Responsible Disclosure Program

Tradex24 Bug Bounty

Help us protect thousands of traders and millions in digital assets. We reward researchers who responsibly disclose vulnerabilities across our exchange, wallet infrastructure, and trading APIs.

$5,000 Max Reward
493 API Endpoints
16 Blockchains
72 hrs Response SLA

About Tradex24

Tradex24 is an enterprise-grade, multi-product cryptocurrency exchange providing spot trading, leveraged futures (1–100×), binary options, peer-to-peer marketplace, staking, investments, and ICO launchpad services. Our platform custodies real digital assets across 16 blockchain networks via a BIP44 HD hot wallet, integrates with Binance and KuCoin via CCXT, and processes fiat on-ramps via Stripe and PayPal.

Security is paramount. Our users trust us with real funds. This bug bounty program exists to engage the security community in identifying vulnerabilities across our 493 API endpoints, 234 frontend pages, 109 database models, and 16 custodial blockchain integrations — before adversaries do.

Spot Trading
Futures 1–100×
Binary Options
P2P Escrow
Hot Wallet (16 chains)
KYC & Compliance

Severity Levels & Rewards

Rewards are paid in USDT or TRDC at the reporter's choice. Final severity classification is determined by Tradex24 after triaging the report. Bonuses may apply for exceptional write-up quality or novel attack chains.

Critical
$1,000 – $5,000
  • Unauthorized access to or draining of user funds or hot wallet
  • Authentication bypass granting admin or arbitrary user access
  • Private key or mnemonic phrase exposure via any attack surface
  • SQL injection enabling full database read or write
  • Remote code execution (RCE) on backend or Node.js server
  • Mass account takeover without user interaction
  • Bypassing withdrawal KYC / admin approval to extract funds
  • Exploiting race conditions to double-credit deposits or withdrawals
  • JWT secret disclosure or algorithm confusion attack
High
$300 – $999
  • Unauthorized balance manipulation (credit or debit) on any wallet
  • Bypassing 2FA (TOTP, SMS, or email) without account credentials
  • API key privilege escalation beyond granted scopes
  • Stored XSS in trading interface, admin panel, or user dashboard
  • SSRF reaching internal services (Redis, DB, metadata endpoint)
  • Insecure Direct Object Reference (IDOR) exposing financial records
  • P2P escrow bypass releasing funds without both-party confirmation
  • Futures position manipulation via forged mark-price or liquidation data
  • Admin panel CSRF on financial operations (withdrawals, balance edits)
  • KYC bypass enabling unverified withdrawal above limits
Medium
$75 – $299
  • Reflected XSS on any authenticated or public endpoint
  • CSRF on account settings (email, password, 2FA enrollment)
  • Rate-limit bypass on authentication, OTP, or withdrawal endpoints
  • Session fixation or session token not invalidated on logout
  • Sensitive data leakage in API responses (hashed passwords, internal IDs)
  • Insecure file upload leading to arbitrary file storage or path traversal
  • WebSocket authentication bypass exposing another user's order stream
  • Missing authorization checks on admin-only API routes
  • Business logic flaw allowing negative balance or fee evasion
  • OAuth2 redirect_uri manipulation or state parameter bypass
Low
$25 – $74
  • Missing or misconfigured security headers (CSP, HSTS, X-Frame-Options)
  • Verbose error messages leaking stack traces or library versions
  • Clickjacking on non-sensitive pages without frame-busting headers
  • Self-XSS requiring significant user interaction
  • Non-sensitive information disclosure via API responses
  • Weak password policy not enforced on registration
  • Email enumeration on login or forgot-password endpoints
  • Lack of account lockout after repeated failed login attempts
  • Missing HttpOnly / Secure flag on non-session cookies
  • Open redirect on low-impact pages (no phishing chain demonstrated)
Informational
No reward
  • Best-practice deviations with no direct exploitability
  • Missing DNSSEC or SPF/DKIM/DMARC email hardening
  • SSL/TLS configuration issues below critical threshold
  • Theoretical vulnerabilities requiring unrealistic preconditions
  • UI bugs, typos, or UX issues
  • Issues already publicly disclosed or known to the team

In-Scope Targets

All in-scope targets are on trade.bitchat.live and its subdomains. API base: https://trade.bitchat.live/api

Out of Scope

The following are out of scope: reports on them will not be accepted, and testing them in a way that disrupts the platform may result in disqualification.

Attacks requiring physical access to a user's device
Social engineering or phishing of Tradex24 employees or users
Denial-of-service (DoS/DDoS) attacks against production infrastructure
Brute-force attacks against production systems (test in staging only)
Vulnerabilities in third-party services not controlled by Tradex24 (Binance, Stripe, PayPal, Twilio, SendGrid)
Issues only exploitable on outdated or unsupported browsers
Self-XSS requiring the victim to run attacker-provided code in their own browser console
Clickjacking on pages with no sensitive state-changing actions
CSV injection with no demonstrated impact beyond formula execution in Excel
Rate limiting on non-security-critical endpoints (public market data)
Missing security headers with no exploitable impact (X-Content-Type-Options, Referrer-Policy alone)
Username or email enumeration without evidence of harm beyond confirmation
Vulnerabilities in the admin panel only exploitable by accounts already holding admin privileges
Publicly known CVEs in dependencies that Tradex24 has already acknowledged or patched
Scanner output / automated tool results without proof of exploitability
Issues requiring a man-in-the-middle attack against a user with valid TLS
Clickjacking on the landing page or marketing-only pages
SPF, DKIM, or DMARC email configuration issues
Missing certificate transparency (CT) logs
Token/key exposure in client-side source maps where the token has no production scope

Rules of Engagement

Violation of any rule below voids eligibility for reward and may result in legal action.

01. Test exclusively against your own account. Never target other users' accounts or data.
02. Do not access, modify, or delete data that does not belong to you.
03. Do not disrupt platform availability or degrade service quality for other users.
04. If you discover access to funds or sensitive user data, stop exploitation immediately and report.
05. Do not publicly disclose any vulnerability before a fix is released (90-day responsible disclosure window).
06. Avoid automated high-volume scanning that could trigger alerts or impact production performance.
07. Use a dedicated test account. Register a new account specifically for security testing.
08. Do not conduct testing on the production hot wallet; report theoretical wallet vulnerabilities with a PoC on a testnet or staging environment.
09. Provide a clear, reproducible proof-of-concept (PoC) with your report; vague reports will not be rewarded.
10. Reports must be in English and include: vulnerability description, affected endpoint, reproduction steps, impact assessment, and suggested fix.
11. Do not attempt to extract real user PII. If encountered incidentally, report immediately and do not retain it.
12. Chained vulnerabilities are allowed and encouraged; demonstrate the full kill chain for maximum severity classification.

Disclosure Policy

72-Hour Triage

We acknowledge all reports within 72 hours and, for valid reports, provide a severity classification and an expected resolution timeline.

90-Day Fix Window

We request 90 days to remediate reported vulnerabilities before public disclosure. We will coordinate earlier publication by mutual agreement.

Safe Harbor

Good-faith researchers testing within these rules will not face legal action. We consider this program authorization under the Computer Fraud and Abuse Act and equivalent laws.

Report Format

Include all of the following in your submission for fastest triage:

Vulnerability Title: Concise one-line description (e.g., 'IDOR on /api/finance/withdraw allows draining arbitrary user wallet')
Severity Assessment: Your severity rating (Critical / High / Medium / Low) with justification
Affected Endpoint(s): Full URL, HTTP method, headers, and parameters
Reproduction Steps: Step-by-step numbered instructions starting from a fresh test account
Proof of Concept: Request/response captures (Burp Suite, cURL), screenshots, or video; redact any real user data
Impact: What an attacker can achieve (data exfiltration, fund loss, account takeover, etc.) and estimated blast radius
Root Cause: Where in the code or logic the vulnerability originates
Suggested Remediation: Optional but appreciated; specific code-level or architecture recommendation
Your Wallet Address: USDT (BEP-20 / BSC) or TRDC address for reward payment

Found a vulnerability?

Send your report to our security team. Encrypt sensitive reports using our PGP key (available on request). Please use a descriptive subject line starting with [BUG BOUNTY].

contact@bitchat.live

Please do not report security vulnerabilities through GitHub issues, support tickets, or public social media channels.

Hall of Fame
Responsible researchers who disclose valid High or Critical severity bugs will be recognized on our public Hall of Fame (with their consent).

This program is subject to change. Last updated: March 2026. Tradex24 reserves the right to modify reward amounts and scope at any time.