Pi42's Bug Bounty Program

As a leading crypto futures trading platform, we are committed to maintaining the highest standards of security and reliability.

Our Bug Bounty Program is designed to encourage and reward security researchers and ethical hackers who help us identify and fix vulnerabilities in our system.

How it works

  • Discover

    Identify potential security vulnerabilities in Pi42's platform.

  • Report

    Submit a detailed report of your findings through our secure reporting form.

  • Review

    Our security team will review your submission and validate the vulnerability.

  • Reward

    Once the vulnerability is confirmed, you'll be rewarded based on the severity of the issue.

Rewards

Rewards are determined based on the impact and complexity of the vulnerability.

  • Critical: up to ₹1,00,000
  • High: up to ₹50,000
  • Medium: up to ₹10,000
  • Low: up to ₹5,000

Reporting Guidelines

To submit a report, please include the following information:

  • A clear and concise description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact of the vulnerability
  • Any supporting evidence (screenshots, code snippets, etc.)

Contact

For any questions, or to submit a report, please contact our security team at [email protected]

Bug Bounty Results

Celebrating Your Contributions to a Safer Platform

Participant Name   Severity Level   Bug Description         Reward   Submission Date
Nishant Lungare    Low              Tabnabbing              ₹5,000   Sept 2024
Himanshu Sondhi    Low              Subresource Integrity   ₹5,000   Oct 2024

Frequently Asked Questions

Who can participate in the Bug Bounty Program?

Anyone with knowledge and expertise in cybersecurity, ethical hacking, or related fields can participate. We welcome contributions from security researchers, ethical hackers, and enthusiasts worldwide.

What types of vulnerabilities are eligible for a reward?

We are interested in vulnerabilities that could potentially impact the security and integrity of our platform, such as:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection
  • Authentication bypass & broken authentication
  • Remote Code Execution (RCE)

Domains in scope:

  • https://pi42.com/
  • https://api.pi42.com/

Note: This is not an exhaustive list. Any critical vulnerability that poses a significant risk to our platform is eligible for a reward.

Are there any out-of-scope vulnerabilities?

Yes, certain vulnerabilities are considered out-of-scope and are not eligible for rewards. These include:

  • https://pi42.com/blog
  • All domains or subdomains not listed in the above list of domains in scope
  • CMS websites owned by Pi42 (anything related to WordPress, etc.)
  • Vulnerabilities in third-party applications or services not under our control
  • Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
  • Password reset token leak on a trusted third-party website via the Referer header (e.g. Google Analytics, Facebook…)
  • Missing any best security practice that is not a vulnerability
  • Missing security headers that do not lead directly to a vulnerability
  • SSL/TLS best practices that do not contain a fully functional proof of concept
  • Incomplete or missing SPF/DMARC/DKIM records
  • SSL weak ciphers / POODLE / Heartbleed (Vulnops discretion)
  • Client-side application/browser autocomplete or saved password/credentials
  • Account/e-mail enumeration
  • Unvalidated findings from automated tools or scans
  • Missing rate limitations on endpoints (without any security concerns)
  • Self-XSS or XSS that cannot be used to impact other users
  • Self-exploitation (i.e. password reset links or cookie reuse)
  • Any hypothetical flaw or best practices without exploitable PoC
  • Outdated libraries without a demonstrated security impact
  • Vulnerabilities affecting users of outdated browsers, plugins or platforms. For example, an XSS reliant on Adobe Flash (no longer supported)
  • Recently disclosed 0-day vulnerabilities (less than 90 days since patch release)
  • Social engineering attacks (e.g., phishing)
  • Physical attacks against our infrastructure
  • Attacks requiring physical access to a user’s device
  • Unauthenticated / Logout / Login and other low-severity Cross-Site Request Forgery (CSRF)
  • Any form of DoS/DDoS
  • CSV Injection
  • Open redirect without security impact
  • Disclosure of software/version banners
  • Presence of debug information (like stack traces) without sensitive data leakage
  • Use of known default credentials without evidence of exploit
  • Clickjacking on pages with no sensitive actions
  • Missing or misconfigured Content Security Policy (CSP) without direct impact

How do I submit a vulnerability report?

To submit a report, please use our secure reporting form on the Bug Bounty Program webpage. Include a detailed description of the vulnerability, steps to reproduce, potential impact, and any supporting evidence.

How long does it take to review a submission?

Our security team aims to review submissions within 7 business days. However, the review time may vary depending on the complexity of the report and the current volume of submissions.

How are rewards determined?

Rewards are based on the severity and impact of the vulnerability, as well as the quality of the report. Our security team uses industry-standard guidelines to assess the severity of each submission.

Can I disclose the vulnerability publicly?

We request that you do not disclose any details about the vulnerability publicly until we have had a chance to investigate and address the issue. Public disclosure before resolution may disqualify you from receiving a reward.

Can I submit multiple reports?

Yes, you can submit multiple reports as long as each report details a unique vulnerability. Each submission will be evaluated independently for eligibility and reward.

What happens if multiple researchers report the same vulnerability?

In cases where multiple researchers report the same vulnerability, the reward will be granted to the first researcher who submitted a comprehensive and actionable report.

How will I receive my reward?

Rewards will be paid out via bank transfer or cryptocurrency, depending on your preference and applicable laws. Our security team will coordinate with you to arrange the payment.