BTSE Bug Bounty Program: Program Info

BTSE

The BTSE bug bounty program offers rewards to security researchers and enthusiasts who help us identify and resolve potential vulnerabilities within the BTSE system.

In Scope

Target                                                          Type     Severity  Reward
https://www.btse.com                                            Web      Critical  Bounty
https://api.btse.com                                            API      Critical  Bounty
https://play.google.com/store/apps/details?id=com.btse.finance  Android  Critical  Bounty
https://apps.apple.com/ng/app/btse/id1494556510                 iOS      Critical  Bounty

Out of scope

Target                    Type  Severity
https://support.btse.com  Web   None
https://blog.btse.com     Web   None

• Theoretical vulnerabilities without actual proof of concept

• Email verification deficiencies, expiration of password reset links, and password complexity policies

• Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)

• Clickjacking/UI redressing with minimal security impact

• Email or mobile number enumeration (e.g. the ability to identify registered emails via the password reset flow)

• Information disclosure with minimal security impact (e.g. stack traces, path disclosure, directory listings, logs)

• Internally known issues, duplicate issues, or issues which have already been made public

• Tab-nabbing

• Self-XSS

• Vulnerabilities only exploitable on out-of-date browsers or platforms

• Vulnerabilities related to auto-fill web forms

• Use of known vulnerable libraries without actual proof of concept

• Issues related to unsafe SSL/TLS cipher suites or protocol version

• Content spoofing

• Cache-control related issues

• Exposure of internal IP address or domains

• Missing security headers that do not lead to direct exploitation

• CSRF with negligible security impact (e.g. adding to favourites, adding to cart, subscribing to a non-critical feature)

• Vulnerabilities that require physical access to a user's device

• Issues that have no security impact (e.g. failure to load a web page)

• Any activity (like DoS/DDoS) that disrupts our services

• Reports from automated tools or scans

• Provide our Technical Support team reasonable turnaround time to resolve the issue before any public or third-party disclosure

• Do not compromise any personal data, and avoid interruptions or degradation of any service; never access or modify other users' data; confine all tests to your own personal accounts

• Ensure that none of your testing damages or restricts the availability of BTSE's products, services or infrastructure

• Any and all details of found vulnerabilities must only be communicated to the BTSE Team and its Management

• Testing may be done through https://testnet.btse.io and should not be done on https://www.btse.com at any given time

• Only vulnerability reports with detailed, reproducible steps and a PoC video will be eligible for a reward

• Avoid using web application scanners for automated vulnerability searches, as they generate massive traffic

• Do not exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam

• Do not spam forms or account creation flows using automated scanners

• When chained vulnerabilities are reported, BTSE will reward the vulnerability with the highest severity

• In cases where duplicates occur, the reward will only be given to the first report with complete details

• Do not break any applicable laws; any breach will render your claim invalid

• BTSE reserves the right to cancel or amend the bounty or bounty rules at our sole discretion

• Rewards will be issued within 3 weeks after the vulnerability report is verified. You can view them by logging in to your BTSE account -> My Wallet

• Rewards will be paid out in USDT

• BTSE will only reward the first verified report of a vulnerability; similar reports submitted afterwards will not be rewarded