[New Bug Bounty] Blofin Has Launched Bug Bounty With Up to $3,000 Reward Per Critical Vulnerability

Alex Horlan
Head of Triage, HackenProof
2 Minutes Read

Meet Blofin

Blofin is your next crypto trading solution that provides the easy-to-use, secure and reliable trading experience to accommodate all folks.

Check Out The Rewards

If you find a vulnerability according to the bounty rules, Blofin will reward you:

  • Critical: $1,000 – $3,000
  • High: $500 – $1,000
  • Medium: $200 – $500
  • Low: $50 – $200

Join The Bounty Hunt

There are 2 asset types to scope!

  • Web
  • App

Bug classification:


Can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way


  • SQL injection to system (backend loophole reports would be downrated, while submission in * pack uprated if appropriate)
  • Unauthorized access to sensitive data, including but not limited to bypassing authentication * to access the backend, weak backend password, and SSRF that obtains considerable * sensitive information from the intranet
  • Serious logical design flaws and process flaws. Including but not limited to any user login vulnerability, batch modification of any account password vulnerability, logic vulnerability involving the core business of the enterprise, etc., except for verification code blasting
  • Local arbitrary code execution. Including, but not limited to, locally exploitable code * execution and native code execution vulnerabilities caused by other logical issues
  • Other vulnerabilities affecting users on a large scale. Including but not limited to stored XSS that can be automatically propagated by important pages, stored XSS that can obtain administrator authentication information and successfully exploited, etc.


  • Vulnerabilities that require interaction to affect users. Including but not limited to stored XSS * of general pages, CSRF involving core business, etc.
  • Ordinary unauthorized operation. Including but not limited to bypassing restrictions, modifying user information, performing user operations, etc.
  • Vulnerabilities that can be caused by the successful blasting of sensitive system operations * such as arbitrary account login and arbitrary password retrieval due to verification code logic
  • The locally stored sensitive authentication key information is leaked, and it needs to be * effectively used.
  • Subdomain takeover


  • Local Denial of Service Vulnerability. Including but not limited to client-side local denial of service (parsing file formats, crashes caused by network protocols), exposure of Android component permissions, problems caused by common application permissions, etc.
  • General information leakage. Including but not limited to Web path traversal, system path traversal, directory browsing, etc.
  • Reflected XSS (including DOM XSS / Flash XSS)
  • Normal CSRF
  • URL redirection vulnerability

Once you’re ready, click here to join the bounty hunt!

Read more on HackenProof Blog