Bug bounty program

revenuebot provides a reward for detecting errors in the system. If you find a vulnerability in the service, please let us know by writing to the Support Service.

What will be the reward?

The reward paid for detecting bugs and errors depends on their severity. Identified errors fall into three groups:

  • A vulnerability that requires user interaction or affects individual users. For example, cross-site request forgery (CSRF); manipulation of the user's reputation.
  • A vulnerability that does not require user interaction and affects many users. For example, Stored Cross-Site Scripting (XSS) with significant impact; bypassing authentication, allowing you to change user data or gain access to personal data.
  • A vulnerability that affects our entire platform. For example, Server Side Request Forgery (SSRF); gaining administrator access; disclosure of important information.

As stated above, the amount of the reward depends on which group the bug or error falls into, with the minimum being 50 USDT.

In what case is the reward not paid?

  • If this is not the first time the vulnerability has been reported.
  • If confirming the error or bug involves access to the user's PC or software.
  • If the bug found requires performing non-standard and lengthy actions.
  • If the vulnerability requires jailbreak or modification of devices and applications.
  • If the vulnerability works on older versions of browsers.

General rules about Bug Bounty

  • Vulnerability reports are reviewed within two weeks.
  • The bug or vulnerability report should include a detailed description of the problem encountered and the steps to reproduce it, or a working proof of concept.
  • You should not use automated tools and scanners to find vulnerabilities - such reports will be ignored.
  • You must not take any action that could damage our service or data, including customer data. DDoS, spam, social engineering, and brute force attacks are prohibited.
  • It is forbidden to involve other users in vulnerability detection without their consent.