Welcome To Barter Trade

Bug Bounty Program

The Barter Trade Bug Bounty Program rewards only those security researchers who reliably follow the disclosure guidelines below and who do not share information about a vulnerability with the public. Please note that it may take us a few days to review and respond after we receive your report.

Ensuring security is of utmost importance to us. We appreciate and reward the responsible notification of vulnerabilities found in Barter Trade.

Rewards

Rewards are tiered by the technical severity of the bug reported during the beta testing phase.

Severity          Reward
Major / Critical  $500 - $1000 in USD, with the rest in BRT tokens
Moderate          $50 - $100 in USD, with the rest in BRT tokens
Low               $5 - $25 in USD, with the rest in BRT tokens

Examples of bugs rewarded under these tiers:
  • Bugs in system architecture
  • Backdoor vulnerabilities (e.g. possibility of DDoS)
  • Server backdoor vulnerabilities
  • Errors in the code
  • Trading overloading issues
  • Order calculation errors
  • Order execution time calculation errors
  • Errors in order types
  • Sign-up and sign-in problems
  • UI errors and bugs
  • 2FA captcha errors

In general, any bug that could lead to a data breach or financial loss is considered highest severity. All Barter Trade Exchange services (Exchange & API) are normally eligible for the Bug Bounty Program. In certain cases we also consider defense-in-depth reports or other best-practice findings for a reward, at our own discretion.

Barter Trade will issue rewards within 4 - 6 weeks of receiving the bug report. Please include your ERC-20 address to receive rewards; the equivalent amount in ETH or BRT will be sent to that address.

In Scope Vulnerabilities:

Security concerns that typically qualify (though not necessarily in all cases) for the Bug Bounty Program include:

  • Remote Code Execution
  • CSRF (Cross-Site Request Forgery)
  • SQL Injections
  • File Inclusion (Remote & Local)
  • XSS (Cross-Site Scripting)
  • Privilege Escalations
  • Manipulation in Account Balance
  • Code Executions
  • Authentication Bypasses
  • SSRF (Server Side Request Forgery)
  • Leakage of privileged information/sensitive data
  • Payment Manipulation
  • Protection Mechanism Bypasses
  • Directory Traversal
  • Partial Authentication Bypass
  • Vulnerabilities that can amount to data or financial loss
  • Open redirects that may lead to stolen secrets/tokens
  • Administration portals that lack an authentication mechanism
Please Note:  Privileged information includes API keys, passwords, social security numbers, bank account numbers or equivalents.

Out of Scope Issues:

Issues that are not covered by the bounty program include:

  • Captcha-related concerns
  • Denial of Service (DoS) attacks
  • Cache poisoning
  • Deficient rate limiting mechanisms
  • Open redirects that do not have a serious impact
  • Clickjacking
  • Self-XSS
  • Application stack traces
  • CSRF issues on actions with minimal impact
  • Brute force attacks
  • Missing SPF records
  • Best-practice findings such as missing security headers
  • Third-party vulnerabilities, unless they affect the main site
  • Spamming, social engineering and DDoS attacks
  • Vulnerabilities in outdated operating systems
  • Vulnerabilities that result in Man-in-the-Middle (MiTM) attacks
  • Issues that are not reproducible
  • Issues that cannot be fixed
  • Bugs that have already been reported to us by someone else
  • Bugs reported without following the rules and regulations of Barter Trade
  • Issues related to cache control
  • Bugs in the website or products of any acquisition for a period of 180 days after its public announcement
  • Reports on issues that do not affect our system's operation, or problems that the customer can resolve on their own

Guidelines and Rules:

To participate in our program, please follow the given rules and guidelines:

  1. You can participate in this program if:
    1. You are at least 14 years old. If you are at least 14 but are considered a minor where you reside, you need the permission of your parent or legal representative to participate in this Bug Bounty Program.
    2. You are an individual security researcher acting on your own behalf.
    3. You are NOT an active employee of Barter Trade or its subsidiaries or business partners, nor an immediate family member (parent, relative, spouse or child) of such an employee.
  2. Report your findings by writing to us directly using this form, without making any information public or sharing it with any other entity.
  3. Keep the information about the vulnerability you have discovered confidential. Researchers are expected not to access or destroy other users' data.
  4. Do not exploit vulnerabilities without permission.
  5. If the same vulnerability is reported by several researchers, the reward goes to the first person who reported it.
  6. Fill out the form when you find any bugs during the beta testing. You can resubmit the form as many times as you want. Remember, it is *first come, first served* until all the rewards have been distributed.
  7. Do not compromise any private data or cause the degradation or interruption of any service.
  8. Do not modify or access the data of other users. All tests must be confined to your own account.
  9. Do not try to exploit DDoS/DoS vulnerabilities, or carry out spam or social engineering attacks.
  10. If you discover a chain of vulnerabilities, we pay only for the one with the highest severity.
  11. If several bugs are discovered, only the first bug will be considered eligible for a reward.
  12. Stay within the defined scope of the program, without breaking any of the rules set out here.
  13. Do not disclose any information about vulnerabilities publicly until you are granted the right to do so.
  14. Do NOT send any tokens to our platform. We will provide you with tokens to beta test our platform.
  15. We reserve the right to publish lists of error reports and a list of researchers who provided useful security reports. You can notify us that you want to remain anonymous to the public, but we need to know your legal name and address to pay you.

Prohibited activities

  • You must not use errors for your own or a third party's benefit, nor to damage our trading system, software, etc.
  • You must not disclose the contents of your error report or publish it on other resources.
  • You must not break the law or compromise any data that is not your own when testing an error or sending an error report.
  • When investigating an error, you should focus only on your own accounts. Never try to gain access to someone else's account or data, and do not take any action that may be unacceptable or damaging to other Barter Trade users or to Barter Trade itself.
  • When researching, you must not use the following methods: DDoS attacks, black-hat SEO techniques, spamming people, or writing or using Expert Advisors that exploit errors.
  • We also prohibit the use of testing tools that are known to automatically generate heavy traffic against the website/application.

If our team finds that you have committed any of the actions listed above, you will not receive a reward. If you report an error that was used during a current or past attack, and we have reason to suspect that you were the attacker, we reserve the right not to pay a reward.

Submission process:

If you have found a security vulnerability on our platform, please send the details to us using this form.

Your report should contain the following details:

  1. A description of the impact and location of the vulnerability
  2. Proof of the reported vulnerability as a script, screenshots or video. Uploading the files to public platforms such as YouTube, Imgur etc. is strictly prohibited.
  3. The more information you provide through text, screenshots or a short video, the easier it is for our developers to identify the problem and the more likely we are able to reward you.
  4. The details should preferably include the URL, a description of the browser, device, OS and app version, and the parameters affected
  5. A description of the impact of the vulnerability as you perceive it
  6. A detailed description of the steps needed to reproduce the bug
  7. Suggestions for fixing the issue (optional)
  8. Email details for communication
  9. ERC-20 wallet address for depositing the reward
  10. The Security Team will be in touch, usually within 24 hours

To participate, sign up on www.bartertrade.io . If you have any questions or issues, please contact us on Telegram https://t.me/BarterTradeofficial or through email support@bartertrade.io .

How is your error report examined?

Our research team will verify all correctly submitted bug reports and confirm their eligibility. Barter Trade reserves the right to determine which error reports qualify. Given the number of submitted reports and their complexity and completeness, examining your report may take some time. Please refrain from disclosing the contents of your error report or publishing it on other resources.

Miscellaneous

Barter Trade reserves the full right to cancel the Bug Bounty Program at any time or for any reason it deems appropriate. Please ensure that you have carefully read and understood all the terms and conditions of this program before preparing and sending us the error report.

By sending a bug report to us, you are deemed to agree to all the terms and conditions associated with this program. If you do not agree to these terms, please do not send us an error report or otherwise participate in our Bug Bounty Program.
