Totalcoin Bug Bounty Program

You can send a bug report via email: [email protected]

Rewards are distributed depending on the severity of the reported vulnerability.

Please note that the program does not apply to bugs found on our web portal. No rewards will be distributed for bugs found on the portal.

Severity Level   USD
Low              up to 200.00
Medium           up to 500.00
High             up to 2,500.00
Critical         up to 30,000.00



  • Non-critical impact on performance of the platform
  • Lack of rate-limits (with impact)


  • XSS (with impact)
  • CSRF (with impact)


  • RCE
  • 2FA bypass
  • Privilege escalation attack
  • Critical impact on performance of the platform
  • Reading or changing of large amounts of sensitive data


  • Authentication bypass
  • Unauthorized asset transfer
  • Manipulating funds balances

Ineligible conditions of the Bug Bounty Program

  • Social Engineering
  • Any vulnerabilities in third-party or open-source libraries/software
  • Physical access to a user’s web browser or smartphone
  • DDoS (Distributed Denial of Service) attacks
  • Vulnerabilities that require 'MITM'
  • Any kind of brute-force attacks
  • Spam
  • Non-reproducible vulnerabilities
  • Business logic errors
  • UX issues not relating to security impacts

Bounty payout is carried out in BTC or USDT to the internal Totalcoin platform address.