Responsible Disclosure

Security Bounty Program

No technology is flawless. At cryptorobot.ai we are committed to ensuring that traders can manage their portfolios without worrying about the safety of their data or trade execution. If you discover something that could compromise the security of our users, we welcome your help — and we reward actionable reports.

What We Accept

Vulnerabilities In Scope

You may submit any number of vulnerability reports. Not every finding carries the same weight, however. If you identify a vulnerability in any of the following categories, please reach out to us immediately.

Qualifying Vulnerability Types

  • SQL Injection vulnerabilities
  • Encryption and cryptographic weaknesses
  • Remote Code Execution (RCE)
  • Authentication bypass or unauthorized data access
  • XML External Entity (XXE) attacks
  • Cloud storage misconfigurations (e.g. S3 bucket uploads)
  • Server-Side Request Forgery (SSRF)

Eligible Domains & Applications

The following properties are covered by this bounty program:

  • www.cryptorobot.ai
  • api.cryptorobot.ai
  • iOS application (Apple App Store)
  • Android application (Google Play Store)

Exclusions

Out of Scope

The following categories of issues are not eligible for rewards under this program:

  • Unlimited account creation without security impact
  • Actions available outside the UI with no identified security risk
  • Denial-of-service (DoS) attacks or service disruption
  • Attacks requiring man-in-the-middle or physical device access
  • Clickjacking, content spoofing, or text injection
  • CSV injection without demonstrated impact
  • Non-sensitive information disclosure (version numbers, stack traces, file paths)
  • Leaking tokens to trusted third parties over HTTPS
  • SSL/TLS, DNS, or HTTP header best-practice gaps without exploitable vulnerability
  • Missing action notifications without security impact
  • Known vulnerable libraries without a working proof of concept
  • Automated scanner or crash-dump reports without a working PoC
  • Unauthenticated, login, or logout CSRF
  • User enumeration or missing rate limiting
  • Vectors requiring unpatched software or outdated browsers (6+ months old)

Reporting

How to Submit a Vulnerability

Send your findings by email to security-bounty@cryptorobot.ai. Please describe the issue clearly and include the following:

  1. A clear description of the vulnerability discovered
  2. Step-by-step reproduction instructions
  3. The full URL and any objects (filters, input fields) involved
  4. Screenshots or screen recordings where applicable
  5. Your IP address (kept confidential, used only to correlate testing activity in our logs)

Please be as detailed as possible — your report will be reviewed by our security specialists. Clear explanations and working proof-of-concept code significantly increase the likelihood of a reward.

Guidelines

Rules of Engagement

Please act responsibly and exercise extreme care throughout your investigation. Only use methods strictly necessary to identify or demonstrate a vulnerability.

  • Practice ethical hacking — always respect other users' privacy
  • Do not exploit discovered vulnerabilities beyond what is needed for your investigation
  • Do not share findings with third parties — give us reasonable time to resolve issues before any public disclosure
  • Do not use social engineering tactics to gain system access
  • Never install backdoors — they compromise system security regardless of intent
  • Do not modify or delete data — copy only the minimum needed and never go beyond a single record if that suffices
  • Only infiltrate systems when absolutely necessary, and never share access with others
  • Avoid brute-force techniques such as repeated password attempts
  • Ensure your own systems are secured to the highest standard

Compensation

Rewards

Our reward system is flexible — there is no fixed minimum or maximum. Bounties are determined by the severity of the vulnerability, its potential impact, and the quality of your report. To be eligible for a reward your country of residence must not appear on any applicable sanctions list.

Additional considerations:

  • For duplicate reports, only the earliest submission is rewarded
  • Multiple vulnerabilities stemming from a single root cause receive one bounty
  • Our team must be able to reproduce the issue from your report — vague submissions are not eligible
  • Reports with clear write-ups and working proof-of-concept code are far more likely to earn a reward

This is a discretionary program. cryptorobot.ai reserves the right to modify or discontinue it at any time. The decision to issue a reward is at our sole discretion.

FAQ

Frequently Asked Questions

Will I receive a reward for my findings?

We genuinely appreciate every effort to help us secure our platform. Whether a reward is issued depends on the severity and impact of the finding. Our team evaluates each submission individually and will communicate the outcome directly to you.

How long does review take?

We aim to acknowledge receipt within 48 hours and provide an initial assessment within two weeks. Complex issues may require additional time for our engineering team to investigate and remediate.

Can I disclose the vulnerability publicly?

We ask that you allow us a reasonable window to address the issue before any public disclosure. Coordinated disclosure protects our users and ensures the fix is deployed before details are made available.

Found Something?

Help us protect thousands of traders worldwide. If you have discovered a potential security issue, we want to hear from you.
