BTC Markets Bug Bounty Policy

Security is a top priority for us, and we take it very seriously. We put a lot of effort into our trading platform, infrastructure, and processes to ensure that BTC Markets is safe and secure for our customers. We also put a lot of effort in ensuring the security of our customer’s data. However, in case you are able to discover any security vulnerability, we would appreciate your help in responsibly reporting the issue to us so that we can investigate and address it as soon as possible.

Reward Evaluation

We will award an amount in one of our listed assets on a case by case basis depending on the severity of the issue. Please note that we only award one bounty per bug.

Program Rules

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Don’t violate customers privacy, destroy data, or disrupt or degradation of our service. Only interact with accounts you own or with explicit, written permission of the account holder that you can provide to BTC Markets. Otherwise your actions might be interpreted as an attack rather than an effort to be helpful.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

Eligible bounties

Any design or implementation issue that results in the loss/compromise of data or money for BTC Market or any of its customers. The most common examples are:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF/XSRF)
  • Authentication or authorization flaws
  • Remote code execution
  • Click jacking
  • Code injection
  • Leaks of sensitive data

Issues that aren't eligible for reward

We cannot reward bounties for issues that are outside of our direct control, such as:

  • Issues on sites hosted by third parties unless they lead to a vulnerability on the main website.
  • Issues on BTC Markets social media and blog pages
  • Issues contingent on physical attack, social engineering, spamming, DDOS attack, etc.
  • Issues affecting outdated or unpatched browsers.
  • Issues in third party applications that make use of BTC Market’s API.
  • Issues that have not been responsibly investigated and reported.
  • Issues that aren't reproducible.
  • Issues that we can't reasonably be expected to do anything about.

Submitting an issue

  • Submit your issue report through our support page. Submissions must be made in English.
  • Try to include as much information in your report as you can, including a description of the issue, its potential impact, and steps for reproducing it or proof of concept.
  • Prior to claiming your reward, BTC Markets will complete an ID verification check