About the Bounty Program
Coincall is a leading global cryptocurrency derivatives trading platform. We are committed to building a trading ecosystem that is both simple to use and powerful. Through our innovative technology and user-friendly design, options and futures trading are no longer reserved only for financial experts. Instead, investors around the world can easily participate and unlock the huge potential of the cryptocurrency market.
Through Coincall, we aim to improve the capital freedom and trading efficiency of users around the world in the cryptocurrency derivatives market.
Policy
Coincall always regards the security of users’ information and funds as our top priority. Therefore, we work hard to provide the safest platform and create the safest trading environment.
We will evaluate reported security issues based on their security impact on users and all business systems under Coincall.
This bounty policy describes the rules of the Coincall Vulnerability Bounty Program, as well as the eligibility criteria and rewards for vulnerabilities.
Our rewards refer to the severity levels of CVSS, the Common Vulnerability Scoring System. Please note that these are only general guidelines. Final rewards are determined at the sole discretion of Coincall’s business and security teams based on impact and exploitability.
The minimum payout for accepted reports with lower severity but direct exploitability is USD 100. The maximum reward is USD 3,000. We may award a higher amount depending on the severity or creativity of the discovered vulnerability.
Severity
| Severity | Reward Range | Examples |
|---|---|---|
| Critical | $1,000 - $3,000 | Vulnerabilities such as unauthorized access to user funds or sensitive information, issues that may cause significant fund losses, or issues that affect normal trading. The vulnerability must be practically exploitable, not merely conceptual. |
| High | $500 - $1,000 | SQL injection in core business systems, remote code execution, command execution, trading business logic vulnerabilities, etc. |
| Medium | $200 - $500 | SQL injection in general business systems, trading business logic vulnerabilities, etc. |
| Low | $100 | Reflected XSS, open redirects, etc. |
Rewards can be paid in USDT or CALL.
Once your submission is accepted, please provide one of the following in order to receive the reward:
- Your registered Coincall account information, such as your email address
- Your TRC20 wallet address
We recommend that researchers create a dedicated private Coincall account.
Please note that the price of CALL may fluctuate with changes in the cryptocurrency market.
Please Note
- To report a vulnerability, please contact us at bug_bounty@coincall.com.
- Only reports that provide valid proof and demonstrate how a specific vulnerability can be exploited are eligible for rewards. Coincall reserves the right of final interpretation and the right to decide which reports meet the reward criteria.
- Coincall expects to work with the community to ensure that every researcher’s contribution is fairly rewarded. For security vulnerabilities that have a serious impact on the business, we will provide additional rewards.
Scope
*.coincall.com
Excluding:
- mmjira.coincall.com
- blotter.coincall.com
- App
Notes
- Any domains or assets not listed are out of scope. If you believe that a specific asset or activity not mentioned here should be included in scope, please submit a report and briefly explain why you believe the asset should be included.
- Researchers must not attempt to transfer any funds. If a proof of concept requires such an attempt, the researcher must contact Coincall first and seek approval. Researchers who attempt to transfer funds without prior approval are not eligible for a bounty.
- If an issue reported in one of our businesses or systems also affects other businesses or systems and has the same root cause, the issue will be treated as a single issue. Please do not report the same bug multiple times.
Examples of Vulnerabilities We Care About
- Vulnerabilities that may remotely cause users to lose funds or assets
- Denial of service affecting core business applications, excluding DDoS and CC attacks
- Remote code execution
- SQL injection
- SSRF
- Arbitrary file read
- Business logic vulnerabilities that may cause user fund loss or create risks for users
- Other serious vulnerabilities
Ineligible Issues
The following issues will be closed as out of scope:
- Theoretical vulnerabilities without a real proof of concept
- Issues that do not affect security, such as a webpage failing to load
- Assets that do not belong to Coincall
- Security best-practice issues that are not directly exploitable vulnerabilities
- Email verification flaws, password reset link expiration issues, and password complexity policy issues
- Invalid or missing SPF records, or incomplete/missing SPF, DKIM, or DMARC records
- Low-risk clickjacking or UI modification
- Email or user enumeration, such as identifying whether an email is registered through password reset
- Low-risk information disclosure, such as stack traces, path disclosure, directory listings, or logs
- Internally known issues, duplicate issues, or publicly disclosed issues
- Tab-nabbing
- Self-XSS
- Vulnerabilities related to outdated browsers or platforms, such as XSS that depends on Adobe Flash
- Vulnerabilities related to web form autofill
- Use of known vulnerable libraries without a real proof of concept
- Missing security flags in cookies
- Issues related to insecure SSL/TLS cipher suites or protocol versions
- Content spoofing
- Cache-control-related issues
- Exposure of internal IP addresses or domains
- Missing security headers that do not lead to direct exploitation
- CSRF in non-critical functions, such as login, logout, or subscribing to non-critical features
- Vulnerabilities requiring root or jailbroken devices
- Vulnerabilities requiring physical access to a user’s device
- Actions that affect normal business operations, such as DoS or DDoS
- Reports generated by automated tools or scanners
- Links to invalid or expired pages
- Risks related to Zendesk or other third-party platforms
- Spam sending
- Social engineering
- Any low-impact issues related to session management, such as concurrent sessions, session expiration, password reset/change logout behavior, etc.
- Client application or browser autocomplete, or saved passwords/credentials
- Missing or enabled HTTP headers/methods that do not directly lead to a security vulnerability
- Reuse of password reset links or cookies
- Issues that can only affect your own account
Risk Avoidance
- When conducting security testing, please comply with all applicable local laws and regulations.
- Accessing or modifying other users’ data is prohibited. Actions that interrupt services are also prohibited.
- Exploiting vulnerabilities in a way that causes actual harm to Coincall or Coincall users is prohibited.
- When submitting a vulnerability, please preserve the details of the issue as much as possible and avoid public disclosure until the issue is resolved.
- Follow all relevant platform policies.