
Railto LLC

Railto recognizes the role the research community plays and encourages responsible disclosure in order to keep our businesses and customers safe. This is a vulnerability disclosure program and does not currently monetarily reward bounties. We look forward to partnering with you.

You can sign up for a free account at __

Focus Areas:

  • Cryptocurrency balances
  • 2FA bypasses
  • Customer information

In addition to the above focus areas, we are most interested in:

  • SQL Injection
  • Cross-site Scripting (XSS)
  • Server-side Request Forgery (SSRF)
  • Remote Code Execution (RCE)
  • Cross-site Request Forgery (CSRF)


Railto, LLC will make a best effort to meet the following SLAs for researchers participating in our program:

  • Time to first response (from report submit) - 2 business days
  • Time to triage (from report submit) - 2 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

  • By submitting a report, you agree to not publicly disclose or share the vulnerability with any third party until receiving confirmation from Railto that the vulnerability has been remediated.
  • Once a vulnerability has been resolved, we will publicly disclose it unless otherwise requested by the disclosing researcher.
  • Follow HackerOne's disclosure guidelines.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be triaged.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Vulnerabilities requiring outdated browsers and platforms.
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Missing cookie flags on non-sensitive cookies.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

In Scope

Scope Type Scope Name


This program was found on HackerOne on 2019-10-01.

FireBounty © 2015-2020
