Bounty Program

We are rewarding bounty hunters and white hat hackers for bringing potential threats and vulnerabilities to our attention! The rewards depend on the severity of the bugs found, as described in more detail below.

Important! When reporting a bug, you must provide an attack scenario and/or examples of the attack. Without this, we reserve the right to reject the bug as unverifiable. BitOrb will determine, at its discretion, whether a vulnerability is eligible for a reward and the amount of the award.

Severity | BugCrowd Equivalent | Definition                                                                                                   | Reward (USD)
---------|---------------------|--------------------------------------------------------------------------------------------------------------|-------------
Critical | P1                  | Vulnerabilities that could cause severe system impairment or compromise of user data and cryptocurrency assets | $500
High     | P2                  | Unauthorized operations, SQL injection, malicious code injection and source code leakage                     | $250
Medium   | P3, P4              | Vulnerabilities that affect some users but do not impair system functionality                                | $100
Low      | P5                  | Non-critical vulnerabilities                                                                                 | $50

Rules

  1. Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  2. Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  3. When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  4. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  5. Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  6. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

UP TO $4000 TO BE AWARDED TO YOU!

  1. Our rewards are based on severity. Please note these are general guidelines, and that reward decisions are up to the discretion of BitOrb.

  2. The minimum payout is $100 USD for reporting a low-severity vulnerability with the possibility of direct exploitation. The maximum reward is $4000, and we may award higher amounts based on the severity or creativity of the vulnerability found. Please reference the Bounty Table at the top of our page.

  3. Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.

We are interested in:

  • Sensitive actions, including depositing, trading, or sending money, and OAuth or API key actions.
  • Privileged information, including passwords, API keys, wallet addresses and private keys.

Scope

  1. The scope of this program is limited to security vulnerabilities found on the BitOrb website. All services provided by BitOrb are eligible for our bug bounty program, including the API and the Exchange.

  2. Vulnerabilities reported on other properties or applications are currently not eligible for reward. High impact vulnerabilities outside of this scope might be considered on a case-by-case basis.

OUT OF SCOPE VULNERABILITIES

  1. UI and UX bugs and spelling or localization mistakes.
  2. Vulnerabilities in third-party applications.
  3. Descriptive error messages (e.g. stack traces, application or server errors).
  4. Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g. stealing auth tokens, we do still want to hear about them.
  5. Publicly accessible login panels without proof of exploitation.
  6. Reports that state that software is out of date/vulnerable without a proof of concept.
  7. Host header issues without a proof of concept demonstrating the vulnerability.
  8. HTTP codes/pages or other HTTP non- codes/pages.
  9. Fingerprinting/banner disclosure on common/public services.
  10. Disclosure of known public files or directories (e.g. robots.txt).
  11. Clickjacking/tapjacking and issues only exploitable through clickjacking/tapjacking.
  12. Any CSRF.
  13. Application error disclosure.
  14. User enumeration.
  15. Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  16. Lack of Secure/HttpOnly flags on non-security-sensitive cookies.
  17. OPTIONS HTTP method enabled.
  18. Lack of a security speed bump when leaving the site.
  19. Weak CAPTCHA.
  20. Content injection issues.
  21. HTTPS mixed content scripts.
  22. Content spoofing without embedded links/HTML.
  23. Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  24. Reflected File Download (RFD).
  25. Best practices concerns.
  26. Highly speculative reports about theoretical damage. Be concrete.
  27. Missing HTTP security headers, e.g.:
      • Strict-Transport-Security
      • X-Frame-Options
      • X-XSS-Protection
      • Host Header
      • X-Content-Type-Options
      • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
      • Content-Security-Policy-Report-Only
  28. Infrastructure vulnerabilities, including:
      • Certificates/TLS/SSL related issues
      • DNS issues (e.g. MX records, SPF records)
      • Server configuration issues (e.g. open ports, TLS)
  29. Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including all versions of Internet Explorer.
  30. Vulnerabilities involving active content such as web browser add-ons.
  31. XSS issues that affect only outdated browsers (like Internet Explorer).
  32. Issues that require physical access to a victim’s computer.
  33. Physical or social engineering attempts (this includes phishing attacks against employees).
  34. Recently disclosed 0-day vulnerabilities.
  35. Microsites with little to no user data.
  36. Most brute forcing issues.
  37. Denial of service.
  38. Spamming.

HOW TO REPORT A BUG

Step 1) Visit https://support.bitorb.com/

Step 2) Click on “Create Case”

Step 3) Send us an e-mail with the subject line: Bounty Program

RESPONSIBLE DISCLOSURE

Responsible disclosure includes:

  • Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
  • Making good-faith efforts not to leak or destroy any BitOrb user data.
  • Not defrauding BitOrb’s users or BitOrb itself in the process of discovering these vulnerabilities.
  • To promote responsible disclosure, the BitOrb team promises not to bring legal action against researchers who point out a problem provided that the researchers do their best to follow the guidelines stated above.

SLA

BitOrb will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submit) – 3 business days
  • Time for bug classification (from report submit) – 5 business days
  • Time to bounty (from bug classification) – 10 business days


We’ll keep you informed about our progress throughout the process via our customer service portal.

Other Promotions that you might like

WIN USD 33,000+ WORTH OF PRIZES​

The BitOrb Testnet Trading Competition is coming soon in November 2019, with prizes worth more than USD 33,000 in USD and BTC.

Sign up for our newsletter to stay updated on the latest details.
