Binance

  • $200 – $10,000 per vulnerability
  • Up to $100,000 maximum reward
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

153 vulnerabilities rewarded

Validation within about 8 hours
75% of submissions are accepted or rejected within about 8 hours

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

About:

Binance is the number one cryptocurrency exchange, operating in many places throughout the world. Specializing in crypto-to-crypto transactions, we provide access to hundreds of digital currency pairs. As a leading exchange platform, we prioritize security, liquidity, and speed, while maintaining some of the lowest fees in the industry. We strive to give our users the best experience possible, also providing access to some of the latest blockchain/DLT technologies available, with new cryptocurrencies being listed frequently.

Binance stands for “Binary Finance”, integrating digital technology with finance. Just as the name suggests, we are digital currency enthusiasts, with more than 20 years of combined finance, security, and development experience at top exchange platforms and companies including the Tokyo Stock Exchange, Morgan Stanley, Accenture, and other Top 100 companies from all over the world.

Policy:

At Binance, the security of our users is our number one priority. As such, we strive to provide the most secure platform possible. We will evaluate reported security issues based on the security impact to our users and the Binance ecosystem.

This bounty brief describes the rules of the Binance bug bounty program, as well as the eligibility of vulnerabilities and the rewards.


Rewards/Ratings:

This program takes reference from the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. Prioritization/ratings may vary from the Bugcrowd Vulnerability Rating Taxonomy.

Rewards will be paid out in BNB.

Once your submission is accepted, please provide one of the following to receive your reward:

  • email address registered on Binance
  • your BNB wallet address

We suggest researchers create a separate private Binance account, or a BNB wallet.

*BNB prices move with the cryptocurrency markets, so the dollar amounts listed below may change.

Please note that only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards.

*Binance is eager to work with the community to make sure that every researcher's finding is rewarded fairly - based on the vulnerability's impact on business and overall severity. To this end, it is possible that extraordinarily severe issues or those with extreme impact may be rewarded up to $100,000.

Binance may award an additional reward bonus for exceptional reports. This will be done at Binance's discretion.

Reward range

Technical severity | Reward range
P1 Critical | $5,000 - $10,000
P2 Severe | $1,500 - $5,000
P3 Moderate | $600 - $1,500
P4 Low | $200 - $600

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type | Tags
*.binance.com | Website Testing | AWS, ReactJS, NodeJS, Amazon Cloudfront, Website Testing
api.binance.com | API Testing | Cryptocurrency, API Testing, HTTP
*.binance.org | Website Testing | ReactJS, AWS, NodeJS, Amazon Cloudfront, Website Testing
*dex.binance.org | API Testing | Cryptocurrency, API Testing, HTTP
Binance Chain | Other | Cryptocurrency
binance.sg | Website Testing | ReactJS, NodeJS, Cryptocurrency, Website Testing
binance.us | Website Testing | AWS, ReactJS, NodeJS, UIKit, Amazon Cloudfront, Cryptocurrency, Website Testing
Binance Mobile Application for Android | Android | Cryptocurrency, Mobile Application Testing, Android, Java, Kotlin
Binance Mobile Application for iOS | iOS | Cryptocurrency, Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI
Binance Desktop Application | Other | Desktop Application Testing, Cryptocurrency
Binance macOS Application | Other | macOS, Cryptocurrency
https://github.com/binance-chain/tss-lib | Other | Cryptography, Cryptocurrency
https://github.com/binance-chain/bep3-smartcontracts | Other | Cryptocurrency
https://github.com/binance-chain/bep3-deputy | Other | Cryptocurrency
https://github.com/binance-chain/ledger-app-binance | Other | Cryptocurrency
Trustwallet Android App | Android | (none)
Trustwallet iOS App | iOS | (none)
https://github.com/trustwallet/wallet-core/ | Other | (none)
Binance Smart Chain | Other | (none)
https://github.com/binance-chain/bsc-genesis-contract | Other | (none)
https://github.com/binance-chain/bsc-relayer | Other | (none)
https://github.com/binance-chain/oracle-relayer | Other | (none)
https://github.com/binance-chain/bsc | Other | (none)

Out of scope

Target name | Type
support.binance.* | Website Testing
community.binance.org | Website Testing
*.trustwallet.com | Website Testing
*.trustwalletapp.com | Website Testing

Any domain/property of Binance not listed in the targets section is out of scope.

Target Information:

Binance

Primary Targets - Eligible for bounty from P4 and above

*.binance.com (with exceptions, refer to Secondary Targets)
api.binance.com
binance.us
*.binance.org
*dex.binance.org
Binance Chain
Binance Chain Documentation
Binance Chain Github repositories in scope
Binance Smart Chain
Binance Smart Chain Github repositories in scope
Binance Mobile Application for Android
Binance Mobile Application for iOS
Binance Desktop Application
Binance macOS Application

Secondary Targets - Eligible for bounty for P1 and P2. P3 and P4 will be points only

academy.binance.com
info.binance.com
binance.sg

For Bugs Affecting Multiple Binance Exchanges
If an issue reported for one of our exchanges (e.g. binance.com) affects any of our other exchanges (e.g. binance.je), and shares the same root cause, it will be treated as a single issue. Please do not report the same exact bug multiple times.

Binance resources

Windows : Here
macOS : Here
iOS : Here
Android : Here
API Documentation : Here

Binance Chain & Smart Chain and DEX resources

Binance Chain Documentation : Here


Binance Chain & Smart Chain Vulnerability Classifications

P1:

  • Vulnerabilities that could undermine the safety of any user's or validator's funds or fees
  • Subversion of the DEX trading logic
  • Vulnerabilities that could severely undermine trading or token economy
  • Remote Code Execution on any Binance Chain/Smart Chain node, such as Validator nodes, Witness nodes, or Seed nodes
  • Vulnerabilities related to key generation, encryption, decryption, signing and verification
  • Vulnerabilities that could disrupt the Binance Chain governance
  • Remote leaks of unencrypted private keys / mnemonic / key seed
  • Transaction origin spoofing or transaction malleability
  • Merkle proof validation vulnerabilities
  • Validator selection set manipulation

P2:

  • Denial of service of any Binance Chain validator node
  • Vulnerabilities that could undermine or disrupt trading or token economy
  • Vulnerabilities that could disrupt the Validator consensus result and performance
  • Vulnerabilities that could cause the Accelerated Node to be unable to respond to user queries on orders, transactions, balances, or market depth
  • Access of disabled channels for cross chain communication
  • Denial of service of cross chain communication

P3:

  • Denial of service of Web Wallet usage
  • Denial of service of the Binance Chain & Smart Chain Explorer
  • Denial of service of seed and/or data seed nodes
  • Denial of service for BSC Relayers / Oracle Relayers

P4:

  • Vulnerabilities that could affect the stability or availability of Binance Chain / DEX / Explorer
  • Vulnerabilities that could affect the stability or availability of the Web Wallet

For non-security related issues, you can ask questions and give feedback here.


Binance Chain & Smart Chain Github Vulnerability Classifications

In Scope:

https://github.com/binance-chain/tss-lib
https://github.com/binance-chain/bep3-smartcontracts
https://github.com/binance-chain/bep3-deputy
https://github.com/binance-chain/ledger-app-binance

https://github.com/binance-chain/bsc-genesis-contract
https://github.com/binance-chain/bsc-relayer
https://github.com/binance-chain/oracle-relayer
https://github.com/binance-chain/bsc

P1:

Vulnerabilities that could undermine the fund safety of any user or business runner, including:

  • Vulnerabilities that could expose private keys or any other sensitive secrets
  • Vulnerabilities that could allow unfair trading, swapping, exchange, or any economic practice that results in loss of funds
  • Vulnerabilities impacting the system, human governance or judgement that could cause significant economic unfairness or loss of funds

P2:

  • Vulnerabilities with impact similar to P1 vulnerabilities, but dependent on specific prerequisites

P3:

  • Denial of service of critical functions

P4:

  • Denial of service of non-critical functions

Trustwallet Vulnerability Classifications

In scope:

Trustwallet Android app
Trustwallet iOS app
Trustwallet walletcore

Out of scope:

*.trustwallet.com
*.trustwalletapp.com

Examples of issues that we are looking for:

  • Vulnerabilities that can cause a loss of user funds/assets remotely
  • Vulnerabilities that can cause exposure of private keys or mnemonic seed phrase remotely
  • Vulnerabilities in chain-related implementations
  • Denial of service of the wallet app
  • Remote code execution
  • Insecure cryptographic implementation for sensitive functions such as wallet generation, transaction signing etc.
  • Lock screen bypass

Ineligible issues:

  • Vulnerabilities that require root/jailbreak to exploit (points only if a change is made)
  • 3rd party library dependencies
  • Address bar spoofing in dapp browser
  • Web vulnerabilities for *.trustwallet.com and *.trustwalletapp.com
  • Issues related to TWT referral

Access:

Researchers are encouraged to self-provision accounts as needed; when doing so, please sign up for an account using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.


Actions to avoid:

  • Testing on accounts other than those that you own
  • Automated testing using tools such as scanners
  • Excessive request attempts that affect the availability of our services to all users
  • Destruction of data

Ineligible issues (Will be closed as out of scope):

  • Theoretical vulnerabilities without actual proof of concept
  • Email verification deficiencies, expiration of password reset links, and password complexity policies
  • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
  • Clickjacking/UI redressing with minimal security impact
  • Email or mobile enumeration (E.g. the ability to identify emails via password reset)
  • Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
  • Internally known issues, duplicate issues, or issues which have already been made public
  • Tab-nabbing
  • Self-XSS
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Vulnerabilities related to auto-fill web forms
  • Use of known vulnerable libraries without actual proof of concept
  • Lack of security flags in cookies
  • Issues related to unsafe SSL/TLS cipher suites or protocol version
  • Content spoofing
  • Cache-control related issues
  • Exposure of internal IP address or domains
  • Missing security headers that do not lead to direct exploitation
  • CSRF with negligible security impact (E.g. adding to favourites, adding to cart, subscribing to a non-critical feature)
  • Vulnerabilities that require root/jailbreak
  • Vulnerabilities that require physical access to a user's device
  • Issues that have no security impact (E.g. Failure to load a web page)
  • Assets that do not belong to Binance
  • Phishing (E.g. HTTP Basic Authentication Phishing)
  • Any activity (like DoS/DDoS) that disrupts our services
  • Installation Path Permissions
  • Reports from automated tools or scans

For security issues related to cryptocurrencies and their components:

If you have found a security issue that directly affects a cryptocurrency and/or its components (e.g. blockchain, node, wallet), please ensure that you report it directly to the respective project team.


Non-security related issues:

Please submit a request ticket at https://support.binance.com/hc/en-us.

Thank you for your efforts in helping keep Binance and its users safe!

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.