Bug bounty program
Security is a collaboration. Report bugs and be rewarded.
Types of vulnerabilities
Critical
Important business: Up to $10,000*
General business: Up to $5,000*
Edge business: Up to $2,500*
*We may pay more for critical bug reports on a case-by-case basis.
Critical severity issues present an enormous risk to our clients or to Deriv itself. They often affect relatively low-level components in our infrastructure. For example:
- Arbitrary code/command execution on a server in our production network
- Arbitrary queries on a production database
- Bypassing our sign-in process, either password or 2FA
- Accessing sensitive production user data and internal production systems
- Payment-related vulnerabilities that could result in loss to our clients and the company
High
Important business: Up to $5,000
General business: Up to $2,500
Edge business: Up to $1,000
High severity issues are generally narrower in scope than critical issues, but they may expose sensitive client and company data to attackers. For example:
- Cross-site scripting (XSS) that bypasses content security policy (CSP)
- The ability to bypass verification, log in to clients’ accounts or devices, extract clients’ sensitive data, and perform actions without consent
- Gaining access to back-end code, internal session cookies, or other sensitive information
- Exploiting interactive logic issues that can cause loss to clients
Medium
Important business: Up to $500
General business: Up to $250
Edge business: Up to $100
Medium severity issues allow attackers to gain unauthorised access to read or modify a limited amount of sensitive data. This data is usually less sensitive than the data exposed by high severity issues. For example:
- The ability to access a limited portion of clients’ sensitive information, our back-end code, or internal information on GitHub
- XSS that does not bypass CSP and does not execute unauthorised actions in another user’s session
- Cross-site and server-side request forgery (without access to our internal network)
- Subdomain takeover
Low
We’ll reward reports on low severity vulnerabilities only if they help us fix severe security issues, and we’ll decide the reward amount on a case-by-case basis.
Low severity issues expose an extremely limited amount of data. They may violate an expectation of how something is intended to work, but without privilege escalation or the ability to trigger unintended behaviour. For example:
- Triggering debug error pages without proof of exploitability or obtaining sensitive information
- Cross-site request forgery (non-critical)
- Vulnerabilities that depend on difficult scenarios or pre-conditions
- Exposed logs without sensitive information