$2.5M+
Total Paid to Researchers
500+
Active Security Hunters
$100,000
Maximum Reward per Bug
Reward Tiers
Critical
$10,000 – $100,000
Remote code execution, smart contract exploits, unauthorized fund access, authentication bypass affecting all users, private key exposure, or complete system compromise.
High
$5,000 – $10,000
Privilege escalation, significant data leaks, CSRF on critical actions, SQL injection, server-side request forgery (SSRF), or vulnerabilities enabling unauthorized trading.
Medium
$1,000 – $5,000
Cross-site scripting (XSS), insecure direct object references, information disclosure of sensitive data, session management flaws, or API rate limit bypasses.
Low
$100 – $1,000
Open redirects, clickjacking on non-sensitive pages, verbose error messages, minor information leaks, missing security headers, or low-impact configuration issues.
Program Scope
In Scope
-
NovaTrace web application (novatrace.com)
-
NovaTrace REST and WebSocket APIs (api.novatrace.com)
-
iOS and Android mobile applications
-
Authentication and authorization systems
-
Trading engine and order matching system
-
Wallet and withdrawal infrastructure
-
Smart contracts deployed by NovaTrace
-
Payment processing and fiat on-ramp systems
Out of Scope
-
Social engineering or phishing attacks on staff
-
Denial of service (DoS/DDoS) attacks
-
Physical security testing or office access
-
Third-party services, integrations, or dependencies
-
Bugs in outdated browsers or deprecated features
-
Self-XSS or issues requiring unlikely user interaction
-
Missing best practices without demonstrated impact
-
Spam, rate limiting, or brute force without real impact
Submission Guidelines
-
Discover a vulnerability — Test only against your own accounts. Never access, modify, or delete data belonging to other users.
-
Document your findings — Provide a clear description, reproduction steps, screenshots or video proof-of-concept, and potential impact assessment.
-
Submit your report — Email your findings to security@novatrace.com with the subject line "[Bug Bounty] - Brief Title". Include your NovaTrace user ID for reward payout.
-
Wait for triage — Our security team will acknowledge your report within 24 hours and provide an initial severity assessment within 72 hours.
-
Coordinate disclosure — Do not publicly disclose the vulnerability until we have confirmed the fix has been deployed. We ask for a minimum 90-day disclosure window.
-
Receive your reward — Once the fix is verified and deployed, bounty payments are processed within 14 business days via your preferred method (crypto or bank transfer).
Rules of Engagement
Use test accounts only
Create your own test accounts. Never interact with other users' data or accounts.
No automated scanning
Do not use automated vulnerability scanners against production systems without prior approval.
Keep it confidential
Do not discuss or disclose findings publicly until the issue has been resolved and approved.
Act in good faith
Make a genuine effort to avoid privacy violations, data destruction, and service disruption.
Hall of Fame
Recognizing our top security researchers who have made NovaTrace safer for everyone.
Alex Chen
28 vulnerabilities reported
6 Critical
Sarah Kim
22 vulnerabilities reported
4 Critical
Marcus Rivera
19 vulnerabilities reported
8 High
Priya Patel
15 vulnerabilities reported
5 High
Ready to Hunt?
Join hundreds of security researchers protecting the NovaTrace platform and earning rewards.
Submit a Report