Bug Bounty

Report a Vulnerability

Help us keep Rapidtrade secure. We reward security researchers who responsibly disclose vulnerabilities.

Bounty Rewards

Critical (CVSS 9.0 - 10.0): $50,000 - $250,000

  • Remote code execution on production systems
  • Private key or seed phrase exfiltration
  • Unauthorized fund transfers
  • Smart contract vulnerabilities affecting user funds
  • Authentication bypass on trading systems
  • Full database compromise

High (CVSS 7.0 - 8.9): $10,000 - $50,000

  • SQL injection with data exfiltration
  • Privilege escalation to admin
  • Sensitive data exposure (PII, financial data)
  • SSRF with significant impact
  • Broken authentication mechanisms
  • Server-side request forgery

Medium (CVSS 4.0 - 6.9): $2,500 - $10,000

  • Stored cross-site scripting (XSS)
  • CSRF on sensitive actions
  • IDOR with meaningful impact
  • Information disclosure
  • OAuth/OpenID misconfigurations
  • Session fixation

Low (CVSS 0.1 - 3.9): $500 - $2,500

  • Reflected XSS
  • Minor information leakage
  • Security header misconfigurations
  • Rate limiting bypass
  • Verbose error messages
  • Missing best practices

In Scope

  • rapidtrade.org (Web Application): All pages and functionality
  • *.rapidtrade.org (Subdomains): Including staging and beta
  • api.rapidtrade.org (REST API): v2 and v3 endpoints
  • ws.rapidtrade.org (WebSocket): Real-time feeds
  • iOS App (Mobile): Latest App Store version
  • Android App (Mobile): Latest Play Store version
  • Smart Contracts (Blockchain): Verified contracts only

Out of Scope

  • Third-party services and integrations
  • Social engineering attacks on employees
  • Physical security attacks
  • Denial of service (DoS/DDoS) attacks
  • Automated scanning without prior approval
  • Vulnerabilities in outdated browsers
  • Recently disclosed 0-days (< 30 days)
  • Attacks requiring MITM or physical access to user device

Submit a Report

Provide as much detail as possible. The more information you include, the faster we can validate and reward.

By submitting, you agree to our vulnerability disclosure policy.

Encrypted Reports

For sensitive disclosures, encrypt your report with our PGP key.

Fingerprint: 4A7B 9C3D E5F1 2468 ACE0...
Download full key

Response Timeline

  • 24 hours: Initial acknowledgment
  • 72 hours: Severity assessment
  • 14 days: Bounty payment (if valid)
  • 90 days: Coordinated disclosure

Recognition

Valid reports earn a spot in our Hall of Fame (with your permission).

View Hall of Fame

Other Channels