Bug Bounty Program

To continuously enhance platform security, EasiCoin officially launches its Bug Bounty Program. We welcome security researchers and members of the technical community worldwide to participate in identifying and reporting potential vulnerabilities, working together to build a more robust and secure digital asset trading environment.

How to Participate

If you discover any potential vulnerabilities related to EasiCoin systems, please submit a detailed report to:

Security Report Email: [email protected]

Our security team will promptly review and evaluate your submission and get in touch with you for further verification and follow-up.

Scope

This program applies to:

  • All subdomains and systems under the domain *.easicoin.io

Reward Policy

Rewards are issued based on the severity, exploitability, technical complexity, and potential impact of the reported issue. The reward amount and method of issuance are subject to internal assessment and discretion.

Web Vulnerability Categories

Critical Severity

  • Unauthorized access to core control systems

  • Compromise of major internal infrastructure

  • Full access to backend super admin systems

  • Smart contract overflows or logic bypass with fund impact

  • Examples: full server takeover, critical data modification or leakage

High Severity

  • Remote command execution / Getshell

  • SQL injection, SSRF, XXE

  • Arbitrary file read or write

  • Unauthorized access to fund-related operations

  • Smart contract privilege design flaws

Medium Severity

  • Stored XSS or CSRF in core business processes

  • Denial-of-service (DoS) vulnerabilities

  • CAPTCHA bypass, sensitive data exposure

Low Severity

  • Client-side crash

  • DOM-based or reflected XSS

  • Open redirect, non-critical CSRF or path traversal

Non-qualifying Submissions (not eligible for reward)

  • Email spoofing, user enumeration, self-XSS

  • Missing CSP/SRI headers, non-impactful clickjacking

  • Software version disclosures

  • Social engineering or attacks targeting EasiCoin staff

Smart Contract Vulnerability Criteria

Critical Severity

  • Manipulation of governance or voting results

  • Theft or permanent lock-up of user funds

  • Insolvency exploits, MEV attack vectors

High Severity

  • Exploits to steal or freeze unclaimed rewards

  • Logic bugs causing fund inaccessibility or protocol halt

Medium Severity

  • Transaction failures due to missing tokens or DoS

  • Abnormal gas consumption

Low Severity

  • Yield promise inconsistencies (without actual loss)

  • Governance risks, centralization flags, information asymmetries

Code of Conduct

To ensure responsible disclosure, participants must follow these ethical and legal guidelines:

  • No social engineering, phishing, or unauthorized access to employee data

  • Do not publicly disclose or share details of discovered vulnerabilities

  • Do not deploy malicious payloads (e.g., cookie theft scripts)

  • Do not perform destructive testing or exploit production systems

  • Do not use automated scanners to probe without consent

  • Only minimal proof-of-concept (PoC) demonstrations are allowed

If unintended issues arise during testing, please report them immediately. Violations of these rules may result in disqualification and legal action.

Acknowledgment

Each valid submission is a contribution to the strengthening of the EasiCoin ecosystem. We deeply appreciate your efforts and collaboration. Together, we strive to make EasiCoin—and the broader Web3 space—safer and more resilient.
