Security Bounty Program
No technology is perfect. At Cryptohopper, we take the security of our users' funds and data seriously — and we appreciate every researcher who shares that commitment. We welcome all actionable reports and only pay rewards for findings that have real, demonstrable impact.
Our commitment to researchers
We want security research to be safe and worthwhile. If you follow the rules in this program, we commit to:
- Acknowledge your report within 5 business days
- Keep you informed as we triage and work on a fix
- Not pursue civil or criminal action against you for security research conducted within the scope of this program
- Ask for 30 days before you publicly disclose a finding, to give us time to fix and protect our users
We ask that you give us a fair chance to respond before going public. If we miss the 30-day window without a valid reason, we will work with you on a coordinated disclosure timeline.
What we want to hear about
To qualify for a reward, a submission must include a working proof of concept and a clear description of what an attacker could actually do. We prioritize findings in these areas:
System compromise
- Remote Code Execution
- SQL Injection
- Other injection types (NoSQL, command, template injection) with a working exploit
- XML External Entity (XXE)
- Server-Side Request Forgery (SSRF)
- S3 Bucket access/upload
Account and data security
- Authentication bypass or unauthorized data access
- Insecure Direct Object References (IDOR) — accessing another user's data by manipulating IDs
- Session or token flaws (session fixation, predictable tokens, JWT misuse) leading to account takeover
- Cross-Site Scripting (XSS) that can steal sessions or credentials
- Sensitive data exposure — private keys, API secrets, or PII visible in responses, JS bundles, or logs
Financial impact
- Business logic flaws that allow unauthorized trading, order manipulation, or balance abuse
Cryptography
- Encryption vulnerabilities
Other vulnerability types may qualify if you can demonstrate clear, real-world impact on user data, funds, or system integrity.
In-scope assets
- www.cryptohopper.com
- api.cryptohopper.com
- iOS application at Apple Store: cryptohopper-crypto-trading/id1463052050
- Android application at Google Play Store: com.cryptohopper_mobile
What we do not reward
The following are out of scope. Reports in these categories will not receive a bounty and may not receive a detailed response.
Report quality
- No working proof of concept — we need to be able to reproduce the finding
- Output from automated scanners only (Burp, Nessus, Nuclei, etc.) without a manual proof of concept
- AI-generated or templated reports that do not reflect original, verified research
- Duplicate reports — we reward the first report we receive
- Self-XSS — only affects the reporter with no impact on other users
- Previously known vulnerable libraries without a working exploit
Scope and environment
- Testing against assets not listed as in scope (staging environments, partner sites, third-party integrations)
- Issues that require prior compromise of the user's device or account, unless our system is the direct enabler
- Issues on jailbroken or rooted devices, or non-standard client configurations (custom proxies, modified apps), unless the impact is critical and realistic
- Vulnerabilities in deprecated or end-of-life products we no longer support
- Vectors requiring unpatched environments (e.g. missing OS updates) or browser versions older than 6 months
- Attacks requiring MiTM or physical device access
Low-impact and best-practices-only
- Public keys from third-party integrations (e.g. exchange API public keys) — these are not secret and are not a vulnerability
- Open redirects without a realistic attack chain (no token theft, no meaningful phishing path)
- Clickjacking without a meaningful attack scenario
- CSRF, including unauthenticated/login/logout CSRF
- User enumeration
- Banner, version, or stack trace disclosure without a demonstrated follow-on attack
- IP address or origin disclosure
- Missing rate limiting without a clear abuse scenario
- Missing best practices in SSL/TLS, DNS (DKIM/DMARC/SPF), or HTTP headers unless you can demonstrate real impact
- Missing Subresource Integrity (SRI) without evidence the script can actually be tampered with
- Content spoofing or text injection
- CSV injection without a working exploit
- Ability to create accounts or send emails without limits (no demonstrated abuse)
- Disclosure of non-sensitive information (product versions, file paths)
- Token leakage to trusted third parties over HTTPS
- Missing notifications for user actions
- DoS/DDoS
Conduct
- Please do not tie your report to payment demands or disclosure threats. We treat every report fairly and base rewards purely on technical merit and impact. Reports accompanied by demands or threats will not be eligible for a reward.
- Violations of the program rules (unauthorized data access, public disclosure before fix, etc.)
How to submit
Email [email protected]. We will acknowledge your report within 5 business days.
What happens next
- Acknowledgement — we confirm receipt within 5 business days
- Triage — our security team reviews and reproduces the finding
- Fix — we work on a resolution and keep you updated
- Reward — if eligible, we discuss and pay the bounty
- Disclosure — we ask for 30 days before any public disclosure
A good report makes it easy for our engineers to reproduce the issue and understand the impact. Please include:
- Impact statement — what can an attacker actually do? (e.g. 'An attacker can take over any account by…')
- Step-by-step reproduction — exact steps, requests, or a minimal script
- Proof of concept — a working script or request sequence
- Affected URL and parameters — full URL, filters, or fields involved
- Screenshots or video (highly appreciated)
- Your IP address — kept private, used to correlate with our logs
Reports that are vague, lack a clear impact, or cannot be reproduced are not eligible for a reward and may not receive a detailed reply.
Rules
Test responsibly. Only use methods necessary to find or demonstrate a vulnerability.
- Respect other users' privacy — do not access data beyond what is strictly necessary to prove the issue
- Do not exploit vulnerabilities for any purpose beyond your own investigation
- Do not disclose vulnerabilities publicly or to third parties within 30 days of your report; give us time to fix before going public
- Do not use social engineering to gain access
- Do not install back doors, modify data, or alter the system in any way
- Do not use brute force techniques
- Do not perform denial-of-service testing
- Keep access to yourself — do not share system access with others
Rewards
We appreciate all actionable reports — every genuine submission helps us protect our users. Rewards, however, are reserved for findings that have demonstrable, real-world impact. Payout is based on severity, impact, and report quality; there is no fixed minimum or maximum.
We do not pay rewards for low-impact issues, theoretical findings without a working exploit, or automated or AI-generated reports.
To be eligible, you must reside in a country not subject to applicable sanctions (e.g. Cuba, Iran, North Korea, Sudan, Syria). This is a discretionary program — Cryptohopper reserves the right to cancel it or decline to pay a reward at any time.
A few things to keep in mind:
- When duplicates occur, only the first report received is rewarded
- Multiple vulnerabilities from a single root cause are treated as one finding
- Rewards may be monetary or in the form of a Cryptohopper subscription, at our discretion
- Monetary rewards are paid via PayPal (worldwide) or bank transfer (EU only)