Bittrex US is the most trusted cryptocurrency exchange known for its next-level security. We’re looking to enhance our security by tapping into the ethical hackers' community.
In Scope
| Target | Type | Severity | Reward |
|---|---|---|---|
*.bittrex.com |
Web | Critical | Bounty |
auth.bittrex.com |
Web | Critical | Bounty |
global.bittrex.com |
Web | Critical | Bounty |
static.bittrex.com |
Web | Critical | Bounty |
web.bittrex.com |
Web | Critical | Bounty |
https://bittrex.github.io/api/v3 |
API | Critical | Bounty |
https://play.google.com/store/apps/details?id=com.bittrex.trade |
Android | Critical | Bounty |
https://apps.apple.com/app/id1465314783 |
iOS | Critical | Bounty |
stage.bittrex.com |
Web | Critical | Bounty |
Out of scope
| Target | Type | Severity |
|---|---|---|
Support.bittrex.com (Zendesk) |
Web | None |
Testing Conditions
All vulnerabilities that can influence price action or cause any production environment damage need to be raised to the Bittrex Team first and a consent should be obtained before proceeding with PoC. Please reach out to [email protected] for these requests.
In-Scope Vulnerabilities
We are interested in the following vulnerabilities:
- Business logic issues
- Payments manipulation
- Remote code execution (RCE)
- Injection attacks
- File inclusions (Local & Remote)
- Access Control Issues (IDOR, Privilege Escalation, etc)
- Leakage of sensitive information
- Domain takeover
- Server-Side Request Forgery (SSRF)
- OAuth & app secret hard-coded/recoverable in IPA, APK
- 0day for 3rd party applications (in the first 30 days)
- Other vulnerability with a clear potential loss
Out-of-Scope Vulnerabilities
OUT OF SCOPE - WEB
- Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not correspond to the severity threshold:
- Vulnerabilities in third-party applications
- Unexploitable theoretical or best practices concerns
- 0days for Azure
- Vulnerabilities affecting users of outdated browsers or platforms
- Social engineering, spam, phishing, physical, or other fraud activities
- Most brute-forcing issues without clear impact
- DoS/DDoS issues
- Non-sensitive Information Disclosure
- Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
- Self-XSS that cannot be used to exploit other users
- Missing cookie flags on non-sensitive cookies
- CSRF on unauthenticated endpoints
- OPTIONS/TRACE HTTP method enabled
- Host header issues without proof-of-concept demonstrating the vulnerability
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Any attacks requiring physical access to a user's device
OUT OF SCOPE - MOBILE
- Attacks requiring physical access to a user's device
- Vulnerabilities requiring extensive user interaction
- Exposure of non-sensitive data on the device
- Reports from static analysis of the binary without PoC that impacts business logic
- Lack of obfuscation/binary protection/root(jailbreak) detection
- Bypass certificate pinning on rooted devices
- Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
- Sensitive data in URLs/request bodies when protected by TLS
- Path disclosure in the binary
- Sensitive information retained as plaintext in the device’s memory
- Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
- Any kind of sensitive data stored in-app private directory
- Runtime hacking exploits using tools like but not limited to Frida/ Appmon (exploits only possible in a jailbroken environment)
- Shared links leaked through the system clipboard
- Any URIs leaked because a malicious app has permission to view URIs opened.
- Exposure of API keys with no security impact (Google Maps API keys etc.)
- Only reports of new, unknown vulnerabilities are eligible for a reward. A vulnerability is known (i.e. a duplicate) if it’s already been reported externally or discovered internally.
- Vulnerabilities already publicly disclosed will not be eligible for a reward.
- After reporting, details of a vulnerability may only be made public with expressed authorization from Bittrex.
- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
- Make every effort not to damage or restrict the availability of products, services or infrastructure
- Avoid compromising any personal data, interruption or degradation of any service
- Don’t access or modify other user data, localize all tests to your accounts
- Perform testing only within the scope
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam
- Don’t spam forms or account creation flows using automated scanners
- In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
- Don’t break any law and stay in the defined scope
- Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
Please note, that the following persons and legal entities are expressly prohibited from participation in this bug bounty program and are not eligible for any reward:;
- individuals / entities which are subject to any sanctions lists (including SDN List by OFAC and its Consolidated List, List of persons / organizations wanted by Interpol, List of person / organizations, which are subject to the “most wanted” by FBI of the USA and such other lists);
- individuals / entities which are or were engaged in work / contractorship / other relationship with and/or received payments from the entities / companies, which are subject to any sanctions lists;
- individuals / entities which are subject to comprehensive sanctions against certain jurisdictions (including Cuba, Iran, North Korea, Syria and the Crimea region of Ukraine);
- individuals / entities residing in a sanctioned region.