A critical vulnerability refers to the vulnerability occurs in the core business system (the core control system, field control, business distribution system, fortress machine and other control systems that can manage a large number of systems). It can cause a severe impact, gain business system control access (depending on the actual situation), gain core system management staff access, and even control the core system.
It is including but not limited to:
- Multiple devices access in the internal network.
- Gain core backend super administrator access, leak enterprise core data and cause a severe impact.
- Smart contract overflow and conditional competition vulnerability.
- Gain system access (getshell, command execution, etc.)
- System SQL injection (backend vulnerability degradation, prioritization of package submission as appropriate)
- Gain unauthorized access to the sensitive information, including but not limited to, the direct access to the management background by bypassing authentication, brute force attackable backend passwords, and to obtain SSRF of sensitive information in the internal network, etc.)
- Arbitrarily document reading
- XXE vulnerability that can access any information
- Unauthorized operation that involves money, payment logic bypassing (need to be successfully utilized)
- Serious logical design defects and process defects. This includes but is not limited to any user log-in vulnerability, the vulnerability of batch account password modification, logic vulnerability involving enterprise core business, etc., except for verification code explosion
- Other vulnerabilities that affect users on a large scale. This includes but is not limited to the storage XSS that can be automatically propagated on the important pages, and the storage XSS that can access administrator authentication information and can be successfully utilized
- Leakage of a lot of source code
- The permission control defects in the smart contract
- The vulnerability that can affect users by the interaction part. It includes but is not limited to the storage XSS on general pages, CSRF involving core business, etc
- General unauthorized operation. It includes but is not limited to modify user data and perform user operation by bypassing restrictions
- Denial-of-service vulnerabilities. It includes but is not limited to the remote denial-of-service vulnerabilities caused by denial-of-service of web applications
- The vulnerabilities caused by a successful explosion with the system sensitive operation, such as any account login and password access, etc. due to verification code logic defects
- The leakage of locally-stored sensitive authentication key information, which needs to be able to use effectively
- Local denial-of-service vulnerabilities. It includes but is not limited to the client local denial-of-service (parsing file formats, crashes generated by network protocols), problems that are caused by Android component permission exposure, general application access, etc.
- General information leakage. This includes but is not limited to Web path traversal, system path traversal, directory browsing, etc
- Reflective type XSS (including DOM XSS/Flash XSS)
- General CSRF
- URL skip vulnerability
- SMS bombs, mail bombs (each system only accepts one type of this vulnerability).
- Other vulnerabilities that are less harmful and cannot be proven to be harmful (such as CORS vulnerability that cannot access sensitive information)
- No return value and no in-depth utilization of successful SSRF
Vulnerabilities that are not accepted at the moment (even if such a vulnerability is submitted, it will be ignored)
- Email spoofing
- User enumeration vulnerability.
- Self-XSS & HTML injection
- Web pages lack CSP and SRI security policies
- CSRF issues for non-sensitive operations.
- A separate issue about Android app android:allowBackup=”true” , and the service is denied locally, etc. (unless in-depth use).
- Some problems such as changing the size of the image and causing slow requests, etc.
- Version leak issues such as Nginx, etc.
- Some functional bugs that do not pose a security risk issue.
- Physical attack on Bybit / Social engineering attack on Bybit employees
- It is forbidden to conduct social engineering and phishing to people;
- It is forbidden to leak the details of the vulnerability;
- Vulnerability testings are only limited to PoC(proof of concept), and destructive testings are strictly prohibited. If harms are caused inadvertently during the testing, it should be reported in time. Meanwhile, sensitive operations performed in the test, such as deletion, modification, and other operations, are required to be explained in the report;
- It is forbidden to use a scanner for large-scale scanning. If the business system or network becomes unavailable, it will be handled according to relevant laws;
- Those who test the vulnerability should try to avoid modifying the page directly, continuing poping up the message box (dnslog is recommended for xss verification), stealing cookies, and obtaining aggressive payload such as the user information (for blind xss testing, please use dnslog). If you accidentally used a more aggressive payload, please delete it in time. Otherwise, we have the right to pursue related legal liabilities.