Get Rewards for finding Bugs

bug bounty at CoinDCX

CoinDCX is one of the most secure and safe exchanges both in India and across the globe. At CoinDCX, the security of the digital assets and the private information of our users is paramount. Our platform is built with industry-leading security protocols that are regularly tested to check any violations. Whenever loopholes are found in the system, we plug them immediately without any errors.

CoinDCX recognizes the value of security experts and researchers in helping us with making our community safer. This is why CoinDCX is introducing its BUG BOUNTY PROGRAM.

We encourage responsible disclosure of security vulnerabilities via this program. Please follow the program policies to report your bugs. Breaching the program policies can also result in legal consequences on the violator.

Program Policies

A Valid Report is a report that clearly states a platform vulnerability that poses threat on CoinDCX or CoinDCX customers. A report must be valid, in scope report in order to qualify for a bounty. CoinDCX will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.

Rewards Criteria

The rewards of the Bug Bounty Program will be determined based on the severity of the reported bug.

Low- USD 100 in BTC

Medium – USD 500 in BTC

High – USD 750 in BTC

Critical – USD 1000 in BTC

Note – This program is for the disclosure of platform security vulnerabilities only. If you believe your CoinDCX account has been compromised, kindly raise a support ticket at [email protected]

What To Include In The Report

The report must demonstrate a platform vulnerability in services provided by CoinDCX to CoinDCX and CoinDCX customers. The report must clearly explain the severity of the exploitation of the platform and other following consequences the reported bug can have. The severity of the bug will be evaluated based on the exploitation and the consequences a bug can pose on the platform. We suggest to keep the report as detailed as possible. If the report is not detailed enough to reproduce the issue, the issue might result in lesser reward than the stated.

Responsible investigation and reporting includes agreement to the following policies:

  • Violation of the privacy of other users, destruction of data, disrupting our services, or any activity of similar nature are strictly prohibited.
  • Use your own accounts in the process of investigating the bug. Don’t target, attempt to access, or otherwise disrupt the accounts of other users.
  • Don’t target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.
  • Report the bug only to us and not to anyone else. Details of the vulnerabilities should not be shared with any other party.
  • Maintain a good faith effort to preserve the confidentiality and integrity of any CoinDCX customer data
  • Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.
  • Any Social Engineering attacks against CoinDCX employees will be considered a violation of Program Policies. Researchers engaging in such activities will be banned from the program.
  • In general, please investigate and report bugs in a way that makes a reasonable, good-faith effort not to be disruptive or harmful to us or our users. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.

Eligible Vulnerabilities

Bugs that are eligible for this program are following:

  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Code Injection
  • Remote Code Execution
  • Privilege Escalation
  • Authentication Bypass
  • Clickjacking
  • Leakage of Sensitive Data
  • Indirect Object reference(IDOR)

Ineligible Vulnerabilities

Bugs that are out-of-scope hence stand ineligible for this program are following:

  • Bugs on sites hosted by third parties (CoinDCX Support) unless they lead to a vulnerability on the main website.
  • Bugs on the blog (
  • Bugs contingent on physical attack, social engineering, spamming, DDOS attack, etc.
  • Bugs affecting outdated or unpatched browsers.
  • Bugs in third-party applications that make use of CoinDCX’s API.
  • Bugs that have not been responsibly investigated and reported.
  • Bugs already known to us, or already reported by someone else (reward goes to first reporter).
  • Issues that aren’t reproducible.
  • Issues that we can’t reasonably be expected to do anything about.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user’s device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Path disclosure.
  • CSP Headers, X-Frame-Options, Content sniffing, HPKP, etc
  • Non sensitive information, such as product version
  • Public user information, such as nick name / screen name
  • Published and non-published SPF and DMARC policies
  • Missed SSL or another BCP for products beyond the main scope
  • Security of rooted, jailbreaked or otherwise modified devices and applications
  • Ability to reverse-engineer an application, lack of binary protection
  • Open redirects on dedicated redirectors are not accepted. Open redirects for product domains are accepted in few scopes, but are not qualified for reward. If additional security impact is identified, e.g. ability to steal authenticated information or funds, the report can be accepted for any scope, bounty depends on the scope policy for client side vulnerabilities.
  • Plain text, sound, image, video injection into server’s reply outside of UI (e.g. in JSON data or error message) if it doesn’t lead to UI spoofing, UI behavior modification or another negative impact.
  • IDN homograph attacks
  • XSPA (IP/port scanning to external networks)
  • Ability to send large amount of messages, spam or malware file
  • Unused or properly restricted JS API keys (e.g. API key for external map service)
  • Ability to perform an action unavailable via user interface without identified security risks
Daily Trading Volume

Report Your Bug

To report your bug kindly take the following steps

  • Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or proof of concept.
  • Please allow 2 business days for us to respond before sending another email.
  • CoinDCX reserves the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.