04/11/2015
Hall of Fame


100 $

No technology is perfect, and believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Bounty Program

To show our appreciation of responsible security researchers, offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:

Low risk - $100 to $200
This may include Self XSS, security policies, best practices etc.

Medium risk - $200 to $400
Reflected or Stored Cross-Site Scripting, Cross-Site Request Forgery, logical bugs with potential exploitation etc.

High risk - $400 and above
Authentication Bypass, SQL Injection, XXE, Remote Code Execution etc.

Bounties will only be paid if we make a code/system change in response to the report, and only to the very first reporter. Sometimes, if the report quality is of a high standard and the security issue is impressive, we may even give out bounties for duplicate reports.


While researching, we'd like to ask you to refrain from:

  • Denial of service
  • Spamming
  • Social engineering (including phishing) of staff or contractors
  • Any physical attempts against property or data centers

It is strictly forbidden to use fully automated scanners on our live environments. You are allowed to use proxy tools like Burp Suite or ZAP, but only for manual testing. DO NOT automate the tools on our servers. We can clearly tell when reports are copy-pasted from automated scanners. This would certainly result in a direct BAN.



We have a few sub-domains which are third-party integrations, so bugs on them with very low impact might get rejected.
But we have also paid on behalf of our third-party integrations for extremely good security issues and worked along with our third-party owners to get them fixed.


• Presence/absence of SPF/DMARC records.
• Clickjacking on static pages.
• CSRF on forms that are available to anonymous users (e.g. the contact form)
• Login and logout CSRF issues
• Use of a known-vulnerable library (without evidence of exploitability)
• Vulnerabilities affecting users of outdated browsers and platforms
• Attacks requiring physical access to a user's device
• Reports from automated tools or scanners (please refrain from doing this; you will be banned for this)
• Presence of autocomplete attribute on web forms
• Missing cookie flags on non-sensitive cookies
• Disclosure of known public files or directories (e.g. robots.txt)
• Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)
• Social engineering of Binary employees or contractors
• Any physical attempts against Binary property or data centers

HOWEVER, even if a bug is listed in the out-of-scope list, if you really feel that it will leave an impact on our platform, please come up with a convincing and working POC. If that convinces us to change our code (EVEN IF IT’S A MINOR BUG) we will reward you with a bounty. Even if we do not change our code, we will mark it as INFORMATIVE rather than NOT APPLICABLE, to avoid discouraging you with negative HackerOne points.

Open-Source code

Please note that's front-end code is open-sourced at __, is open-sourced at __, and other code is open-sourced at __

  • Please feel free to report any vulnerabilities found in this code by submitting a pull request on GitHub. HIGHER bounties will be awarded to reports that include a pull request with a suggested fix.

Thank you for helping keep and our users safe!

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.
  • DO NOT try to over-exploit the bug and access internal data for further vulnerabilities. We will determine the severity and reward accordingly.

This program was found on HackerOne on 2015-11-04.

FireBounty © 2015-2019
