BTCSquare Bug Bounty Program


To eliminate system vulnerabilities and further improve the exchange functions and services of BTCsquare, we have decided to launch a bug bounty program open to all cybersecurity researchers.
To receive a reward, we suggest you create an account on BTCsquare, where the reward will be deposited. All rewards are paid in PLURA cryptocurrency.
Only reports with a detailed description of the vulnerability and a complete working proof of concept qualify for a reward.

Targets:
*.btcsquare.net

Reward Range

Level of Severity and Reward Range

L1: 300 USD equal valued PLURA
- Vulnerabilities that undermine the security of users' assets
- Vulnerabilities that bypass the application controls or procedures of normal trading logic
- Vulnerabilities that allow remote access to users' basic information and authentication information
- Vulnerabilities that leak users' unencrypted private keys or key seeds

L2: 150 USD equal valued PLURA
- Vulnerabilities that lead to high-risk information leakage
- Vulnerabilities that cause BTCsquare to be unable to respond to users' API requests

L3: 50 USD equal valued PLURA
- Vulnerabilities that lead to the leakage of part of a user's information through interaction, or to financial fraud
- Vulnerabilities that cause BTCsquare to be unable to respond to users' requests from the web or mobile side

L4: 20 USD equal valued PLURA
- Vulnerabilities due to product design defects that have no effect on the security of users' assets
- Vulnerabilities that affect the stability or availability of the Web wallet

Prohibited actions:
- Testing the system through the accounts of other users
- Using scanners for automated testing
- Generating an excessive number of requests

The following issues are not qualified for a reward:
- Content spoofing
- Issues related to cache control
- Lack of security headers that does not lead to direct exploitation
- CSRF with negligible security impact (e.g.: adding to favorites, subscribing to non-vital features)
- Issues related to unsafe SSL/TLS cipher suites or protocol versions
- Vulnerabilities that require root/jailbreak
- Vulnerabilities that require physical access to a user's device
- Issues with no security impact (e.g.: failure to load a web page)
- Assets not belonging to BTCsquare
- Phishing (e.g.: HTTP basic authentication phishing)
- Theoretical vulnerabilities without an actual proof of concept
- Email verification defects, expiration of password reset links, and password complexity policies
- Vulnerabilities exposing internal IP addresses or domains
- Tabnabbing
- Self-XSS
- Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
- Clickjacking/UI redressing with minimal security impact
- Email or mobile number enumeration (e.g.: the ability to identify registered emails through password resets)
- Information leakage with minimal security impact (e.g.: stack traces, path disclosure, directory listings, logs)
- Internally known issues, recurring issues, or issues already published
- Vulnerabilities only applicable to outdated versions of browsers or platforms
- Vulnerabilities related to auto-fill of web forms
- Use of known-vulnerable libraries without an actual proof of concept
- Lack of security flags on cookies

Terms & Conditions
(1) We reserve the right of final interpretation of the bounty program.
(2) Only the first report of a given vulnerability receives the reward.
(3) We will pursue legal action against anyone who steals private data or assets of BTCsquare users.
(4) Rewards will be paid in PLURA to your registered BTCsquare account.
(5) Reviewing reports can take 2-3 weeks.

If you have any questions, please contact Customer Support.