Bounty Program


Welcome to the Ionomy Bounty Program. Our mission is to provide a stable and secure platform for our users. Our users should feel confident that ionomy is taking appropriate measures to ensure stability of our wallets and the integrity of our trading engines. In order to achieve these goals we are looking outward to our fellow security professionals and inviting them to participate in our bug bounty program. If you find a flaw or security issue in our product or service, we encourage you to notify us. Ionomy will make best efforts to reply to issues reported within 2 business days, and keep the reporter informed of the progress as it is resolved.


  • Please provide detailed reports with reproducible steps.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

Program Rules

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.


When reporting vulnerabilities, please consider - attack scenario - exploitability, and - security impact of the bug. The following issues are currently in scope:

  • Clickjacking on pages
  • Unauthenticated/logout/login
  • Vulnerable libraries with a working Proof of Concept..
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues showing an attack vector being able to modify HTML/CSS
  • OWASP top ten

Out of Scope

  • Any activity that could lead to the disruption of our service (DoS).
  • Any activity that would disrupt normal operations of Ionomy’s website, wallet or exchange

Small note

We do have Cash Bounties that range from 50 dollars to 1,000 dollars (Not every vulnerability will be classified as a cash payout unless there is proof of an actual security leak.) . Each Vulnerability will be assessed on a per case basis. We will have our Security team review each possible Valid report and that same team will be testing your exploit based of your instructions in the email. An example report is below describing how we would like your report to look to ensure our security team will be able to validate your finding which will lead to your payout getting approved.

Submit bounty reports to

Summary (what is the summary of your vulnerability)

Description( please provide a detailed description about the vulnerability)

Add details of how we can reproduce the Vulnerability
Step 2:
Step 3:

Include the browsers your Vulnerability work on

List any other documentation such as screenshot to support your finding

Once this format has been sent to the email address and you have attached any screenshots needed then please allow for 48 hours for us to respond to you. Submissions that do not follow the reporting format may be ignored/closed without action.

If we have issue reproducing your vulnerability we will contact you for further details but this will delay your potential earning of a bounty.


Home -
Facebook -
Twitter -
Forum -
Reddit -
Discord -
Telegram -
YouTube -
GitHub -
Wiki -
Support -

Have more questions? Submit a request


Article is closed for comments.