Home Markets Trade Portfolio Dashboard

Bug Bounty Program

Help us keep NovaTrace secure and earn rewards for responsibly disclosing vulnerabilities.

$2.5M+
Total Paid to Researchers
1,200+
Bugs Resolved
500+
Active Security Hunters
$100,000
Maximum Reward per Bug

Reward Tiers

Critical

$10,000 – $100,000

Remote code execution, smart contract exploits, unauthorized fund access, authentication bypass affecting all users, private key exposure, or complete system compromise.

High

$5,000 – $10,000

Privilege escalation, significant data leaks, CSRF on critical actions, SQL injection, server-side request forgery (SSRF), or vulnerabilities enabling unauthorized trading.

Medium

$1,000 – $5,000

Cross-site scripting (XSS), insecure direct object references, information disclosure of sensitive data, session management flaws, or API rate limit bypasses.

Low

$100 – $1,000

Open redirects, clickjacking on non-sensitive pages, verbose error messages, minor information leaks, missing security headers, or low-impact configuration issues.

Program Scope

In Scope

  • NovaTrace web application (novatrace.com)
  • NovaTrace REST and WebSocket APIs (api.novatrace.com)
  • iOS and Android mobile applications
  • Authentication and authorization systems
  • Trading engine and order matching system
  • Wallet and withdrawal infrastructure
  • Smart contracts deployed by NovaTrace
  • Payment processing and fiat on-ramp systems

Out of Scope

  • Social engineering or phishing attacks on staff
  • Denial of service (DoS/DDoS) attacks
  • Physical security testing or office access
  • Third-party services, integrations, or dependencies
  • Bugs in outdated browsers or deprecated features
  • Self-XSS or issues requiring unlikely user interaction
  • Missing best practices without demonstrated impact
  • Spam, rate limiting, or brute force without real impact

Submission Guidelines

  1. Discover a vulnerability — Test only against your own accounts. Never access, modify, or delete data belonging to other users.
  2. Document your findings — Provide a clear description, reproduction steps, screenshots or video proof-of-concept, and potential impact assessment.
  3. Submit your report — Email your findings to security@novatrace.com with the subject line "[Bug Bounty] - Brief Title". Include your NovaTrace user ID for reward payout.
  4. Wait for triage — Our security team will acknowledge your report within 24 hours and provide an initial severity assessment within 72 hours.
  5. Coordinate disclosure — Do not publicly disclose the vulnerability until we have confirmed the fix has been deployed. We ask for a minimum 90-day disclosure window.
  6. Receive your reward — Once the fix is verified and deployed, bounty payments are processed within 14 business days via your preferred method (crypto or bank transfer).

Rules of Engagement

Use test accounts only

Create your own test accounts. Never interact with other users' data or accounts.

No automated scanning

Do not use automated vulnerability scanners against production systems without prior approval.

Keep it confidential

Do not discuss or disclose findings publicly until the issue has been resolved and approved.

Act in good faith

Make a genuine effort to avoid privacy violations, data destruction, and service disruption.

Hall of Fame

Recognizing our top security researchers who have made NovaTrace safer for everyone.

Alex Chen

28 vulnerabilities reported

6 Critical

Sarah Kim

22 vulnerabilities reported

4 Critical

Marcus Rivera

19 vulnerabilities reported

8 High

Priya Patel

15 vulnerabilities reported

5 High

Ready to Hunt?

Join hundreds of security researchers protecting the NovaTrace platform and earning rewards.

Submit a Report