Responsible Disclosure

Bug Bounty Program

Help us protect 248,000+ users. Earn up to $50,000 for critical vulnerabilities.

Report a Vulnerability

$340K+

Total rewards paid

180+

Reports resolved

< 48h

Average triage time

Reward Tiers

Critical: $10,000 – $50,000
  • Remote code execution on SwiftBit infrastructure
  • Authentication bypass allowing account takeover
  • Private key or seed phrase exposure
  • Direct theft of user funds via smart contract exploit
High: $2,500 – $10,000
  • SQL injection or NoSQL injection with data exfiltration
  • Privilege escalation to admin-level access
  • Bypassing transaction signing or approval mechanisms
  • Mass account enumeration exposing PII
Medium: $500 – $2,500
  • Stored XSS with significant impact
  • CSRF on sensitive actions (transfers, settings)
  • Insecure direct object references (IDOR) to other users' data
  • Bypassing rate limits on authentication endpoints
Low: $100 – $500
  • Reflected XSS with low exploitability
  • Open redirect to a non-sensitive resource
  • Missing security headers (HSTS, CSP, etc.)
  • Information disclosure of non-sensitive data

In Scope

  • app.swiftbit.com (web platform)
  • api.swiftbit.com (REST API)
  • SwiftBit iOS & Android applications
  • auth.swiftbit.com (authentication service)

Out of Scope

  • Social engineering attacks against SwiftBit staff
  • Physical attacks against SwiftBit offices or infrastructure
  • DoS / DDoS attacks
  • Issues requiring unlikely user interaction
  • Vulnerabilities in third-party services we use
  • Known CVEs not yet patched upstream

Responsible Disclosure Rules

  • Do not access, modify, or delete data belonging to other users.
  • Do not perform actions that could disrupt service availability (DoS).
  • Do not disclose the vulnerability publicly before we have released a fix.
  • Give us at least 90 days to patch before public disclosure.
  • Only test against accounts you own or have explicit permission to test.
  • Report all findings to swiftbitsupport@outlook.com with full reproduction steps.

Researchers who follow our responsible disclosure policy will not face legal action. SwiftBit reserves the right to determine reward amounts based on the impact of the vulnerability and the quality of the report.