EXNESS Program Statistics

14 total issues disclosed

$2,500 total paid publicly

Most disclosed (4 disclosures) — Insecure Direct Object Reference (IDOR)

Disclosed Reports

| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Unrestricted Access to Celery Flower Instance | None supplied | ashwarya | High | 2023-12-14 |
| Blind SSRF on https://my.exnessaffiliates.com/ allows for internal network enumeration | Server-Side Request Forgery (SSRF) | null_hypothesis | Medium | 2023-10-25 |
| SSRF in graphQL query (pwapi.ex2b.com) | Server-Side Request Forgery (SSRF) | kirtixs | Medium | 2023-07-24 |
| Double forward slash breaks server-side restrictions & allows access to prohibited services from a partner account | None supplied | ashwarya | Low | 2023-02-10 |
| Verification process done using different documents without corresponding to user information / User information can be changed after verification | Business Logic Errors | wnovmi | Medium | 2023-01-27 |
| IDOR in Stats API Endpoint Allows Viewing Equity or Net Profit of Any MT Account | Insecure Direct Object Reference (IDOR) | ashwarya | Medium | 2022-12-05 |
| subdomain takeover at odoo-staging.exness.io | Privilege Escalation | omer | Low | 2022-07-18 |
| [com.exness.android.pa Android] Universal XSS in webview. Lead to steal user cookies | Improper Access Control - Generic | nearsecurity | Low | 2022-05-24 |
| Improper Implementation of SDK Allows Universal XSS in Webview Leading to Account Takeover | Improper Access Control - Generic | holyfield | Low | 2022-04-13 |
| CRLF Injection - Http Response Splitting | CRLF Injection | socialcodia | Low | 2022-04-13 |
| Access control vulnerability (read/write) | Insecure Direct Object Reference (IDOR) | ashwarya | Medium | 2022-04-13 |
| Access control vulnerability (read/write) | Insecure Direct Object Reference (IDOR) | ashwarya | Medium | 2022-04-13 |
| Access control vulnerability (read-only) | Insecure Direct Object Reference (IDOR) | ashwarya | Medium | 2022-04-13 |
| Taking position in a discontinued forex pair without executing any trades | None supplied | ashwarya | Medium | 2022-04-13 |