Bug Bounty Program

SpectroCoin understands the importance of security and of keeping our users safe. Although our IT team takes every precaution to find bugs in our systems, there is always a chance that some have been overlooked. At SpectroCoin we believe that working hand in hand with our community brings the best results for both parties, so SpectroCoin runs a bug bounty program under which you are entitled to a reward if you report a significant, eligible bug.

Responsible disclosure

Responsible disclosure includes, but is not limited to:
  1. Giving us a reasonable amount of time to fix the issue before publishing it elsewhere.
  2. Not violating the privacy of other users, destroying data, or disrupting our services (act in good faith).
  3. Not defrauding SpectroCoin users or SpectroCoin itself in the process of discovery. Do not interact with any individual account other than your own, including modifying or accessing its data.
  4. Using your own account for any exploit that requires account access.
  5. If you inadvertently access private data, notifying us and then deleting all related information, including but not limited to access codes and private data.
  6. If a bug allowed you to access and/or move funds from SpectroCoin, committing to return the whole amount to SpectroCoin.
* To encourage responsible disclosure, we will not bring legal action against researchers who report a problem, provided they make a good-faith effort to follow the guidelines above.

Rewards

The minimum reward for an eligible bug is the equivalent of 100 USD in Bitcoin or Ethereum. Higher rewards may be allocated depending on the severity of the reported vulnerability. A step-by-step report (or an exploit script) is more than welcome. We use the following table as a guide; the final amount remains at our discretion:
  Bug                                                              Reward
  Remote Code Execution                                            up to $10,000
  Significant manipulation of account balance                      up to $5,000
  XSS/CSRF/Clickjacking affecting sensitive actions [1]            up to $3,500
  Theft of privileged information [2]                              up to $2,500
  Partial authentication bypass                                    up to $1,500
  Other XSS (excluding Self-XSS)                                   up to $500
  Other vulnerability with clear potential for financial or data loss   up to $500
  Other CSRF (excluding logout CSRF)                               up to $100
[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions.
[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent.
Only unknown and previously unreported vulnerabilities are considered for rewards.
We reward only one bounty per bug. If multiple reports are submitted for the same vulnerability, only the first reporter is rewarded (see the "How to report a bug" section).
To receive a reward there must be no legal obstacle to doing so (e.g. you may not participate in this program if you are a resident of, or located in, a country appearing on international sanctions lists, including but not limited to those of the EC, FATF, US and UN).
* In any case, SpectroCoin has the discretion to determine that a reported vulnerability is insignificant, including whether it is eligible for a reward. By submitting a bug, you agree to follow the rules above. Thank you for keeping SpectroCoin and our users safe!

How to report a bug

Send your bug report to [email protected]. Proof of the vulnerability (screenshots/video/script) is required. These files must not be shared publicly, which includes uploading them to any publicly accessible website (e.g. YouTube, Imgur, etc.).

Reproduction steps must be provided in the bug report, including:
  - URL and affected parameters
  - Description of the browser (type), OS, device and/or app version
  - Description of the perceived impact of the vulnerability
  - Suggestions on how to fix the issue (optional)
* If our IT team cannot reproduce and verify the issue, no bounty will be allocated.
* Include your BTC/ETH address for payment.

Eligibility (Scope)

All services provided by SpectroCoin are eligible for our bug bounty program, including the iOS and Android SpectroCoin apps, SpectroCoin Wallet, API, Merchant Tools, Cards and Exchange.
In general, vulnerabilities with potential for financial loss or data breach are considered of sufficient severity, including but not limited to:
  - Cross-Site Request Forgery (CSRF)
  - Cross-Site Scripting (XSS)
  - Code Injection
  - Remote Code Execution
  - Privilege Escalation
  - Authentication Bypass
  - Clickjacking
  - Leakage of Sensitive Data

Ineligibility (Out of Scope)

In general, the following will not meet the severity threshold:
  - Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on the main website
  - Password complexity requirements
  - Self-XSS
  - Denial of service (DoS)
  - Spamming
  - Usability issues
  - Vulnerabilities affecting outdated or unpatched browsers
  - Vulnerabilities in third-party applications that make use of the SpectroCoin API
  - Reports from automated tools or scans without a demonstration of exploitability
  - Non-technical attacks, such as physical attacks, social engineering, phishing, etc.
  - Bugs that have already been reported
  - Bugs already known to us
  - Non-reproducible issues

Help to keep SpectroCoin and our users safe