Binance

  • $200 – $100,000 per vulnerability
  • Managed by Bugcrowd

Program stats

25 vulnerabilities rewarded

Validation within about 12 hours (75% of submissions are accepted or rejected within about 12 hours)

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

About:

Binance is the number one cryptocurrency exchange, operating in many places throughout the world. Specializing in crypto-to-crypto transactions, we provide access to hundreds of digital currency pairs. As a leading exchange platform, we prioritize security, liquidity, and speed, while maintaining some of the lowest fees in the industry at 0.1% per trade (or 0.05% by using our BNB coin). We strive to give our users the best experience possible, also providing access to some of the latest blockchain/DLT technologies available, with new cryptocurrencies being listed frequently.

Binance stands for “Binary Finance”, integrating digital technology with finance. Just as the name suggests, we are digital currency enthusiasts, with more than 20 years of combined finance, security, and development experience at top exchange platforms and companies including the Tokyo Stock Exchange, Morgan Stanley, Accenture, and other Top 100 companies from all over the world.

Policy:

At Binance, the security of our users is our number one priority. As such, we strive to provide the most secure platform possible. We will evaluate reported security issues based on the security impact to our users and the Binance ecosystem.

This bounty brief describes the rules of the Binance bug bounty program, as well as the eligibility of vulnerabilities and the rewards.


Rewards/Ratings:

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Rewards will be paid out in BNB (Binance Coin). Once your submission is accepted the Binance team will ask for your email address associated with your wallet to send your payment. To receive the payment, we suggest researchers create a separate private Binance account. Prices will change with the cryptocurrency markets and the dollar amount listed below could change.

Please note that only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards.

Binance is eager to work with the community to make sure that every researcher's finding is rewarded fairly, based on the vulnerability's impact on business and overall severity. To this end, it is possible that extraordinarily severe issues or those with extreme impact may be rewarded up to $100,000.

Binance may award an additional reward bonus for exceptional reports. This will be done at Binance's discretion.

Reward Range

Last updated 2018-08-01 04:26:28 UTC

  Technical severity    Reward range
  P1  Critical          $5,000 - $10,000
  P2  Severe            $2,500 - $5,000
  P3  Moderate          $600 - $1,500
  P4  Low               $200 - $600

P5 submissions do not receive any rewards for this program.

Targets

In scope

Out of scope

Any domain/property of Binance not listed in the targets section is out of scope.

Target Information:

Windows: Here
macOS: Here
iOS: Here
Android: Here
API Documentation: Here

Access:

Researchers are encouraged to self-provision accounts as needed; when doing so, please sign up for an account using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.

Actions to avoid:

  • Testing on accounts other than those that you own
  • Automated testing using tools such as scanners
  • Excessive request attempts
  • Destruction of data

Ineligible issues:

  • Theoretical vulnerabilities without actual proof of concept
  • Email verification deficiencies, expiration of password reset links, and password complexity policies
  • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
  • Clickjacking/UI redressing with minimal security impact
  • Email enumeration - For example, the ability to identify emails via password reset.
  • Information disclosure with minimal security impact (stack traces, path disclosure, directory listings)
  • Internally known issues, duplicate issues, or issues which have already been made public
  • Tab-nabbing
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Vulnerabilities related to auto-fill web forms
  • Use of known vulnerable libraries without actual proof of concept
  • Lack of security flags in cookies
  • Issues related to unsafe SSL/TLS cipher suites or protocol versions
  • Content spoofing
  • Cache-control related issues
  • Missing security headers that do not lead to direct exploitation
  • CSRF with negligible security impact
  • Vulnerabilities that require root/jailbreak
  • Vulnerabilities that require physical access to a user's device

Non-security related issues:

Please submit a request ticket at https://support.binance.com/hc/en-us.

Thank you for your efforts in helping keep Binance and its users safe!

Program Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.