FMFW.io Bug Bounty Program [Temporarily suspended]

At FMFW.io we believe in the power of crowd wisdom. As we are looking to continuously improve our platform to make it more secure and easy to use for our traders, we’ve launched a bug-bounty program. If you find any bugs on our platform or have feedback on how we can further improve our service, please kindly reach out.

The bounties we offer range from 25 USDT to 5000 USDT for confirmed vulnerability reports. We will rate each submission and pay out the bounty in accordance with our vulnerability rating. As you can imagine, some bugs are more significant than others. All payouts are defined in our guidelines and subject to change. We process all payouts in USDT to ensure you receive the promised amount of your well-deserved bounty no matter the market conditions.

  • You’ll be immediately disqualified when asking for payment in exchange for vulnerability details. Please make sure that any report submitted includes a clear and detailed description of the vulnerability. Please also include detailed instructions on how to reproduce your findings.
  • Unfortunately, when we cannot reproduce your findings, your report will not be eligible for payout. Therefore, please make sure that you describe how you found the bug and how we can reproduce it in as much detail as possible.
  • At any given moment our team can request additional proof or a video showcase of the vulnerability.
  • All our reward payments are made in Tether (USDT ERC20) or USDC (ERC20) directly to your FMFW.io account. You should create an exchange account before submitting the report to be eligible for the reward.
  • Please submit any bug reports to [email protected].
  • We will check your report within 4-6 weeks after its submission.
  • Our minimum payout for a bug report is 25 USDT.

FMFW.io Bug Bounty Program Statistics

(Please note that this data is updated every month)

  • 15 reports were reviewed and rewarded in the last quarter
  • 5 days is the average vulnerability review period in the last quarter
  • $110 is the average payout in the last quarter

Wall of Fame

(Please note that this data is updated every month)

Name                                                                 Reward
Mehedi Hasan                                                         $650
ranabapary07                                                         $225
Turanalayat                                                          $200
Abdelkader Mouaz                                                     $175
0x0asif                                                              $150
Rutvik Hajare                                                        $150
Mr. Anonymous (This researcher kindly asked us to remain anonymous)  $100
Foysal Ahmed                                                         $100
Farzad Gholipor                                                      $75
Tanvir Imon                                                          $50

In-Scope Properties

The following properties are in scope for the bug bounty program of FMFW.io. All rewards will be issued in USDT.

  • https://fmfw.io/
  • https://api.fmfw.io/
  • wss://api.fmfw.io/

Out of Scope Properties

Please note that the following properties are out of scope for bug bounty rewards:

  • support.fmfw.io
  • FMFW.io Landing Page
  • Any other FMFW.io properties that aren’t included in the in-scope properties above.

Additionally, all other 3rd party hosted assets that are not explicitly mentioned in our “In Scope Properties” don’t fall under our Bug Bounty program either. Check In Scope Properties for an overview of included properties.

Out of Scope Vulnerabilities

  • Outdated browser versions, platforms, etc.
  • Lack of Secure and HttpOnly cookie flags
  • OPTIONS/TRACE HTTP method enabled
  • Clickjacking/Tapjacking
  • Physical attacks against FMFW.io and Social engineering attacks against FMFW.io employees
  • Cross-Site Request Forgery attacks
  • Descriptive error messages
  • Content Spoofing without embedded links/HTML
  • Theoretical risk vulnerabilities
  • Self-XSS
  • Vulnerabilities in 3rd party applications
  • Weak Captcha/Captcha Bypass
  • Some bugs that don't bring security risks
  • Spam (SMS, email, etc), phishing, social engineering
  • NGINX and/or other middleware leaks
  • Publicly accessible login panels
  • Brute-force enumeration of registered usernames through application interfaces
  • Mixed HTTP Content
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Issues related to best practices
  • Man-in-the-middle and local attacks
  • Missing HTTP security headers
  • Cross-Site Request Forgery in forms that are available to anonymous and unregistered users
  • Email enumeration via Login/Forgot Password and other pages error messages
  • Login & Logout Cross-Site Request Forgery
  • HTML injection
  • Certificate/TLS/SSL related vulnerabilities
  • Manipulation of Password Reset/Withdrawal confirmation/2FA activation or any other tokens
  • Any Distributed-Denial-of-Service/Denial-of-Service issues
  • Content Security Policy issues
  • Any HTTPS content scripts

FMFW.io Bug Bounty Program Rules and Policy

  1. FMFW.io (FMFW Ltd.) agrees to refrain from initiating legal action against any security research that complies with the program rules of the Exchange Bug Bounty program. This includes good-faith, non-deliberate violations. For all activities that fall under “authorized” conduct as specified under the DMCA, the CFAA, the Computer Misuse Act, and other hacking laws such as Cal. Penal Code 503(c), we won’t bring legal claims against the individual or institution who circumvented security measures to contribute to the bug bounty program and the continuous improvement of our platform.
  2. All our reward payments are made in Tether (USDT ERC20) or USDC (ERC20) directly to your FMFW.io account. You should create an exchange account before submitting the report to be eligible for the reward. If an account hasn't been created in advance, you won't be eligible for any rewards.
  3. Don’t access or modify other FMFW.io users' data. Keep all your tests limited to your accounts. If you fail to comply, it will entail a lawsuit against you.
  4. If we receive several reports on the same vulnerability, only the first received report will be eligible for a reward.
  5. Please refrain from exploiting the vulnerability, whether by making it public or by using it to enrich yourself. Failure to comply will result in legal action against you.
  6. Don’t break any laws and limit yourself to the defined scope. Failure to comply will result in legal action.
  7. Please refrain from publicly disclosing any vulnerabilities without our consent. We will only approve Public Disclosure requests once the vulnerability has been resolved.
  8. Please limit yourself to submitting one vulnerability at a time. If you deem it necessary to chain vulnerabilities to illustrate the impact, you can submit more than one.
  9. Please ensure not to hinder the availability or level of service of our exchange when conducting your testing.
  10. Please ensure that you’re not compromising personal data, and do not interrupt or degrade our service. Failure to comply will result in legal action.
  11. Refrain from using spam bots against our sign-up form or automated scanners that interrupt our account creation flow.
  12. Please don’t use any applications that scan automatically for vulnerabilities by generating massive traffic.
  13. Don’t launch any Distributed-Denial-of-Service/Denial-of-Service attacks, social engineering attacks, or any form of spam; otherwise, it will entail a lawsuit against you.
  14. Please don’t share details on any vulnerabilities you discovered with anyone outside the FMFW.io team without explicit permission given by us.
  15. FMFW.io reserves the right to cancel or amend these terms or conditions without prior notification. All the terms and conditions applicable to usage of FMFW.io also apply to this Bug Bounty Program.
  16. By submitting a report, you agree to be bound and comply with the rules outlined here.
  17. By submitting a report, you acknowledge and agree to the rules outlined in the program. You also agree that any decision taken by FMFW.io is final and binding.

Last update

2023-03-08