GMGN Vulnerability Bounty Program
Program Overview
Safety and security are our top priorities at GMGN. To eliminate system vulnerabilities and further improve GMGN services, GMGN has launched a vulnerability bounty program for all security researchers.
We will evaluate all reported security issues based on their impact on users and assets, and rewards will be paid in USDT once your submission is accepted.
Please be advised that only reports with a detailed description of the vulnerability and a complete, working proof of concept are eligible for rewards.
If you would like to report a security vulnerability, claim your bounty rewards, or have any questions about this program, please feel free to contact us at security@gmgn.ai.
Scope
Websites and applications (*.gmgn.ai)
GMGN Android App
GMGN iOS App
Rewards
Once your submission is accepted, please provide one of the following to receive your reward:
Your GMGN account, or
Your USDT wallet address
Level of Severity and Reward Range
Extreme: Up to 1,000,000 USDT
Vulnerabilities that threaten core or essential assets, potentially leading to major business disruptions or unauthorized access to GMGN wallets, funds, or private keys.
Critical: 3,000 - 10,000 USDT
Vulnerabilities that undermine user assets’ security
Vulnerabilities that bypass the applications or procedures under normal trading logic
Vulnerabilities that allow remote access to essential user information or user authentication credentials
Vulnerabilities related to key generation, encryption, decryption, signing, and verification
High: 1,000 - 3,000 USDT
Vulnerabilities that lead to high-risk information leakage
Vulnerabilities with a similar impact as critical vulnerabilities but are dependent on specific prerequisites
Medium: 300 - 1,000 USDT
Vulnerabilities that lead to the leakage of part of the users’ information through interaction, or that enable financial fraud
Vulnerabilities that cause GMGN to be unable to respond to users’ requests from the web or mobile apps
Low: 50 - 300 USDT
Vulnerabilities due to product design defects that do not affect the security of users’ assets
Vulnerabilities that lead to Denial of Service of core GMGN services
Reports NOT Qualified for the Rewards
The following issues are not qualified for any reward:
Theoretical vulnerabilities without an actual proof of concept
Email verification defects, expiration of password reset links, and password complexity policies
Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
Clickjacking/UI redressing with minimal security impact
Email or mobile enumeration (e.g., the ability to identify emails through password resetting)
Information leakage with minimal security impact (e.g., stack traces, path disclosure, directory listings, logs)
Internally known issues, recurring issues, or issues already published
Tabnabbing
Self-XSS
Vulnerabilities only applicable to outdated versions of browsers or platforms
Vulnerabilities related to auto-fill web forms
Use of vulnerable libraries already known without an actual proof of concept
Lack of security flags in cookies
Issues related to unsafe SSL/TLS cipher suites or protocol versions
Content spoofing
Issues related to cache control
Vulnerabilities exposing internal IP addresses or domains
Lack of security headers that do not lead to direct exploitation
CSRF with negligible security impact (e.g., adding to favorites, subscribing to non-vital features)
Vulnerabilities that require root/jailbreak
Vulnerabilities that require physical access to the user’s device
Issues with no security impact (e.g., failure to load a web page)
Terms & Conditions
GMGN reserves the right to make the final interpretation of the bounty program and retains the discretion to terminate or change the rewards or bounty rules.
In case of multiple reports regarding the same issue, GMGN will reward the earliest submission, regardless of how the issue was reported.
The review of reports generally takes approximately 1–2 weeks. GMGN shall decide the result of any review at its own discretion.
Rewards will be issued within 2 weeks after a vulnerability report is approved and verified. We will notify you by email once the reward is issued.
Security researchers conducting or facilitating malicious attacks on GMGN will not be qualified for any reward.