BTSE Bug Bounty Program: Program Info


The BTSE bug bounty program offers rewards to security researchers and enthusiasts who help us identify and resolve potential vulnerabilities within the BTSE system.

In Scope

Target Type Severity Reward

Web Critical Bounty

API Critical Bounty

Android Critical Bounty

iOS Critical Bounty

Out of scope

Target Type Severity
Web None
Web None

• Theoretical vulnerabilities without actual proof of concept

• Email verification deficiencies, expiration of password reset links, and password complexity policies

• Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)

• Clickjacking/UI redressing with minimal security impact

• Email or mobile enumeration (E.g. the ability to identify emails via password reset)

• Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)

• Internally known issues, duplicate issues, or issues which have already been made public

• Tab-nabbing

• Self-XSS

• Vulnerabilities only exploitable on out-of-date browsers or platforms

• Vulnerabilities related to auto-fill web forms

• Use of known vulnerable libraries without actual proof of concept

• Issues related to unsafe SSL/TLS cipher suites or protocol version

• Content spoofing

• Cache-control related issues

• Exposure of internal IP address or domains

• Missing security headers that do not lead to direct exploitation

• CSRF with negligible security impact (E.g. adding to favourites, adding to cart, subscribing to a non critical feature)

• Vulnerabilities that require physical access to a user's device

• Issues that have no security impact (E.g. Failure to load a web page)

• Any activity (like DoS/DDoS) that disrupts our services

• Reports from automated tools or scans

• Provide our Technical Support team reasonable turnaround time to resolve the issue before any public or third-party disclosure

• Do not compromise any personal data, avoid interruptions or degradation of any service; Never access or modify other users’ data; Localize all tests to your personal accounts only

• Ensure all efforts taken shall not damage or restrict the availability of BTSE’s products, services or infrastructure

• Any and all details of found vulnerabilities must only be communicated to the BTSE Team and its Management

• Testing may be done through and should not be done on at any given time

• Only vulnerability reports with detailed, reproducible steps, and PoC video will be eligible for a reward

• Avoid using web application scanners for automatic vulnerability searches which generates massive traffic

• Do not exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam

• Do not spam forms or account creation flows using automated scanners

• In case chain vulnerabilities is reported, BTSE will reward the vulnerability with the highest severity

• In cases where duplicates occur, reward will only be given to the first report with complete details

• Do not break any applicable and related Laws, breach of any will render your claim invalid

• BTSE reserves the right to cancel or amend the bounty or bounty rules at our sole discretion

• Rewards will be issued within 3 weeks after the vulnerability report is verified. You can login BTSE account -> My Wallet

• Rewards will be paid out in USDT

• BTSE will only reward the first verified report of a vulnerability; similar reports that are submitted will no longer be rewarded