BTSE Bug Bounty Program

Company: BTSE
This program is active now

The BTSE bug bounty program offers rewards to security researchers and enthusiasts who help us identify and resolve potential vulnerabilities within the BTSE system.

In scope

Target                                                           Type     Severity  Reward
https://www.btse.com                                             Web      Critical  Bounty
https://api.btse.com                                             API      Critical  Bounty
https://play.google.com/store/apps/details?id=com.btse.finance   Android  Critical  Bounty
https://apps.apple.com/ng/app/btse/id1494556510                  iOS      Critical  Bounty
Out of scope

Target                      Type  Severity  Reward
https://support.btse.com    Web   None      Bounty
https://blog.btse.com       Web   None      Bounty

Ineligible Issues (Issues considered as out of scope)

• Theoretical vulnerabilities without actual proof of concept

• Email verification deficiencies, expiration of password reset links, and password complexity policies

• Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)

• Clickjacking/UI redressing with minimal security impact

• Email or mobile enumeration (E.g. the ability to identify emails via password reset)

• Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)

• Internally known issues, duplicate issues, or issues which have already been made public

• Tab-nabbing

• Self-XSS

• Vulnerabilities only exploitable on out-of-date browsers or platforms

• Vulnerabilities related to auto-fill web forms

• Use of known vulnerable libraries without actual proof of concept

• Issues related to unsafe SSL/TLS cipher suites or protocol versions

• Content spoofing

• Cache-control related issues

• Exposure of internal IP address or domains

• Missing security headers that do not lead to direct exploitation

• CSRF with negligible security impact (E.g. adding to favourites, adding to cart, subscribing to a non-critical feature)

• Vulnerabilities that require physical access to a user's device

• Issues that have no security impact (E.g. Failure to load a web page)

• Any activity (like DoS/DDoS) that disrupts our services

• Reports from automated tools or scans

Disclosure Policy and Program Rules

• Provide our Technical Support team reasonable turnaround time to resolve the issue before any public or third-party disclosure

• Do not compromise any personal data, avoid interruptions or degradation of any service; Never access or modify other users’ data; Localize all tests to your personal accounts only

• Ensure all efforts taken shall not damage or restrict the availability of BTSE’s products, services or infrastructure

• Any and all details of found vulnerabilities must only be communicated to the BTSE Team and its Management

• Testing may be done through https://testnet.btse.io and should not be done on https://www.btse.com at any given time

• Only vulnerability reports with detailed, reproducible steps and a PoC video will be eligible for a reward

• Avoid using web application scanners for automated vulnerability searches, which generate massive traffic

• Do not exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam

• Do not spam forms or account creation flows using automated scanners

• Where a chain of vulnerabilities is reported, BTSE will reward the vulnerability with the highest severity

• In cases where duplicates occur, the reward will only be given to the first report with complete details

• Do not break any applicable and related laws; any breach will render your claim invalid

Terms

• BTSE reserves the right to cancel or amend the bounty or bounty rules at our sole discretion

• Rewards will be issued within 3 weeks after the vulnerability report is verified. You can view them by logging in to your BTSE account and opening My Wallet

• Rewards will be paid out in USDT

• BTSE will only reward the first verified report of a vulnerability; subsequent similar reports will not be rewarded

Rewards

Range of bounty: $100 - $1,000

Severity   Reward
Critical   $700 - $1,000
High       $500 - $700
Medium     $300 - $500
Low        $100 - $300
Stats

Total rewards: $2,900
Submissions: 206
Types: apps, Web
Platforms: iOS, Android
Project types: CEX
Hackers (65)

Rk Thakur 🇳🇵        1
Sabuhi Ismayilov    2
Tushar Sharma       3
Rutvik kalkumbe     5
SLA (Service Level Agreement)

Time within which the program's triage team must respond

Response Type     Business days
First Response    3d
Triage Time       7d
Reward Time       7d
Resolution Time   30d