Bug bounty Program

We take our security serious, if you can help us with finding vulnerables in our code, we will reward you.

Security Policy

Wanting the best for our community, our team decided that it would be fitting to launch a bug bounty program. While utilize leading tech to make our platform as safe for trader use as possible, there is no perfect solution in terms of technology and security. But, this does not mean that we should not strive to come as close to perfect as possible. Here is your chance to help us on our mission towards becoming better by means of a Bug Bounty Reward Program.

Bugs and Rewards

All rewards will for discovered bugs will be paid out in our platforms token, NEXT, which can then be traded on NEXT.exchange or IDEX. The amount of rewards you can obtain depends on the severity of the bug/vulnerability/issue found and which requires to be addressed on our part. We may give out higher amounts of NEXT based on just how crazy a bug/vulnerability/issue is deemed to be.

Vulnerability Reward (in NEXT)
Remote Code Execution 5000
Significant manipulation of account balance 2500
XSS/CSRF/Clickjacking affecting sensitive actions [1] 2000
Theft of privileged information [2] 1500
Partial authentication bypass 1000
Other XSS (excluding Self-XSS) 500
Other CSRF (excluding logout CSRF) 250
Other best practice or defence in depth 50
How to participate?

Once you’ve discovered something peculiar, send it over to [email protected] with the Subject NEXT BUG BOUNTY in all capital letters! Thanks for your support towards NEXT.exchange!

Disclosure Policy

Program Rules


While researching, we'd like to ask you to refrain from engaging in or reporting:

If you submit a report about a missing/incomplete header, please be absolutely sure you are correct that there is a legitimate problem. We receive a large number of bogus reports triggered by automated testing suites that do not consider the real-world use of the applications they are testing.
If you believe that one of the above is affecting a major browser in a negative way, come prepared with a working proof of concept. Reports without a proof of concept will be denied.

In Scope

Note: Severity shown here only indicates the maximum severity possible for reports submitted to the Asset. All other domains are out of scope.

Domain next.exchange
Data leakage, authentication errors, account takeover, etc., are in scope. Phishing is generally out of scope unless there is a reasonable mistake in our platform.
Critical Eligible for bounty