Please ensure that you adhere to the following rules when submitting your bug report:

  1. All bugs must be new discoveries. Only submit a bug report that you have discovered yourself. Bug rewards will only be provided to the first person who submits a particular security vulnerability.
  2. Do not disclose the bug to anyone else.
  3. Your bug report should include a clear statement of the bug you found, which BTCC service it affects, and your proof of concept.
  4. You should not exploit the bug for profit including but not limited to stealing data from BTCC or its users.
  5. You should not use the bug to disrupt BTCC’s website or servers.

To encourage the reporting of bugs, no legal action will be taken against those who report bugs.


We categorize bug reports into low, medium, and high security risk vulnerabilities. Rewards are administered according to the following guidelines:

  1. Low security vulnerability - At least $50 USD per vulnerability discovered.
  2. Medium security vulnerability - At least $100 USD per vulnerability discovered.
  3. High security vulnerability - At least $500 USD per vulnerability discovered.

We have not set a maximum reward for the reporting of security vulnerabilities, and may increase reward amounts based on the severity of the vulnerability found. The specific amount of the bug will vary according to:

  1. The effect of the bug.
  2. The cause of the bug.
  3. Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.
  4. The process through which the bug was discovered.

Eligible Bug Types

All security vulnerabilities that threaten BTCC and its users’ data and finances are eligible for this bug bounty program. These include but are not limited to:

  • XSS.
  • CSRF.
  • SQL injection.
  • Remote code execution.
  • Authentication bypasses.

Ineligible Bug Types

The following security vulnerabilities are ineligible for this bug bounty program:

  • Self-XSS or logout-CSRF.
  • Social engineering, DOS/DDOS and other usability issues.
  • Vulnerabilities related to 3rd-party applications or APIs.
  • HttpOnly flag, secure flag, browser cache, cookie structure, protocol complexity, server version etc..
  • Already known issues, e.g. issues already reported by other researchers.

To report security vulnerabilities, please send an email to: