Details

#Introduction Bybit is a cryptocurrency exchange established in March 2018 to offer a professional platform where crypto traders can find an ultra-fast matching engine, excellent customer service and multilingual community support. The company provides innovative online spot and derivatives trading services, mining and staking products, as well as API support, to retail and institutional clients around the world, and strives to be the most reliable exchange for the emerging digital asset class.

No technology is perfect and Bybit believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. Bybit looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Response Targets

Bybit Fintech Ltd will make a best effort to meet the following SLAs for hackers participating in our program:

Type of Response	SLA in business days
First Response	2 days
Time to Triage	2 days
Time to Bounty	14 days
Time to Resolution	depends on severity and complexity

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Avoid employing automated scanning tools, as submissions identified through such means cannot be accepted.
Avoid negatively impacting or disruptive actions that may affect the availability of our services (e.g. DoS/DDoS)

Test Plan

If you are interested in testing our asset-related features, but lack the necessary assets to conduct testing, you can register accounts and apply test tokens in the asset dashboard via https://testnet.bybit.com. (*Please note that Testnet utilizes test coins that hold no real value. To ensure our users enjoy an optimal experience with our products, we've opted not to impose stringent 2FA restrictions. Consequently, reports of bypassing 2FA on the Testnet will not be accepted).
Web3-related assets, please refer to https://www.bybit.com/en/web3/home.
Sign Up using your HackerOne email alias
Need to contact Bybit? Feel free to contact us at [email protected]

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

Any activity that could lead to the disruption of our service (DoS, DDoS).
Social engineering of our employees or contractors, unless explicitly authorized.
Attacks against our physical facilities, unless explicitly authorized.
Attacks requiring physical access to a users’ device, unless the device is in-scope and explicitly hardened against physical access.
Attacks requiring disabling Man In The Middle (MITM) protections.
Attacks only affecting obsolete browsers or operating systems.
Missing best practices (SSL/TLS configuration, Content Security Policies, cookie flags, tabnabbing, autocomplete attribute, email SPF/DKIM/DMARC records), unless a significant impact can be demonstrated.
Clickjacking or Cross-Site Request Forgery (CSRF) on unauthenticated pages / forms with no sensitive actions.
Open redirects, unless a significant impact can be demonstrated.
Self-exploitation (self XSS, self denial-of-service, etc.), unless a method to attack a different user can be demonstrated.
Content spoofing, text injection and CSV injection, unless a significant impact can be demonstrated.
Software version disclosure / Banner identification issues / Descriptive error messages or stack traces.
Issues that require unlikely user interaction by the victim.
Any attack that requires a user to interact with contract from an attacker controlled website
Chain specific vulnerabilities are excluded, (e.g. EVM or Solana runtime issues)
Integrated Dapp vulnerabilities are excluded (e.g. Uniswap、Curve、GMX、1inch)

#Downgrade Scenarios

Vulnerabilities that cannot be reproduced stably.
Issues with very small scope of impact (e.g., systems with only a few users, old systems with minimal data).
Short-lived cache poisoning with limited scope (e.g., only regional CDN nodes) or easily overwritten.
High-difficulty brute-force scenarios (e.g., 6-digit+ verification codes, passwords, authentication info).
Capital loss or controllable risks within normal business expectations.

Safe Harbor

Gold Standard SAafe Harbor applies to this program

Thank you for helping keep Bybit Fintech Ltd and our users safe!

Response Targets

Bybit Fintech Ltd will make a best effort to meet the following SLAs for hackers participating in our program:

Type of Response	SLA in business days
First Response	2 days
Time to Triage	2 days
Time to Bounty	14 days
Time to Resolution	depends on severity and complexity

We’ll try to keep you informed about our progress throughout the process.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Avoid employing automated scanning tools, as submissions identified through such means cannot be accepted.

Avoid negatively impacting or disruptive actions that may affect the availability of our services (e.g. DoS/DDoS)

Test Plan

If you are interested in testing our asset-related features, but lack the necessary assets to conduct testing, you can register accounts and apply test tokens in the asset dashboard via https://testnet.bybit.com. (*Please note that Testnet utilizes test coins that hold no real value. To ensure our users enjoy an optimal experience with our products, we've opted not to impose stringent 2FA restrictions. Consequently, reports of bypassing 2FA on the Testnet will not be accepted).

Web3-related assets, please refer to https://www.bybit.com/en/web3/home.

Need to contact Bybit? Feel free to contact us at [email protected]

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

Any activity that could lead to the disruption of our service (DoS, DDoS).

Social engineering of our employees or contractors, unless explicitly authorized.

Attacks against our physical facilities, unless explicitly authorized.

Attacks requiring physical access to a users’ device, unless the device is in-scope and explicitly hardened against physical access.

Attacks requiring disabling Man In The Middle (MITM) protections.

Attacks only affecting obsolete browsers or operating systems.

Missing best practices (SSL/TLS configuration, Content Security Policies, cookie flags, tabnabbing, autocomplete attribute, email SPF/DKIM/DMARC records), unless a significant impact can be demonstrated.

Clickjacking or Cross-Site Request Forgery (CSRF) on unauthenticated pages / forms with no sensitive actions.

Open redirects, unless a significant impact can be demonstrated.

Self-exploitation (self XSS, self denial-of-service, etc.), unless a method to attack a different user can be demonstrated.

Content spoofing, text injection and CSV injection, unless a significant impact can be demonstrated.

Software version disclosure / Banner identification issues / Descriptive error messages or stack traces.

Issues that require unlikely user interaction by the victim.

Any attack that requires a user to interact with contract from an attacker controlled website

Chain specific vulnerabilities are excluded, (e.g. EVM or Solana runtime issues)

Integrated Dapp vulnerabilities are excluded (e.g. Uniswap、Curve、GMX、1inch)

#Downgrade Scenarios

Vulnerabilities that cannot be reproduced stably.

Issues with very small scope of impact (e.g., systems with only a few users, old systems with minimal data).

Short-lived cache poisoning with limited scope (e.g., only regional CDN nodes) or easily overwritten.

High-difficulty brute-force scenarios (e.g., 6-digit+ verification codes, passwords, authentication info).

Capital loss or controllable risks within normal business expectations.