Our team of experts make every effort to deliver high-quality fintech products and technologies to the crypto community. However, there is always room for improvement and we'd like to partner with responsible security researchers in continuing our effort to keep our clients safe. For severe vulnerabilities, we offer monetary rewards.
Responsible Disclosure Policy
You disclose responsibly if you:
- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit, written permission of the account holder that you can provide to HaasOnline.
A valid report is any in-scope report that clearly demonstrates a software vulnerability that harms HaasOnline or HaasOnline customers. A report must be valid and in scope to qualify for a bounty. HaasOnline will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.
Bounty Rules
Adhere to the Responsible Disclosure Policy above
- Do not attempt to gain access to another user's account or information (use your own test accounts)
- Report only original and previously undisclosed bugs
- Do not disclose a bug publicly before it has been triaged or fixed
- Do not use scanners or automated tools to find bugs
- Interacting with customers is forbidden
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
- Do not attack the reliability or integrity of our services (e.g, no DDoS attacks, blackhat SEO techniques, spamming, or similar questionable acts)
- Employees of HaasOnline and its subsidiaries are ineligible
If not properly addressed or have questions, please contact us for clarification.
Services in Scope
Services provided on the following domains by HaasOnline are eligible for our Bug Bounty Program:
- haasonline.com
- HaasOnline TradeServer Cloud
- app.haasstage.com
- app.haasbot.com
- HaasOnline APIs
Note: Upon request we will provide temporary licenses/subscriptions for you to test with.
Services provided on independent domains like help.haasonline.com and wiki.haasonline.com are not included in the bounty program, though HaasOnline could give bounties at our sole discretion for reports on subdomains that lead to a critical vulnerability on the main website or services.
Qualifying Bugs
Any design or implementation issue that could result in substantial financial loss, data breach, or service degradation is within scope including, but not limited to:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF/XSRF)
- Authentication or authorization flaws
- Server-side code execution bugs
- Remote code execution
- Leakage of sensitive data
- Licensing or subscription bypass
- Local file inclusion
Non-Qualifying Bugs
Depending on their impact, some disclosures may not qualify. Vulnerabilities in the following areas are examples of common exclusions:
- Software packages not produced by HaasOnline, including WordPress
- Domains hosted by third parties
- HaasOnline branded services operated by third parties
- HaasOnline open-source projects or community created content
We generally are not interested in the following problems:
- Any vulnerability with a CVSS 3 score lower than
4.0, unless it can be combined with other vulnerabilities to achieve a higher score. - Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.
- Form rate limits, captcha,
- Disclosures which are not actually bugs will not be awarded. For instance the absence of explicit "security" flag on cookies because we use HTTP Strict-Transport-Security
- Self-XSS. Only the cases where a less-privileged user is able to execute XSS attacks on a higher-privileged user will be under the bug bounty scope.
- Open API endpoints serving public data (Including usernames and user IDs)
- Path disclosures for errors, warnings, or notices
- Mixed content warnings for passive assets like images and videos
- Lack of HTTP security headers (CSP, X-XSS, etc.)
- Output from automated scans – please manually verify issues and include a valid proof of concept.
- Clickjacking with minimal security implications
- Theoretical vulnerabilities where you can’t demonstrate a significant security impact with a PoC.
Other
- Bounties are awarded at the sole discretion of HaasOnline
- Multiple bounties will not be awarded for variations or multiple instances of the same bug
- Duplicate entries will only be awarded to the first submission
Reward Guidelines
Our program loosely uses the Bugcrowd VRT for prioritizing and rewarding disclosed vulnerabilities.
We pay monetary rewards for valid P1 (Critical) and P2 (Severe) findings, with a particular focus on issues that compromise user accounts or expose customer data. Examples that qualify include:
- PII Leakage / Exposure (P1) – any unauthenticated or cross-account disclosure of customer data such as email addresses, names, billing details, license keys, API keys, or trading credentials
- Authentication Bypass (P1) – logging in as another user without their credentials, or accessing authenticated resources without a valid session
- Disclosure of Secrets (P1) – exposed API tokens, signing keys, database credentials, or similar secrets on a public asset
- Account Takeover (P2) – OAuth/SSO misconfiguration, password reset flaws, or session handling bugs that let an attacker take control of another user’s account
Lower-priority findings (P3–P5) typically do not receive a monetary payout but are still appreciated and may be acknowledged at our discretion.