Bug Bounty & Security Program
BEXC runs a paid Bug Bounty program so security researchers can responsibly disclose vulnerabilities they find. Reward tiers are set to be on par with industry leaders. Alongside the bounty program, BEXC maintains a public Hall of Fame for contributors and a transparent Insurance Fund page.
How it works
- Read the policy —
/security/policycovers the scope of what can be tested, the severity matrix, reward tiers, and the report template to use. - Report responsibly — Researchers submit findings following the responsible-disclosure process described in the policy (no public disclosure before it's resolved, no exploiting the bug beyond proof-of-concept).
- Review + reward — The first valid, reproducible report of an issue is evaluated and rewarded according to its severity.
- Recognition — Contributors may be listed on the public Hall of Fame.
Reward amounts scale with severity — Critical findings receive the highest rewards, down to Info-level findings which are recognized via the Hall of Fame rather than a cash reward. Exact amounts and eligibility conditions (such as being the first valid report, following responsible disclosure, and passing standard compliance checks) are published on the policy page.
Where to find things
| Page | What it covers |
|---|---|
/security/policy | Scope, severity levels, reward tiers, report template |
/security/hall-of-fame | Recognized researchers who reported valid issues |
/security/insurance-fund | Transparency on BEXC's user-protection insurance fund |
Common questions
Does BEXC have a bug bounty program? Yes — see /security/policy for full details. Rewards are paid and tiers are set to match industry-leading exchanges.
How do I report a security vulnerability? Follow the responsible-disclosure process and report template published on /security/policy.
How much can I earn? It depends on severity — Critical issues earn the most, while Info-level findings are recognized in the Hall of Fame instead of a cash reward. Current ranges are on the policy page.
What is the Insurance Fund? A transparent fund maintained to support user trust and protection, detailed on /security/insurance-fund.
What is the Hall of Fame? A public list recognizing researchers who have responsibly reported valid vulnerabilities.
Only the first valid, reproducible report of a given issue is rewarded — duplicate reports of an already-known issue are not eligible.