Security

Vulnerability Disclosure Policy

Guidelines for security researchers participating in our bug bounty program. We value your contributions to keeping Rapidtrade secure.

Safe Harbor

Rapidtrade will not pursue legal action against security researchers who comply with the following guidelines:

Good Faith Testing

Conduct testing in good faith to identify and report vulnerabilities without causing harm to users or systems.

No Data Access

Do not access, modify, delete, or exfiltrate user data. If you accidentally access user data, stop immediately and report.

No Service Disruption

Avoid actions that could degrade service performance, availability, or integrity for other users.

Timely Reporting

Report vulnerabilities promptly through our official channels. Do not exploit vulnerabilities beyond proof of concept.

Coordinated Disclosure

Allow 90 days for remediation before public disclosure. Work with us on coordinated disclosure timing.

Single Account

Use only accounts you own or have explicit permission to test. Do not attempt to access other users' accounts.

Legal Authorization: This policy constitutes authorization to conduct security research under the Computer Fraud and Abuse Act (CFAA) and provides safe harbor under the Digital Millennium Copyright Act (DMCA) §1201(j). We will not pursue legal action against researchers who act in good faith pursuant to this policy.

Our Commitments

Rapid Response

  • Acknowledge receipt within 24 hours
  • Provide initial assessment within 72 hours
  • Keep you informed of remediation progress
  • Notify you when issues are resolved

Fair Compensation

  • Pay bounties within 14 days of validation
  • Determine payouts based on impact and quality
  • Offer bonuses for exceptional reports
  • Never reduce bounties for duplicate reports

Recognition

  • Credit in our Hall of Fame (with permission)
  • Annual security researcher appreciation
  • References for employment (on request)
  • Early access to new security features

Legal Protection

  • No legal action for good faith research
  • DMCA safe harbor for security research
  • CFAA safe harbor provisions
  • Written authorization available on request

Testing Guidelines

Allowed

  • Testing against your own accounts
  • Manual testing and analysis
  • Reviewing client-side JavaScript
  • Testing API endpoints with your credentials
  • Using automated scanners with rate limiting
  • Social engineering against yourself

Not Allowed

  • Denial of service attacks
  • Automated high-volume scanning
  • Physical security testing
  • Social engineering against employees
  • Testing against other users' data
  • Exploiting vulnerabilities in production

Program Scope

Web Applications

  Asset                    Severity tier
  rapidtrade.org           High
  app.rapidtrade.org       Critical
  staging.rapidtrade.org   Medium
  beta.rapidtrade.org      Medium

APIs

  Asset                    Severity tier
  api.rapidtrade.org/v3/*  Critical
  api.rapidtrade.org/v2/*  High
  ws.rapidtrade.org        Critical
  auth.rapidtrade.org      Critical

Mobile Apps

  Asset                      Severity tier
  iOS App (App Store)        High
  Android App (Play Store)   High
  iOS TestFlight             Medium
  Android Beta               Medium

Smart Contracts

  Asset                            Severity tier
  Verified contracts on Ethereum   Critical
  Verified contracts on Solana     Critical
  Bridge contracts                 Critical
  Staking contracts                High

Exclusions

The following issues are generally not eligible for bounty rewards:

  • Self-XSS without a clear attack vector
  • Missing security headers without demonstrated impact
  • CSRF on non-sensitive actions
  • Clickjacking on pages without sensitive actions
  • Missing rate limiting on non-authentication endpoints
  • Password complexity requirements
  • Username/email enumeration
  • SSL/TLS configuration issues
  • SPF/DKIM/DMARC issues
  • Missing cookie flags on non-sensitive cookies
  • Theoretical vulnerabilities without a proof of concept