Updated on 2022-07-28
Live since: 14.07.2021
Max Bounty: 20 000 USDT
Program overview
Built by a group of Wall Street quant trading veterans, AscendEX is a leading digital asset trading platform with a comprehensive suite of products to meet the needs of even the most sophisticated institutional trading counterparties. AscendEX's robust cash, margin, and derivative trading products rank amongst the most liquid and actively traded in the industry with average daily trade volume >$400mm from a diverse global user base of retail and institutional traders from over 200 countries.
For more information about AscendEX, please visit their website at https://ascendex.com/.
The bug bounty program covers its website and is focused on the prevention of:
Rewards by threat level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.
Website and Apps
Critical | USD 5 000 - USD 20 000 |
High | USD 1 000 - USD 3 000 |
Medium | USD 200 - USD 1 000 |
Low | USD 50 - USD 200 |
Bug reports must come with the following in order to be considered for a reward:
Proof of Concept (PoC) - All bug reports
Suggestions for a fix - Critical, High, and Medium reports only
Under this bug bounty program, anything involving KYC data theft or leakage is considered Critical. Additionally, anything involving user or company asset loss is also considered Critical.
The USD 20 000 reward for critical vulnerabilities is only applicable if KYC data is stolen in an unencrypted format. All other critical vulnerabilities are capped at USD 5 000.
The final reward amount is determined by the AscendEX team based on the exploitability of the vulnerability as well as its potential economic impact.
Payouts are handled by the AscendEX team directly and are denominated in USD. All payouts are done in USDT.
Assets in Scope
Target | Type |
https://asdx.io | Website |
https://ascendex.com | Website |
https://asdxstatic.oss-cn-shanghai.aliyuncs.com/app/android/ascendex.apk | App - Android |
https://apps.apple.com/us/app/ascendex-bitmax/id1463917147 | App - iOS |
Only web/app vulnerabilities that directly affect the website assets listed in this table are accepted within the bug bounty program. All others are out of scope.
The links to the apps are provided as a way to find the apps themselves. Vulnerabilities on the websites that host the apps are not in scope of the bug bounty program.
Impacts in Scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered in scope, even if they affect something in the assets in scope table.
Websites and Apps
Prioritized vulnerabilities
We are especially interested in receiving and rewarding vulnerabilities of the following types as long as they have a resulting impact that is listed as in-scope:
Websites and Apps
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
Websites and Apps
The following activities are prohibited by this bug bounty program: