No technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
To show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:
Low risk - $100 to $200
This may include Self XSS, security policies, best practices, etc.
Medium risk - $200 to $400
Reflected or Stored Cross-Site Scripting, Cross-Site Request Forgery, logical bugs with potential exploitation, etc.
High risk - $400 and above
Authentication Bypass, SQL Injection, XXE, Remote Code Execution, etc.
Bounties will only be paid if we make a code/system change in response to the report, and only to the very first reporter. Sometimes, if the report is of a high standard and the security issue is impressive, we may even give out bounties for duplicate reports.
While researching, we'd like to ask you to refrain from:
It is strictly forbidden to use fully automated scanners on our live environments. You are allowed to use reverse proxy tools like Burp Suite, ZAP proxy, etc., but only for manual testing. DO NOT automate the tools on our servers. We can clearly tell when reports are copy-pasted from automated scanners. This will certainly result in a direct BAN.
We have a few sub-domains which are third-party integrations, so bugs on them with very low impact might get rejected.
However, we have also paid on behalf of our third-party integrations for extremely good security issues and worked along with the third-party owners to get them fixed.
• Presence/absence of SPF/DMARC records.
• Clickjacking on static pages.
• CSRF on forms that are available to anonymous users (e.g. the contact form)
• Login and logout CSRF issues
• Use of a known-vulnerable library (without evidence of exploitability)
• Vulnerabilities affecting users of outdated browsers and platforms
• Attacks requiring physical access to a user's device
• Reports from automated tools or scanners (please refrain from doing this; you will be banned for it)
• Presence of autocomplete attribute on web forms
• Missing cookie flags on non-sensitive cookies
• Disclosure of known public files or directories (e.g. robots.txt)
• Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)
• Social engineering of Binary employees or contractors
• Any physical attempts against Binary property or data centers
HOWEVER, even if an issue is listed in the out-of-scope list, if you really feel that the bug will have an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code (EVEN IF IT'S A MINOR BUG), we will reward you with a bounty. Even if we do not change our code, we will mark the report as INFORMATIVE rather than NOT APPLICABLE, to avoid discouraging you with negative HackerOne points.
and other Binary.com-related code is open-sourced at
Thank you for helping keep Binary.com and our users safe!