Bug Bounty Program

  • About Latoken

    LATOKEN is a rapidly growing crypto exchange focusing on liquidity for new tokens. LATOKEN entered CoinMarketCap’s Top-20 in March 2019 and keeps improving the result.

    • $300m+ daily turnover
    • More than 700.000 registered users
    • 720+ crypto pairs available for trading
    • Low trading and withdrawal fees
    • New trading pairs are being added every week

    Besides crypto trading, eligible LATOKEN users can participate in selected Tokens Sales at pre-sale and crowdsale stages. Security Token Offerings (STO) are also available on LATOKEN crypto exchange.

    • Trading Terminal
    • Advanced trading features
    • Crypto/fiat gateway

  • Bug Bounty Program

    At LATOKEN our clients are our top 1 priority, which of course includes their security as well. To improve their user experience and their security we’ve started our Bug Bounty program in 2020.
    We are offering a bounty for a newly reported error/vulnerability in any of the in-scope area’s as mentioned below.
    We will rate reported security issues based on the security impact to our users and on the LATOKEN system as a whole.

    report form

  • Reward Levels

    Level 1Critical2000 LAErrors which critically affect our users’ ability to trade and/or our users’ security
    Level 2High700 LAErrors which give our users a high risk, either by using our services or are shown to release personal information about them
    Level 3Medium150 LAMedium level, showing how to stop our exchange from working, or to stop our users from accessing their assets
    Level 4Low50 LAVulnerabilities that could affect the stability or availability of our services

  • Targets in Scope

    Latoken Websitelatoken.com
    iOS AppInstall Latoken iOS app
    Android AppInstall Latoken Android app

  • In scope vulnerabilities (For web, mobile and blockchain).

    • Business logic errors
    • Manipulation of payments
    • SQL injection possibilities
    • Access Control errors
    • Remote code execution (RCE)
    • XML External Entity Attacks (XXE)
    • Server-Side Request Forgery (SSRF)
    • File inclusions (Local & Remote)
    • Leakage of sensitive and/or personal user information
    • Other vulnerability with a clear potential loss

  • Out of scope vulnerabilities

    For web

    • Any statement/report without an obvious proof
    • Denial of service attacks
    • Vulnerabilities in 3rd-party applications
    • Recently (less than 30 days) disclosed 0day vulnerabilities
    • Vulnerabilities affecting users of outdated browsers or platforms
    • Social engineering, phishing, physical, or other fraudulent activities
    • Publicly accessible login panels without proof of exploitation
    • Vulnerabilities involving active content such as web browser add-ons
    • Most brute-forcing issues without clear impact
    • Moderately Sensitive Information Disclosure
    • Missing HTTP security headers
    • Open redirects
    • Session fixation
    • User account enumeration
    • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
    • Descriptive error messages (e.g. Stack Traces, application or server errors)
    • Self-XSS that cannot be used to exploit other users
    • CSRF with low-security impact including Login & Logout CSRF
    • Weak Captcha/Captcha Bypass
    • Username/email enumeration via Login/Forgot Password Page error messages
    • CSRF in forms that are available to anonymous users (e.g. the contact form)
    • OPTIONS/TRACE HTTP method enabled
    • Host header issues without proof-of-concept demonstrating the vulnerability
    • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
    • Content Spoofing without embedded links/HTML
    • Reflected File Download (RFD)
    • Mixed HTTP Content / HTTPS Mixed Content Scripts

    For our Mobile App(s)

    • Attacks requiring physical access to a user's device
    • Vulnerabilities requiring extensive user interaction
    • Exposure of non-sensitive data on the device
    • Reports from static analysis of the binary without PoC that impacts business logic
    • Lack of obfuscation/binary protection/root(jailbreak) detection
    • Bypass certificate pinning on rooted devices
    • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
    • Sensitive data in URLs/request bodies when protected by TLS
    • Path disclosure in the binary
    • OAuth & app secret hard-coded/recoverable in IPA, APK
    • Sensitive information retained as plaintext in the device’s memory
    • Any kind of sensitive data stored in-app private directory
    • Runtime hacking exploits using tools like but not limited to Frida/ Appmon
    • Any URIs leaked because a malicious app has permission to view URIs opened
    • Exposure of API keys with no security impact (Google Maps API keys etc.)
  • Rules of the Bug Bounty program

    • LATOKEN reserves the rights to the final explanation of the bounty program and retains the discretion to cancel or modify the rewards or bounty rules.
    • Reviewing reports will take approximately 1-2 weeks.
    • The rewards will be paid out in LA. For reports with exceptional vulnerabilities, LATOKEN will provide additional rewards to the researchers.
    • LATOKEN will issue LA rewards to your LATOKEN account in two weeks after a vulnerability report is approved and verified. You may check the rewards in the Wallet.
    • Only the first verified vulnerability report will receive the reward. Similar reports will not be rewarded.
    • In case you find multiple vulnerabilities which are connected to one another, we’ll only award you for the vulnerability with the highest level.
      • Not to restrict the availability of LATOKEN’s exchange, its services or infrastructure.
      • Not to use web application scanners which generate huge amount of traffic for automatic searching.
      • Not to access or modify any users data. Please, use your own account for these tests.
      • Not to exploit any Denial of Service vulnerabilities.
      • Not to break any law and stay in the defined scope.
    • Any details of found vulnerabilities must not be communicated to anyone who is not a part of the LATOKEN team without an appropriate permission.
    • For researchers stealing the private data or asset information of LATOKEN users, or posing a threat to personal or asset security of our users, LATOKEN will pursue relevant legal responsibilities to the violators.