Bug Bounty Program


Here at Bitazza, we value the importance of security researchers’ efforts in helping to ensure the safety of our environment. Our Bug Bounty Program is in line with our mission and vision of being one of the most trusted platforms in the digital currency space. The Bug Bounty Program scope covers all software vulnerabilities in Bitazza’s services.

Responsible Disclosure

If you are able to identify a security vulnerability, we ask that all researchers make every effort to not leak data or damage the integrity of Bitazza’s systems and report the issue to us privately. This means to:

  • Provide us with a reasonable amount of time to fix the issue before publishing it elsewhere
  • Provide us with details (code, endpoints, etc.) of the vulnerability so we can find and fix it
  • Do not leak, tamper, or destroy any Bitazza data
  • Do not defraud Bitazza users or Bitazza itself (by making or enabling fraudulent transactions)
  • Do not create a large number of user accounts or fake data records

A valid report must, therefore, clearly explain and demonstrate the software vulnerability that is harmful to Bitazza or Bitazza’s customers. A report must be valid and in accordance with the terms of the program to be eligible for the bounty. Bitazza will, in its sole discretion, determine whether a report qualifies for a reward and the amount of the reward. A valid report must include clear step-by-step instructions to replicate the vulnerability.

Bitazza rewards bounties based on the severity of the vulnerability. The severity of the vulnerability can be categorized as such:

  • Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.
  • Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impacting the accuracy and performance of a system.
  • Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.
  • Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.
  • Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Bitazza or Bitazza customers.
  • Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.

Based on the different levels of severity, exploitability, and impact; the report will be classified into one of the 4 reward tiers

  • Critical       - 100,000 THB
  • High          -  10,000-50,000 THB
  • Medium    -  3,000-5,000 THB
  • Low           -  300-1,000 THB

(Rewards are paid in BTZ at the current market rate)


Vulnerabilities that do not fall into Bitazza’s bounty program are:

  • Social engineering
  • Physical security
  • Non-security-impacting UX issues
  • Deprecated Open Source libraries are not in scope. If you would like to report a vulnerability for one of these libraries, please submit it via email.
  • Vulnerabilities or weaknesses in third-party applications that integrate with Bitazza
  • Ability to abuse existing banking functions such as ACH or credit card chargebacks
  • Physical attacks against Bitazza employees, offices, or data centers
  • Social engineering of Bitazza employees or users (e.g. phishing)
  • Denial of service (SYN floods, Slowloris attacks, etc.)
  • Vulnerabilities in third-party integrations with the Bitazza API
  • Vulnerabilities that are strictly client-side
  • Vulnerabilities that require physical access, rooted/jailbroken devices, or debug access to a user’s device
  • Issues in our blog (https://content.bitazza.com) and social media accounts (Facebook, Twitter, etc.)
  • Issues in our support platform
  • Logout CSRF
  • User existence / user enumeration
  • Text-only injection in error pages
  • Unconfirmed reports from automated vulnerability scanners
  • Server and software versions in HTTP response headers
  • Lack of password complexity restrictions

Should you feel that a particular vulnerability not mentioned here should be in scope, please kindly proceed with submitting the report along with an explanation.

Bitazza reserves the right to modify or cancel the Bug Bounty Program at any time.

2 people like this