@ 2025 Backpack Exchange
Bug Bounty Program


Last updated 2 months ago

We are pleased to announce the launch of our new bug bounty program.

In our commitment to ensuring a secure trading environment for our users as continues to grow, we are leveraging the expertise of our community to enhance the platform's security.


Rules

Rewards are categorized into five tiers based on the severity of the identified vulnerabilities.

The reward amounts are as follows:

  • Critical: $10,000 - $100,000 USD

  • High: $5,000 - $10,000 USD

  • Medium: $500 - $5,000 USD

  • Low: $50 - $500 USD


Upon acceptance of your bug or vulnerability report, rewards will be disbursed in USDC. Please note that the threat level will be assessed by the Backpack security team, and Backpack reserves the sole discretion to determine whether a report meets the reward criteria.


Scope of Vulnerabilities

The following modules are within the scope of the bug bounty program:


Criteria

Reports should focus on the following types of vulnerabilities:

  • Issues with business logic that may result in the loss of user assets.

  • Payment manipulation.

  • Remote code execution (RCE).

  • Leakage of sensitive information.

  • Critical OWASP issues such as XSS, CSRF, SQLi, SSRF, IDOR, and similar vulnerabilities.

  • Other vulnerabilities that may result in potential loss.


Exclusions

The following issues are not within the scope of the bug bounty program:

  • Theoretical vulnerabilities that have not been proven.

  • Flaws in email verification codes, expired password reset links, and password complexity policies.

  • Clickjacking and UI redirection with minor security impact.

  • Vulnerabilities in third-party applications or software.

  • Zero-day exploits that are less than 30 days old.

  • Social engineering and phishing attacks.

  • Denial of Service (DoS) attacks.

  • Enumeration of email, phone number, or username information.

  • Known issues, duplicate submissions, or vulnerabilities already disclosed.

  • Physical attacks.

  • Vulnerabilities that can only be exploited in older versions of browsers or platforms.

  • Using known codebase vulnerabilities without actual proof.

  • Lack of security flags in cookies.

  • Issues related to insecure SSL/TLS sockets or protocol versions.

  • Content-based deception.

  • Cache management issues.

  • Internal IP or domain name leakages.

  • Missing security headers that cannot be directly exploited.

  • CSRF issues with negligible impact (such as adding to favorites, adding to cart, subscribing, etc.).

  • Issues without any security impact.


We look forward to your participation and thank you for helping us maintain a secure and trustworthy trading environment.

For any queries or submissions, please contact us at bugbounty@backpack.exchange.