At Bit2Me, we love hacker culture. We strongly identify with this movement, which is part of our company's DNA. So much so that some of us participate in hackathons and CTF (Capture-The-Flag) events. Bit2Me is always ready to collaborate and organize events aligned with this philosophy.
Our goal is for society to move towards a world where cryptocurrencies like Bitcoin gain wider acceptance, and we're working to build the best cryptocurrency platform in the world to achieve this.
This will help us create a much fairer and more democratic world, free from the monopoly of money, which currently exists with central bank currencies. A system where a few enslave the rest of humanity due to its operational structure.
We are aware of the frantic pace a startup like ours can have (updates, new products...). As humans, we're also aware that we're not perfect and might overlook something.
Therefore, hacker community, this document is a call to you. We're providing you with the best bug bounty program we could create, considering our company's current size. As we grow, we will continue to update it.
What you need to know?
- Program rules
- Already reported vulnerabilities
- How will we do it? Cryptography to the rescue!
- What does this mean?
- Scope
- Vulnerabilities that will NOT be accepted
- How to report a bug?
- Response policy
- Rewards
- Examples of vulnerabilities we are looking for:
- Hall of Fame
Program rules
- You must add the header "X-BUGBOUNTY-HACKER: <your_hacker_name>" when performing tests so we can identify your requests.
- Only reports of previously unreported vulnerabilities will be accepted. In case of duplicates, the first reporter will always be rewarded (provided they have complied with the rules outlined here, otherwise, reports will be prioritized from oldest to most recent).
- Provide sufficient evidence and information for our engineering team to reproduce and fix the vulnerability.
- Do not engage in any illegal conduct when disclosing the vulnerability to Bit2me, such as threats, demands, or other coercive tactics.
- Do not exploit the vulnerability in a way that could publicly exfiltrate sensitive information, nor profit from exploiting the vulnerability prior to receiving a reward from Bit2me.
- Do not perpetrate data destruction or service interruption of any Bit2me service in the process.
- Report only one vulnerability per submission, unless chaining vulnerabilities is necessary to maximize impact on a certain type of vulnerability.
- Do not report a vulnerability caused by an underlying issue that is the same as an issue for which a reward has been paid under this Program.
- Multiple vulnerabilities caused by one underlying issue will receive a single reward.
- A single vulnerability reproducible across more than 1 service or subdomain will be treated as one unique vulnerability.
- Publication of any successful exploit performed during participation in the Bug Bounty program on any internet medium is not permitted. Violation of this rule will result in the denial of future submissions from that member and the suspension of any pending reward payments.
Already reported vulnerabilities
A natural and valid question you might ask is: How can I be sure that Bit2Me will be truthful when rejecting a vulnerability by stating it was already reported?
As one of the famous crypto mottos goes: “Don’t trust, Verify!"
As you know, we love innovation, and we love cryptocurrency technology. With this in mind, and to exemplify the values and benefits that Blockchain technology brings, every reported and accepted vulnerability will be published on the Blockchain.
How will we do it? Cryptography to the rescue!
Once a vulnerability is reported and accepted, even before our team resolves it, we will do the following:
We will gather all vulnerability information and create a report in PDF format.
From the newly created PDF report, we will generate a digital fingerprint (hash checksum).
We will issue a transaction to the Ethereum blockchain, including the document's generated hash within it.
This transaction will remain transparent and immutable on the network forever, being completely impossible to alter, and serving as a timestamp for its creation.
What does this mean?
If that hash existed at that moment, it means the document, and therefore the information it contains, also existed.
If, later, someone reports a similar vulnerability to us, we will provide them with the PDF report and the transaction.
With the report, they can generate the digital fingerprint themselves and verify that the hash was already registered in the past, thanks to the provided Ethereum transaction, where they can see its exact date.
For the report's hash / checksum, we will use the SHA-512 algorithm.
Scope
We have limited the scope for vulnerability hunting to the following domains / subdomains:
bit2me.com
account.bit2me.com
wallet.bit2me.com
converter.bit2me.com
explorer.bit2me.com
gateway.bit2me.com
Bit2me Android and iOS applications
Vulnerabilities that will NOT be accepted
- Any asset outside the specified scope.
- While vulnerabilities that can cause a Denial of Service (DoS) are permitted, whether due to code inconsistencies, outdated services on the platform, or libraries generating excessive cyclomatic loops, Distributed Denial of Service (DDoS) attacks, such as attacks via botnets or flooding tools, are out of scope.
- Account/email enumeration.
- Brute force attacks.
- Content spoofing and text injection without the ability to modify HTML/CSS.
- Self-XSS (e.g., successful XSS only executed locally, console scripting, token reuse...).
- Permissive CORS headers.
- Clickjacking with minimal impact actions.
- Tab-nabbing.
- Vulnerabilities related to form autocompletion.
- Lack of headers or flags (CSP, X-Frame-Options, Strict-Transport-Security, Content-sniffing, HTTPOnly flag, link attributes “noopener noreferrer”, etc.) that cannot lead to direct exploitation.
- Lack of best practices in SSL/TLS configuration.
- Support for HTTP methods like OPTIONS.
- CSRF attacks without compromising authentication or critical operations (add to favorites, logout, etc.).
- Exposure of outdated software or service versions.
- Exposure of public directories or files (e.g., robots.txt) with minimal impact.
- Bugs in uncommon browsers or browsers not supported by Bit2Me.
- MITM attacks requiring physical access to a user's device.
- Any physical attack against Bit2me properties or its data centers.
- Publicly accessible login panels.
- UX or usability issues that do not imply security flaws.
- Issues that have no security impact (e.g., a page loading failure).
- Social engineering, phishing, vishing, smishing against Bit2Me employees, suppliers, customers, or users.
- Vulnerabilities already known to us or already reported by someone else (the reward will go to the first reporter).
- Others…
How to report a bug?
Send your report to: security@bit2me.com.
Include as much evidence as possible: title of the exploited vulnerability, description of each step in the exploitation, tools used in the exploitation, browser version, attach screenshots (or even video), etc.
Include the PoC (Proof of Concept), if you created one. It will be mandatory to include an explanation on how to fix the reported vulnerability.
Please allow up to 10 business days for our team to review your submission and receive a response regarding its acceptance. If accepted, your reward will be paid within the timeframe stipulated in the Response Policy (*see response policy).
Response policy
Bit2Me will always do its utmost to follow the following response policy for submissions sent by hackers participating in our program:
Our maximum response time for vulnerability acceptance (from receiving the report) is: 10 business days.
The reward payment will be made once the vulnerability is resolved. This period may take days, or even weeks.
Payments can be made in the following way:
Cryptocurrencies: We love cryptocurrencies, and if you do too, we'll be happy to pay your reward in cryptocurrencies like Bitcoin, Ethereum, Monero, or others.
Rewards
Rewards granted by Bit2Me range from €50 for low vulnerabilities up to €5,000 for highly critical ones.
Normal rewards will be administered based on our vulnerability criticality criteria:

For vulnerabilities that our internal cybersecurity team considers VERY critical, Bit2Me has a special reward of €5,000.
Note: If the report does not include a valid PoC (Proof of Concept), the reward rating will be decided according to the reproducibility and severity of the vulnerability, and the reward amount may be significantly reduced. |
Examples of vulnerabilities we are looking for:
- XSS (excluding self-XSS).
- CSRF (excluding CSRF involving actions without impact).
- Remote Code Execution.
- Authentication Bypass.
- SQL Injection.
- Sensitive information disclosure.
- LFI/RFI.
- Privilege Escalation.
- Vulnerabilities that could cause loss of user funds or assets.
- Vulnerabilities that could cause remote leakage of confidential company data.
Hall of Fame
All individuals or entities who report vulnerabilities that are rewarded will be published, if they so wish.
These are the members who, to date, have reported an accepted vulnerability:
- Ch Chakradhar
- White Coast Security Private Limited
- Abhishek Pal
- Javier Andreu
- Pratik Yadav
- Sachin Pandey
- Shashank Jyoti
- Moein Abas
- Yash Ahmed Quashim
- Volodymyr "Bob" Diachenko
- Fahim Ali
- Felipe Martinez
- Taniya & Rohan
- Shubham Kushwaha
- Pawan Rawat
- Akash Hamal
- Mehedi Hasan
- Anchal Vij
- Soumen Jana
- Rohan
- Mayank Sahu
- Kartik Singh
- Niket Popat
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article