Bug Bounty Program

We are pleased to announce the launch of the NewCoin Bug Bounty Program and sincerely invite security researchers and white-hat hackers worldwide to participate in discovering vulnerabilities and jointly strengthening the platform's security.

If you discover a security vulnerability during testing, please submit the complete vulnerability details to the official email: [email protected]

The NewCoin Security Team will review and verify each report upon receipt. Upon confirmation of a valid vulnerability, we will contact you and issue the corresponding reward.

Your security contributions are crucial to NewCoin.


I. Web Bug Bounty Program

1. Scope of Testing

  • NewCoin official website

  • Official web trading and account systems

2. Vulnerability Reward Standards

  • Low Risk: 50 – 100 USDT

  • Medium Risk: 100 – 500 USDT

  • High Risk: 500 – 1,000 USDT

  • Critical: 1,000 – 5,000 USDT

The final reward amount will be comprehensively evaluated based on the vulnerability's impact scope, exploitation difficulty, and actual harm.


II. Web Vulnerability Severity Definitions

(1) Critical Vulnerability

Affects NewCoin's core business systems or critical infrastructure, potentially causing significant asset or systemic risks. Possible outcomes include:

  • Unauthorized control of core business systems

  • Obtaining highest administrative privileges of core systems

  • Complete takeover of key business modules

Examples:

  • Controlling multiple critical devices within the internal network

  • Gaining backend super administrator privileges leading to core data leakage

  • Fatal vulnerabilities in smart contracts (e.g., overflow, race conditions)

(2) High-Risk Vulnerability

Can directly impact system security, user assets, or business logic integrity. Includes but is not limited to:

  • System privilege acquisition (GetShell, command execution)

  • SQL Injection

  • Authentication bypass, weak passwords, SSRF

  • Arbitrary file reading, XXE for arbitrary information access

  • Unauthorized transactions, payments, or fund operations

  • Severe business logic flaws (e.g., arbitrary user login, batch password modification)

  • Stored XSS with widespread impact

  • Large-scale source code leakage

  • Smart contract permission control flaws

(3) Medium-Risk Vulnerability

Requires specific conditions or user interaction, potentially causing a certain security impact. Includes but is not limited to:

  • Vulnerabilities requiring user interaction (e.g., stored XSS, CSRF)

  • Horizontal (parallel) authorization flaws (bypassing restrictions to modify another user's data)

  • Denial of Service (DoS) attacks

  • CAPTCHA logic flaws enabling brute-force attacks

  • Leakage of sensitive authentication keys due to local or configuration issues

(4) Low-Risk Vulnerability

Limited impact, or direct severe consequences are difficult to prove. Includes but is not limited to:

  • Local DoS (client crash)

  • General information leakage (path traversal, directory browsing)

  • DOM / Reflected XSS

  • General CSRF

  • URL redirection vulnerabilities

  • SMS / Email bombing (similar issues counted once per system)

  • Other vulnerabilities without directly demonstrable security impact


III. Vulnerability Types Not Accepted

The following issues are excluded from the Bug Bounty Program scope:

  • Email spoofing

  • User enumeration

  • Self-XSS / HTML injection

  • Lack of security policies (e.g., CSP, SRI)

  • CSRF in non-sensitive operations

  • Android app configuration issues (e.g., android:allowBackup="true")

  • Performance-only issues (e.g., slow requests due to image scaling)

  • Exposure of third-party component version information (e.g., Nginx version)

  • Functional flaws without security impact

  • Social engineering attacks targeting NewCoin employees


IV. Smart Contract Vulnerability Severity Definitions

(1) Critical Vulnerability

  • Manipulation of governance or voting results

  • Direct theft of user funds (excluding unclaimed yields)

  • Permanent freezing of user funds

  • Miner Extractable Value (MEV)

  • Overall protocol insolvency

(2) High-Risk Vulnerability

  • Theft or freezing of unclaimed yields / royalties

  • Temporary freezing of user funds

(3) Medium-Risk Vulnerability

  • Contract dysfunction due to insufficient tokens

  • Profiting from block congestion

  • Destructive behavior without direct profit motive

  • Gas theft or infinite gas consumption

(4) Low-Risk Vulnerability

  • No direct financial loss but affecting contract commitments

  • Informational issues (oracle errors, governance attacks, liquidity risks, Sybil attacks, etc.)

  • Best practices and security hardening suggestions


V. Prohibited Actions

To ensure platform and user safety, the following actions are strictly prohibited during testing:

  • Social engineering or phishing attacks

  • Public disclosure, dissemination, or sale of vulnerability details

  • Destructive testing (only PoC verification is allowed)

  • Large-scale scanning using unauthorized scanners

  • Modifying webpage content, pop-up bombing, cookie theft

  • Using highly intrusive or destructive payloads

If any unintended impact occurs during testing, please report it to NewCoin immediately.

Violations of the above rules may result in reward cancellation and potential legal liability.


VI. Closing Remarks

Thank you for your contributions to the security of the NewCoin platform.

We look forward to collaborating with security researchers worldwide to build a safer, more transparent, and more trustworthy crypto asset ecosystem.

NewCoin Security Team

Last updated