com/id/app/exness-trader-trade-on-the-go/id1359763701
    For all Submissions, please include:
    - Full description of the vulnerability being reported, including the exploitability and impact
    - Evidence and explanation of all steps required to reproduce the submission, which may include:
      - Videos/screenshots
      - Exploit code
      - Web/API requests and responses
    Out of scope mobile vulnerabilities:
    - Deeplink hijacking
    - Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device
    - Exposure of non-sensitive data on the device
    - Vulnerabilities on third-party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: 1392465628
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: low
  • Confidentiality requirement: low
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Social trading: com.exness.st.socialtrading https://apps.apple.com/id/app/exness-social-trading/id1392465628
    For all Submissions, please include:
    - Full description of the vulnerability being reported, including the exploitability and impact
    - Evidence and explanation of all steps required to reproduce the submission, which may include:
      - Videos/screenshots
      - Exploit code
      - Web/API requests and responses
    Out of scope mobile vulnerabilities:
    - Deeplink hijacking
    - Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device
    - Exposure of non-sensitive data on the device
    - Vulnerabilities on third-party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
  • Integrity requirements: low
  • Max severity: medium



  • Asset identifier: 1579331769
  • Asset type: APPLE_STORE_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: MoneyManagement https://apps.apple.com/id/app/exness-investor/id1579331769 com.exness.moneymanagement
    For all Submissions, please include:
    - Full description of the vulnerability being reported, including the exploitability and impact
    - Evidence and explanation of all steps required to reproduce the submission, which may include:
      - Videos/screenshots
      - Exploit code
      - Web/API requests and responses
    Out of scope mobile vulnerabilities:
    - Deeplink hijacking
    - Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device
    - Exposure of non-sensitive data on the device
    - Vulnerabilities on third-party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Any subdomain application issue
  • Asset type: OTHER
  • Availability requirement: low
  • Confidentiality requirement: medium
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: Exness subdomains of exness.(tld)
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: Any subdomain infrastructure issue
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: low
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: low
  • Max severity: critical



  • Asset identifier: External service data leakage
  • Asset type: OTHER
  • Availability requirement: medium
  • Confidentiality requirement: high
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: Feel free to search for secrets on GitHub, Pastebin and other services, but keep in mind that such issues may have been posted earlier and are currently ineligible for a bounty
  • Integrity requirements: none
  • Max severity: critical



  • Asset identifier: Logical trading issues
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: low
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Logical issues & fraud cases
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Partnership
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: exnessaffiliates.com
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Personal Area for Web Trading
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: my.exness.com, my.exness.asia, api.exness.com, excalls.mobi, pay.ibex.exchange ...
    https://exness.com/member is ineligible for a reward. Also, your report might be a duplicate.
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: Portfolio Management
  • Asset type: OTHER
  • Availability requirement: low
  • Confidentiality requirement: medium
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: my.exness.com/pim/*
  • Integrity requirements: low
  • Max severity: high



  • Asset identifier: Public Area for Web Trading
  • Asset type: OTHER
  • Availability requirement: low
  • Confidentiality requirement: low
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Public pages of domains listed below that are accessible from any browser from any country without a user session:
    - exness.com
    - api.exness.com
    - excalls.mobi
    - pwapi.ex2b.com
  • Integrity requirements: low
  • Max severity: medium



  • Asset identifier: Social Trading
  • Asset type: OTHER
  • Availability requirement: low
  • Confidentiality requirement: low
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: https://my.exness.com/pa/socialtrading my.exness.com/st/*
  • Integrity requirements: low
  • Max severity: medium



  • Asset identifier: Web Terminal
  • Asset type: OTHER
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: https://my.exness.com/webtrading/
  • Integrity requirements: high
  • Max severity: critical



  • Asset identifier: com.exness.android.pa
  • Asset type: OTHER_APK
  • Availability requirement: none
  • Confidentiality requirement: medium
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: For all Submissions, please include:
    - Full description of the vulnerability being reported, including the exploitability and impact
    - Evidence and explanation of all steps required to reproduce the submission, which may include:
      - Videos/screenshots
      - Exploit code
      - Web/API requests and responses
    Out of scope mobile vulnerabilities:
    - Deeplink hijacking
    - Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device
    - Exposure of non-sensitive data on the device
    - Vulnerabilities on third-party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
  • Integrity requirements: medium
  • Max severity: critical



  • Asset identifier: com.exness.investments
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: low
  • Confidentiality requirement: low
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: For all Submissions, please include:
    - Full description of the vulnerability being reported, including the exploitability and impact
    - Evidence and explanation of all steps required to reproduce the submission, which may include:
      - Videos/screenshots
      - Exploit code
      - Web/API requests and responses
    Out of scope mobile vulnerabilities:
    - Deeplink hijacking
    - Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device
    - Exposure of non-sensitive data on the device
    - Vulnerabilities on third-party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
  • Integrity requirements: low
  • Max severity: medium



  • Asset identifier: com.exness.investor
  • Asset type: GOOGLE_PLAY_APP_ID
  • Availability requirement: high
  • Confidentiality requirement: high
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: For all Submissions, please include:
    - Full description of the vulnerability being reported, including the exploitability and impact
    - Evidence and explanation of all steps required to reproduce the submission, which may include:
      - Videos/screenshots
      - Exploit code
      - Web/API requests and responses
    Out of scope mobile vulnerabilities:
    - Deeplink hijacking
    - Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device
    - Exposure of non-sensitive data on the device
    - Vulnerabilities on third-party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
  • Integrity requirements: high
  • Max severity: critical