Bug Bounty Program
Security is a foundational priority at 6MM.
As a professional-grade trading infrastructure, 6MM is committed to maintaining the highest standards of system security, fund protection, and trading stability.
We actively encourage responsible security research and welcome collaboration with independent researchers, partners, and technical experts to help identify and mitigate potential vulnerabilities across the 6MM ecosystem.
Program Objectives
The 6MM Bug Bounty Program aims to:
Identify and resolve security vulnerabilities at an early stage
Protect partner platforms and connected ecosystems
Preserve system integrity and uninterrupted trading operations
Promote a clear, professional, and responsible disclosure process
Scope of Testing
The Bug Bounty Program may include, but is not limited to, the following areas:
Trading engine and order-matching logic
Margin, risk control, and liquidation mechanisms
API and SDK interfaces and permission controls
Web and mobile access layers
Authentication, authorization, and session management
Infrastructure configuration and deployment security
The scope may be adjusted as the platform evolves.
Responsible Disclosure Policy
Security researchers participating in this program are expected to:
Submit vulnerability reports privately via the designated contact channel
Avoid public disclosure until the issue has been resolved
Provide clear reproduction steps and impact analysis
Act in good faith and refrain from exploiting or misusing data
6MM commits to timely review, assessment, and response for all valid submissions.
Severity Levels and Rewards
Rewards are determined based on a comprehensive evaluation of:
Severity level (Critical / High / Medium / Low)
Potential impact on system security, funds, or trading stability
Quality, clarity, and reproducibility of the report
Critical or high-impact vulnerabilities may qualify for higher rewards.
Reward structures, payment methods, and eligibility may change in accordance with partner policies.
Out-of-Scope Issues
The following are generally excluded from the Bug Bounty Program:
Social engineering attacks
Denial-of-Service (DoS / DDoS) attacks
Vulnerabilities in third-party services or dependencies
Issues requiring physical access to devices or infrastructure
Vulnerability Submission & Contact
Please submit all security vulnerability reports through the official channel below:
📧 Security Contact Email
Recommended submission details:
Clear vulnerability description
Affected components and potential impact
Step-by-step reproduction instructions or proof of concept (PoC), if applicable
Supporting materials such as screenshots, logs, or test environment details
Please do not disclose vulnerabilities through customer support, business, or public channels.
Response Process
Upon receiving a valid report, 6MM follows this process:
Initial validation by the security team
Impact assessment and severity classification
Development and deployment of remediation measures
Feedback provided to the reporter
Reward issuance or formal acknowledgment when applicable
Closing Statement
6MM believes that responsible disclosure and collaboration with the security community are essential to building resilient, long-term trading infrastructure.
We appreciate your contribution to keeping 6MM and its partner ecosystem secure, stable, and trustworthy.