Bug Bounty Program

Help us keep ChipaX secure

We reward security researchers who responsibly disclose vulnerabilities in our platform. The higher the severity, the higher the reward.

Submit a Report

Email security@chipatrade.com with a PoC and reproduction steps.

Severity & Rewards

Critical: Up to $10,000
  • Remote code execution on ChipaX servers
  • Authentication bypass giving access to any account
  • Private key or seed phrase exposure
  • Direct theft or freezing of user funds
High: Up to $2,500
  • Privilege escalation to admin or staff roles
  • SQL injection or mass data exposure
  • Cross-site scripting with account takeover impact
  • Order manipulation affecting other users
Medium: Up to $500
  • Reflected XSS without account takeover
  • Insecure direct object reference (limited impact)
  • Information disclosure of non-sensitive data
  • Rate-limiting bypass without financial impact
Low: Acknowledgement
  • Missing security headers
  • Clickjacking on non-sensitive pages
  • Verbose error messages leaking stack traces
  • Outdated dependency without a known exploit

Final reward amounts are determined at our discretion based on exploitability, impact, and quality of the report. Rewards are paid in USDC.

In Scope

exchange.chipatrade.com
exchange.api.chipatrade.com
chipatrade.com
iOS and Android mobile apps (when live)

Out of Scope

Third-party services (Hyperliquid, Firebase, GCP)
Physical / social-engineering attacks
Denial-of-service (DoS / DDoS)
Brute-force attacks that require no vulnerability
Bugs already known to the team

Rules

01. Test only against your own account — never target other users' data.
02. Do not disclose the vulnerability publicly before we patch it.
03. Do not perform destructive tests that could disrupt service.
04. Automated scanners are allowed, but flooding production is not.
05. One report per vulnerability — duplicates are not rewarded.

Disclosure Process

1. Submit: Email security@chipatrade.com with PoC, steps, and screenshots.
2. Triage: We acknowledge within 48 hours and assess severity.
3. Fix: We patch the vulnerability. Timeline depends on severity.
4. Reward: USDC reward is paid after the fix is deployed.

Found something?

We're grateful for every responsible disclosure. Let's talk.
