Banner object (1)

Hack and Take the Cash !

844 bounties in database
  Back Link to program      
28/08/2018 logo
Hall of Fame


100 $ recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.
Note: This program is for the disclosure of software security vulnerabilities only.

UPDATE 03 December 2019: Exchange Beta now available for testing is excited to announce the launch of its cryptocurrency exchange. Exchange enables users to trade digital assets on the most liquid and secure platform in the market through its web interface, trading API, and App.
Blog post here: beta/ __

Signing up to be a Beta Tester:

  • Please sign up to be a Beta tester here: __
  • Upon sign up, access to the exchange platform will be provided
  • Please note that you are required to use the email address that you have used for testing on this program previously.
  • The Beta testing period will be from now through to the public release
  • Once the Beta testing period is over and the exchange is live to the public, any form of testing will require the user to sign up and do KYC as per any other user. This is so the pen tester can also test the resilience and look for any vulnerabilities in the signup process.

We've also updated this policy page with sections that are relevant to the Exchange.

  • Scope
  • Qualifying Vulnerabilities in the Exchange Beta
  • Non-Qualifying Vulnerabilities in the Crypto.c

UPDATE 19 September: New Chain assets added

We’re happy to announce some new releases of our products and have added new assets into our Scope. We've updated this policy page with sections that are relevant to the Chain:

  • Scope
  • Qualifying Vulnerabilities in the Chain
  • Non-Qualifying Vulnerabilities in the Chain

For more information about’s recent dev updates, please have a look at our blog post here __.


  • Please do not Publicly Disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.
  • Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.
  • Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.
  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • In case of receiving duplicate reports of a specific vulnerability, only the first report is eligible for a reward.
  • By submitting a bug, you agree to be bound by the rules.


In Scope Assets: See Structured Scope

  • An issue identified in the applications listed in Structured Scopes only, qualifies for the program. Once the report has been triaged as valid, it’s considered for the bug bounty.
  • All services provided by are eligible for our bug bounty program, including the Wallet App [Crypto Wallet / Invest / Card / Earn / Credit].
  • Note: Severity shown in the structured scopes indicates the maximum severity possible for reports submitted to the asset.
  • Over time, additional apps or web application may come into scope, so please check back regularly.
  • For now, only the apps listed as in scope have opted-in to the Security Rewards Program and are eligible for rewards.
  • For Chain (Public TestNet), you can access the relevant resources here:

Qualifying Vulnerabilities in the Exchange Beta

  • Remote Code Execution

  • Significant manipulation of the account balance

  • Leakage of sensitive data

  • XSS/CSRF/Clickjacking affecting sensitive actions
  • Theft of privileged information
  • Partial authentication bypass

  • Other vulnerability with clear potential for financial or data loss

  • Other XSS (excluding Self-XSS)

  • Other CSRF (excluding logout CSRF)

Qualifying Vulnerabilities in the Chain

We are looking to find security issues affecting our blockchain protocol. As such, we would like to find vulnerabilities of the following types (other types could be in scope too, but this list provides a good starting point):

  • Bugs in our implementation of the cryptographic primitives
  • Remote Code Execution on any node and the reference wallet implementation
  • Vulnerabilities that disrupt the consensus result and performance
  • Unauthorized movement of funds, access to private keys
  • Vulnerabilities that affect the stability, connectivity, or availability of the whole network,
    individual node, or the reference wallet implementation

  • Transaction origin spoofing

  • Vulnerabilities that affect the stability or availability of Chain / Explorer

Out of Scope

The following domains below are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):

  • Any other service not directly hosted or controlled by will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.

Non-Qualifying Vulnerabilities in the Exchange Beta

In general, the following vulnerabilities will not meet the severity threshold:

  • Theoretical vulnerabilities without actual proof of concept
  • Email verification deficiencies, expiration of password reset links, and password complexity policies
  • Clickjacking/UI redressing with minimal security impact
  • Email enumeration (E.g. the ability to identify emails via password reset)
  • Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
  • Internally known issues, duplicate issues, or issues which have already been made public
  • Tab-nabbing * Self-XSS * Denial of service (DoS) * Spamming * Usability issues
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Vulnerabilities in third party applications which make use of the OpenAPI
  • Reports from automated tools or scans, without exploitability demonstration
  • Vulnerabilities related to autofill web forms
  • Use of known vulnerable libraries without actual proof of concept
  • Lack of security flags in cookies
  • Issues related to unsafe SSL/TLS cipher suites or protocol version
  • Content spoofing * Cache-control related issues * Exposure of internal IP address or domains
  • Missing security headers that do not lead to direct exploitation
  • CSRF with negligible security impact (E.g. adding to favorites, Logout, subscribing to a non-critical feature)
  • Vulnerabilities that require physical access to a user's device
  • Assets that do not belong to
  • Non-technical attacks, such as a physical attack, social engineering, phishing, etc.(E.g. HTTP Basic Authentication Phishing)

Non-Qualifying Vulnerabilities in the Chain

  • Vulnerabilities in Intel SGX
  • Vulnerabilities in Tendermint
  • Vulnerabilities in a dependent 3rd party library
  • Vulnerabilities in the demo wallet example in HERE __
  • Missing features, missing best practices, known limitations, known bugs, e.g. >⅓ Byzantine faults

Non-Qualifying Vulnerabilities in the Mobile Apps

  • Software bugs that have no security impact.
  • Shared links leaked through the system clipboard.
  • Any URIs leaked because a malicious app has permission to view URIs opened
  • Absence of certificate pinning
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on external storage and private directory.
  • Lack of obfuscation is out of scope
  • auth "app secret" hard-coded/recoverable in APK.
  • Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive (exploiting these for sensitive data leakage is commonly in scope) and due to malformed URL Schemes
  • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC) *Clickjacking/UI redressing with minimal security impact.
  • Distributed denial of service attacks (DDOS).
  • DNSSEC Misconfiguration
  • Lack of binary protection (anti-debugging) controls.
  • Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
  • Path disclosure in the binary
  • Snapshot/Pasteboard leakage
  • Runtime hacking exploits (exploits only possible in a jailbroken/rooted environment)
  • Already known issues, e.g. issues already reported by other researchers.
  • Issues that are not reproducible.
  • Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
  • Require physical connection to the device with developer-level debugging tool including but not limited to ADB.
  • Result in an application-level crash, or simply mention the possibility of MITM or SQL injection without an exploit.
  • Scenarios requiring excessive user interaction or tricking users like phishing.
  • Exploit is based on a complex scenario or the probability of exploit is very low.
  • Reports based on information that is already public.
  • Reports based on information taken or obtained through illegal access of Confidential information.

Previously Known Issues

  • is serious about security and we do our own internal scanning and testing through a QA process. We know we can't catch everything all the time which is why we rely on the safety net of the Hacking Community to bolster our processes. We value the participation of every hacker and will be as transparent with our known issues as possible.


  • reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.
  • MCO Metal Card awards are subject to standard KYC requirements and vetting in order to be eligible.
  • By submitting a bug, you agree to be bound by the above rules.

In Scope

Scope Type Scope Name

android_application __





web_application &mt;=8 __


Out of Scope

Scope Type Scope Name



web_application __

This program have been found on Hackerone on 2018-08-28.

FireBounty © 2015-2019

Legal notices