Hunt, report, and get rewarded!
Bitfinex recognises that building strong relationships with security researchers and fostering security research is a crucial part of our mission to deliver the most advanced, secure, and trusted trading platform for digital tokens.
In collaboration with the cybersecurity and ethical hacking community, Bitfinex operates this programme to incentivise and reward the responsible disclosure of security vulnerabilities ("Responsible Disclosure"). We are continuously developing and deploying new code, so join our growing research community and help our developers eliminate bugs — with attractive rewards offered for valid findings.
To ensure a swift and secure resolution, users or organisations must collaborate closely with the Bitfinex Security and Development teams in a timely and responsible manner. The following guidelines must be followed to ensure any vulnerabilities are handled with the highest level of security and discretion:
Submit your report as soon as you discover the bug; the fastest way to alert our team is via the form at the bottom of this page.
Do not share details of the bug in our customer support chat or publicly. If the matter is urgent, you can tell the customer support team that you have completed a bug report, without disclosing any details, and we will immediately alert our security team.
Make every effort not to interrupt or degrade our service during your investigation.
Do not harm or defraud Bitfinex systems or our users during your investigation.
Only target your own accounts during your research for vulnerabilities. Do not violate the privacy of other users, destroy data, or attempt to access or disrupt other users' accounts.
If you are working on behalf of a client or organisation where more than one account is used, provide written authorisation from the account owner to perform such testing.
Working with us in good faith by following our responsible disclosure policy ensures that Bitfinex will take no legal action against you.
Please follow our Responsible Disclosure Policy above when working to discover security vulnerabilities and bugs.
You must fully accept and adhere to our terms of service.
You must not be a Prohibited Person, such as a citizen or resident of the United States of America, or acting for the benefit of a Prohibited Person.
You must not disclose information relating to your discovery publicly before it has been fixed.
You must not try to access or damage other users' Bitfinex accounts. When completing the research, you must use your own Bitfinex account.
You must not attempt social engineering or phishing techniques on our users or Bitfinex personnel.
You must not use software or perform attacks that could affect the stability of our platforms, such as DDoS attacks, spamming techniques or blackhat SEO.
All decisions in relation to the administration of the Bug Bounty program, including the distribution of rewards, are at Bitfinex's sole and absolute discretion.
You can speak to our customer support team for any general inquiries on the Bug Bounty Eligibility & Rules.
Any security flaw or bug that could result in a loss of service, a data breach or financial damage to our systems or users is within scope. We may also reward members of our community who notify us of:
Cross-site scripting (XSS, including Self-XSS)
Cross-site request forgery (CSRF/XSRF)
Mixed-content scripts
Authentication or authorisation flaws
Server-side code execution bugs
Remote code execution
SPF/DMARC misconfiguration
Stack traces or path disclosure
There must be an immediate threat to the Bitfinex platform or our users that can be exploited and is not hypothetical. Examples of common exclusions are:
Vulnerabilities on sites hosted by third parties (https://bitfinex.recruitee.com, https://bitfinex.statuspage.io).
Bitfinex-branded services operated by third parties
Bitfinex open source projects: github.com
If you find a security vulnerability that meets the above qualifications, please complete the form below. If you believe the bug is urgent you can also advise our customer support team via https://cs.bitfinex.com
You must not share vulnerability details in the customer support group. You can tell the support team that you have completed a report in the bug bounty program, which will speed up our internal team's review of your submission.
The bug report must include a short description of the bug, and a fully completed Bitfinex Bounty Report template. You must not share any sensitive data before you have made contact with an official representative at Bitfinex.
If you send an image or a video, please:
Ensure you are eligible for the Bug Bounty program.
Provide a detailed description of the issue, including steps to reproduce it.
Include any relevant screenshots or proof of concept.
Submit your report through the designated channel.
The table below shows the indicative reward range paid by bug priority class and risk. Upon successful verification of the bug discovered, we shall advise you of the reward amount to be paid out.
| Risk Priority | Minimum Payout | Maximum Payout |
|---|---|---|
| RP1 | $1,000 | $10,000+ |
| RP2 | $800 | $1,500 |
| RP3 | $200 | $400 |
| RP4 | $50 | $150 |
| RP5 | $10 | $50 |
The Bitfinex Bug Bounty program includes any and all digital security vulnerabilities discovered within any of the iFinex Inc. group companies. iFinex Inc. provides the operational services that support all the various business lines delivered by the companies in the group, such as Bitfinex, Unus Sed Leo and Bitfinex Staking.
The specific properties and domains covered in the Bitfinex Bug Bounty are as follows:
bitfinex.com
leaderboard.bitfinex.com
movement.bitfinex.com
setting.bitfinex.com
Android Google Play Store App
blog.bitfinex.com
leo.bitfinex.com
report.bitfinex.com
staking.bitfinex.com
Bitfinex API V1 or API V2
kyc.bitfinex.com
ln.bitfinex.com
reporting.bitfinex.com
capital.bitfinex.com
iOS App Store Bitfinex App
bitfinex.recruitee.com
bitfinexsecurities.recruitee.com
bitfinex.statuspage.io
docs.bitfinex.com
cs.bitfinex.com
support.bitfinex.com
The above properties are eligible for bounties at priority RP1-RP5 depending on the severity of the bug found. Any domain or product outside of this list is currently out of scope for the Bitfinex Bug Bounty program.
The scope of the Bitfinex Bug Bounty program does not include third-party software or services (such as social media accounts or Bitrefill), social engineering activities, physical building security breaches, or event security risks. If you are aware of illegal activities being planned, you should make our team aware and contact your local authorities.
If you believe you have discovered a vulnerability that should be included in the bounty program please complete our vulnerability report below.
You should not make your findings public. Notify the official team members that you have found a vulnerability, and we will advise you how to provide more detailed information securely.
Any services provided on (sub)domains other than those listed above are not included in the bounty program. Bitfinex may reward reports for non-qualifying services at its sole discretion.