Bug Bounty & Security Program

Bug Bounty & Security Program

BEXC runs a paid Bug Bounty program so security researchers can responsibly disclose vulnerabilities they find. Reward tiers are set to be on par with industry leaders. Alongside the bounty program, BEXC maintains a public Hall of Fame for contributors and a transparent Insurance Fund page.

How it works

  1. Read the policy/security/policy covers the scope of what can be tested, the severity matrix, reward tiers, and the report template to use.
  2. Report responsibly — Researchers submit findings following the responsible-disclosure process described in the policy (no public disclosure before it's resolved, no exploiting the bug beyond proof-of-concept).
  3. Review + reward — The first valid, reproducible report of an issue is evaluated and rewarded according to its severity.
  4. Recognition — Contributors may be listed on the public Hall of Fame.
Reward amounts scale with severity — Critical findings receive the highest rewards, down to Info-level findings which are recognized via the Hall of Fame rather than a cash reward. Exact amounts and eligibility conditions (such as being the first valid report, following responsible disclosure, and passing standard compliance checks) are published on the policy page.

Where to find things

PageWhat it covers
/security/policyScope, severity levels, reward tiers, report template
/security/hall-of-fameRecognized researchers who reported valid issues
/security/insurance-fundTransparency on BEXC's user-protection insurance fund

Common questions

Does BEXC have a bug bounty program? Yes — see /security/policy for full details. Rewards are paid and tiers are set to match industry-leading exchanges.

How do I report a security vulnerability? Follow the responsible-disclosure process and report template published on /security/policy.

How much can I earn? It depends on severity — Critical issues earn the most, while Info-level findings are recognized in the Hall of Fame instead of a cash reward. Current ranges are on the policy page.

What is the Insurance Fund? A transparent fund maintained to support user trust and protection, detailed on /security/insurance-fund.

What is the Hall of Fame? A public list recognizing researchers who have responsibly reported valid vulnerabilities.

Only the first valid, reproducible report of a given issue is rewarded — duplicate reports of an already-known issue are not eligible.