Bug Bounty

SpectroCoin understands the importance of security and keeping our users safe. Although our IT team has taken all precautions to find possible bugs in our system, there is always a slight possibility that a few of them could have been overlooked. At SpectroCoin we believe that working hand in hand with our community can bring the best results for both parties. SpectroCoin is running a bug bounty program under which you are entitled to a reward if you report a significant eligible bug.

Responsible disclosure

Responsible disclosure includes, but is not limited to:
  1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
  2. Not violating the privacy of other users, destroying any data or disrupting our services, etc. (acting in good faith).
  3. Not defrauding SpectroCoin users (you do not interact with an individual account, which includes modifying or accessing data from the account) or SpectroCoin itself in the process of discovery.
  4. For exploits that need account access, you must use your own account.
  5. If you inadvertently access private data, we ask that you delete all related information (including but not limited to access codes, private data, etc.) after notifying us.
  6. If, in the case of a bug, you were able to access and/or move funds from SpectroCoin, you commit to returning the whole amount to SpectroCoin.
* In order to encourage responsible disclosure, we will not bring legal action against researchers who point out a problem provided they do their best to follow the guidelines above.


SpectroCoin has not set a maximum reward for security vulnerabilities reported. The reward for eligible security issues will be paid in Bitcoin or Ether. Higher rewards may be allocated, depending on the severity of the vulnerabilities reported. We use the following table as a guide; however, the determination of the final amount remains at our discretion.
  • Bug
  • Critical: $4,000 - $15,000
  • High: $1,000 - $4,000
  • Medium: $200 - $1,000
  • Low: up to $200
Only unknown and previously unreported vulnerabilities are considered for rewards.
We only reward one bounty per bug. If multiple reports are submitted for the same vulnerability, we will reward the first reporter only (please check the "How to report a bug" section).
To receive a reward, there must be no legal obstacle to doing so (e.g. you may not participate in this program if you are a resident or individual located within a country subject to international sanctions including, but not limited to, EC, FATF, US, UN).
* In any case SpectroCoin has the discretion to determine a reported vulnerability as insignificant, including its eligibility for the reward. By submitting a bug, you agree to follow the rules above. Thank you for keeping SpectroCoin and our users safe!
The amount of the reward may be increased based on:

How to report a bug

Send your vulnerability reports to [email protected]. Please encrypt your message and any attachments by using our public PGP Key (available below). Do not publicly share any files and/or details related to the vulnerability. This includes uploads to any publicly accessible websites (e.g. YouTube, Imgur, Pastebin, etc.).
Bug reports should contain a detailed step-by-step proof of concept that would allow us to reproduce and evaluate the issue. For example, web-related reports should contain at least:
  • HTTP requests/responses together with affected parameters
  • Screenshots or videos (if necessary)
  • Description of the browser (type), OS, device and/or app version
  • Description of the perceived impact of the vulnerability
  • Suggestions on how to solve the issue (optional)
* If our IT team cannot reproduce and verify the issue, the bounty will not be allocated.
* Include your BTC/ETH address for payment.

Eligibility (Scope)

All services provided by SpectroCoin are eligible for our bug bounty program, including the iOS and Android SpectroCoin apps, SpectroCoin Wallet, API, Merchant Tools, Cards and Exchange.
In general, vulnerabilities that have a potential for financial loss or data breach are considered of sufficient severity, including but not necessarily limited to:
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Code Injection
  • Remote Code Execution
  • Privilege Escalation
  • Authentication Bypass
  • Clickjacking
  • Leakage of Sensitive Data

Ineligibility (Out of Scope)

In general, the following vulnerabilities will not meet the severity threshold:
  • Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website
  • Password complexity requirements
  • Self-XSS
  • Denial of service (DoS)
  • Spamming
  • Usability issues
  • Vulnerabilities affecting outdated or unpatched browsers
  • Vulnerabilities in third party applications which make use of the SpectroCoin API
  • Reports from automated tools or scans, without exploitability demonstration
  • Non-technical attacks, such as physical attack, social engineering, phishing, etc.
  • Bugs that have been already reported before
  • Bugs known to us
  • Non-reproducible issues
