Bug bounty program

Security is a collaboration. Report bugs and be rewarded.

Types of vulnerabilities

Critical

  Important business: up to $10,000*
  General business:   up to $5,000*
  Edge business:      up to $2,500*

*We may pay more for critical bug reports, decided on a case-by-case basis.

Critical severity issues present an enormous risk to our clients or to Deriv itself. They often affect relatively low-level components in our infrastructure. For example:

  • Arbitrary code/command execution on a server in our production network
  • Arbitrary queries on a production database
  • Bypassing our sign-in process, either password or 2FA
  • Accessing sensitive production user data and internal production systems
  • Payment-related vulnerabilities that could result in loss to our clients and the company

High

  Important business: up to $5,000
  General business:   up to $2,500
  Edge business:      up to $1,000

High severity issues are generally more narrow in scope than critical issues, but they may expose sensitive client and company data to attackers. For example:

  • Cross-site scripting (XSS) that bypasses our content security policy (CSP)
  • The ability to bypass verification, log in to clients’ accounts or devices, extract clients’ sensitive data, or perform actions without their consent
  • Gaining access to back-end code, internal session cookies, or other sensitive information
  • Exploiting logic flaws in interactive flows that can cause loss to clients

Medium

  Important business: up to $500
  General business:   up to $250
  Edge business:      up to $100

Medium severity issues allow attackers to gain unauthorised access to read or modify a limited amount of sensitive data. This data is usually less sensitive than the data exposed by high severity issues. For example:

  • The ability to access a limited portion of clients’ sensitive information, our back-end code, or internal information on GitHub
  • XSS that does not bypass CSP and does not execute unauthorised actions in another user’s session
  • Cross-site and server-side request forgery (without access to our internal network)
  • Subdomain takeover

Low

We’ll reward reports on low severity vulnerabilities only if they help us fix more severe security issues, and we’ll decide the reward amount on a case-by-case basis.

Low severity issues expose an extremely limited amount of data. They may violate an expectation of how something is intended to work, but without privilege escalation or the ability to trigger unintended behaviour. For example:

  • Triggering debug error pages without proof of exploitability or disclosure of sensitive information
  • Cross-site request forgery (non-critical)
  • Vulnerabilities that depend on unlikely scenarios or preconditions
  • Exposed logs that contain no sensitive information