BTSE Bug Bounty Program

At BTSE, the security of our users is our top priority. The BTSE bug bounty program offers rewards to security researchers and enthusiasts who help us identify and resolve potential vulnerabilities within the BTSE system. The program aims to improve BTSE’s security by leveraging crowdsourced participation and rewarding duly verified potential security threats.


All verified reports with Low to Critical severity will receive a corresponding reward after review. Please see the table below for reference:

Vulnerability Severity and Rewards Table

Severity (CVSSv3)    Reward
Critical             $700 - $1,000
High                 $500 - $700
Medium               $300 - $500
Low                  $100 - $300



Scope - In Scope Targets

Type                 Target
BTSE Platform        https://www.btse.com
BTSE API             https://api.btse.com
Android Mobile App   https://play.google.com/store/apps/details?id=com.btse.finance
iOS Mobile App       https://apps.apple.com/ng/app/btse/id1494556510


Please submit all security reports at: https://support.btse.com/en/support/tickets/new


Scope - Out of Scope Targets

Type                 Target
BTSE Support         https://support.btse.com



Ineligible Issues (Issues considered as out of scope)

• Theoretical vulnerabilities without an actual proof of concept

• Email verification deficiencies, expiration of password reset links, and password complexity policies

• Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)

• Clickjacking/UI redressing with minimal security impact

• Email or mobile enumeration (e.g. the ability to identify emails via password reset)

• Information disclosure with minimal security impact (e.g. stack traces, path disclosure, directory listings, logs)

• Internally known issues, duplicate issues, or issues which have already been made public

• Tab-nabbing

• Self-XSS

• Vulnerabilities only exploitable on out-of-date browsers or platforms

• Vulnerabilities related to auto-fill web forms

• Use of known vulnerable libraries without an actual proof of concept

• Issues related to unsafe SSL/TLS cipher suites or protocol versions

• Content spoofing

• Cache-control related issues

• Exposure of internal IP addresses or domains

• Missing security headers that do not lead to direct exploitation

• CSRF with negligible security impact (e.g. adding to favourites, adding to cart, subscribing to a non-critical feature)

• Vulnerabilities that require physical access to a user's device

• Issues that have no security impact (e.g. failure to load a web page)

• Any activity (such as DoS/DDoS) that disrupts our services

• Reports from automated tools or scans


Disclosure Policy and Program Rules

• Submit your discovered potential security issue as soon as possible to BTSE’s Customer Support for immediate resolution

• Provide our Technical Support team a reasonable turnaround time to resolve the issue before any public or third-party disclosure

• Do not compromise any personal data, and avoid interruptions or degradation of any service; never access or modify other users’ data; localize all tests to your personal accounts only

• Ensure that all efforts taken do not damage or restrict the availability of BTSE’s products, services or infrastructure

• Any and all details of found vulnerabilities must only be communicated to the BTSE Team and its Management

• Testing may be done through https://testnet.btse.io and should not be done on https://www.btse.com at any given time

• Only vulnerability reports with detailed and reproducible steps will be eligible for a reward

• Avoid using web application scanners for automatic vulnerability searches, as these generate massive traffic

• Do not exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam

• Do not spam forms or account creation flows using automated scanners

• If a chain of vulnerabilities is reported, BTSE will reward the vulnerability with the highest severity

• In cases where duplicates occur, the reward will only be given to the first report with complete details

• Do not break any applicable and related laws; any breach will render your claim invalid


Terms

• BTSE reserves the right to cancel or amend the bounty or bounty rules at our sole discretion

• Rewards will be issued within 3 weeks after the vulnerability report is verified. You can view them by logging in to your BTSE account -> My Wallet

• Rewards will be paid out in USDT

• BTSE will only reward the first verified report of a vulnerability; similar reports that are submitted later will not be rewarded