Coinflow Bug Bounty Program

Last updated June 22, 2025

Overview

The Coinflow Bug Bounty Program Terms and Conditions ("Terms") govern your participation in the Coinflow Bug Bounty Program ("Program"). These Terms are between you and Coinflow ("Coinflow," "us," or "we"). By performing vulnerability research against Coinflow’s infrastructure, submitting any vulnerabilities to Coinflow, or otherwise participating in the Program in any manner, you accept these Terms.

Program Eligibility

  • Participants must be at least 18 years old.
  • Coinflow employees, contractors, and their family members are prohibited from participating.
  • You may not participate if you reside in a U.S.-sanctioned jurisdiction or appear on restricted lists.

Rules of Engagement

  • Submissions must include a working Proof of Concept (PoC).
  • Do not access, store, or share other users’ data. Report it immediately if accessed.
  • Minimize data usage when testing exploits.
  • Do not threaten, extort, or disrupt Coinflow services or data.
  • Use only accounts you create. Never interact with real users.
  • You grant Coinflow a license to use your submission. Bounties are at Coinflow’s discretion.
  • You are responsible for any tax obligations tied to your reward.

Submission Review

Coinflow engineers will review all submissions. Rewards are granted to the first valid report. Coinflow may award a duplicate if new information is added or revalidate a previously closed report.

Creating Test Accounts

Use a research email (e.g. username@wearehackerone.com) and name your test merchant with a -bug-bounty suffix. Add an X-Bug-Bounty: username header where applicable.

Disclosure

You may not disclose any vulnerability, findings, or communication without Coinflow’s written permission.

Researcher Privacy

Coinflow will not share your personal information, research, or participation unless legally required or to enforce policy.

Accountability

Violating these terms may result in disqualification from the Program.

Changes

Terms may be updated. Continued participation indicates your acceptance of the latest version.

Bounty Rewards

SeverityReward
Low50 – $100
Medium$100 – $500
High$500 – $1,000
Critical$1,000 – $5,000

Scope Exclusions

The following categories are not eligible for rewards:

  • Account squatting or email collisions
  • MITM or physical access-based attacks
  • Missing best practices without exploitable impact (e.g., CSP, SSL)
  • Clickjacking on non-sensitive pages
  • CSV injections without impact
  • Content/text spoofing with no vector
  • Non-sensitive CSRF
  • Denial of service (DoS)
  • Software version/banner disclosure
  • Subdomain takeovers without evidence
  • Open redirects without added risk
  • Known library CVEs without PoC
  • Zero-days patched < 30 days ago
  • Rate limiting/brute force on non-auth endpoints
  • Old browser-specific exploits
  • Spam reports
  • Social engineering or phishing
  • Wayback Machine or archive links
  • Session invalidation edge cases
  • Self-XSS, self-exploitation, or user-misuse bugs
  • Automated scanner reports with no PoC
  • LLM prompt injection with no clear security risk
  • RBAC/permission issues without exploit