Active Program · $5,000 flat · validated critical · Web · REST APIs · Order Books · Custody · Withdrawals · Trading

ALT5 Sigma (alt5sigma.com) Bug Bounty: $5,000 Each Validated Critical — Full Scope, Kill Chain Required

ALT5 Sigma at https://www.alt5sigma.com/ operates a global crypto exchange and trading platform — serving retail and institutional traders with REST/WebSocket APIs, spot and derivatives order books, multi-asset custody, deposit/withdrawal pipelines, real-time market data, and advanced trading interfaces. The entire ALT5 Sigma-operated perimeter is in-scope with no artificial carve-out appendix. Every confirmed critical validated with a reproducible exploitation chain pays exactly $5,000 USD. Acceptance requires both a numbered attack chain narration and evidence that the exploitation actually succeeds (replayable scripts, tampered order or balance state, SSRF egress, broken authz on trading accounts, custody bypass traces — prose alone collapses payouts).

BountyHunter Editorial · Security Research Desk

Reading time: 8 min
Status: Live · Accepting reports
Critical payout: $5,000 USD · each validated report
Avg. triage: ~72h (exchange pattern)
Blast radius: Critical funds · custody · APIs
Scope: all ALT5 Sigma-operated stacks
Proof bar: Chain + PoC kill chain · attack succeeds
01 — Overview

Exchange surfaces worth pressure-testing

ALT5 Sigma routes authenticated trader sessions through web UIs and APIs, matches orders on central limit order books, processes multi-asset crypto deposits and withdrawals, custodies hot and cold wallets, emits real-time WebSocket market data, and enforces trading limits and risk controls — fertile ground for broken access control, order-book manipulation, withdrawal bypass, and cross-account state corruption if any boundary slips. This playbook rewards only highest-impact, fully demonstrated criticals — each earns $5,000.

In scope materially: every HTTP(S) origin answering for alt5sigma.com and delegated subdomains, WebSocket streams they operate, order-matching engines, custody wallets, fiat/crypto gateway integrations, risk-control and compliance pipelines, mobile app API backends, trading UIs, and any staging or preview shards ALT5 Sigma labels.
The only exclusions are legal ones: mass harassment, ransomware against unrelated third parties, money laundering. These are not product carve-outs.

Minimum evidence bar — non-negotiable:
  1. Narrative kill chain tying root cause → exploit steps → observable impact
  2. Proof the attack succeeds (replayable scripts, fixture logs, Burp/HAR with matched responses)
Narratives without a working exploitation path are graded below payout threshold.
02 — Why this matters

Why probe ALT5 Sigma?

Flat $5K critical payouts

Validated critical exploits with reproducible payloads earn exactly $5,000 USD — single paid tier on this ledger.

Custodial funds at stake

A single custody bypass or withdrawal authz gap can drain hot wallets — the blast radius is measured in real user funds, not fictional tokens.

No fake micro-scope list

If ALT5 Sigma can patch or configure it — from matching engines to custody rails — testers escalate until severity lands.

Responsible disclosure halo

Demonstrated exploits with airtight chains earn coordinated publication credit after fixes ship.

03 — Reward

$5,000 per validated critical

There is exactly one bounty amount that maps to payouts on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows must exhibit (a) attacker-readable kill-chain storytelling and (b) objective proofs of successful exploitation replayable by ALT5 Sigma responders (Burp transcripts, scripted API sequences, SSRF egress captures, custody-bypass traces…).

Critical $5,000 USD ea.

Mass account takeover or org-wide authz bypass; order-book or balance manipulation at scale; withdrawal or custody authz bypass; persisted RCE in ALT5 Sigma web or API origin; SSRF/cloud metadata pivot through exchange workers they expose.

  • Cross-account data exfiltration or fund transfer without consent
  • Critical integrity break in order matching, settlement, or balance updates
  • Break-glass SSRF from ALT5 Sigma infra to internal cloud metadata
Operational truth: If you can't yet prove the exploitation lands inside ALT5 Sigma's boundary, tighten your staging mirror until HTTP/trace logs objectively show attacker success — triage shelves "might work" theories.
04 — Scope inventory

Illustrative map (non-exhaustive)

These rows impose no limits; they are shorthand for tagging reports. Anything ALT5 Sigma hosts, matches, custodies, verifies, or broadcasts counts as bounty ground even if undocumented here. Do not read "not listed" as "out of scope": the default stance is open scope across ALT5 Sigma.

| Surface                                                        | Class        | Critical payout          |
|----------------------------------------------------------------|--------------|--------------------------|
| alt5sigma.com, *.alt5sigma.com, HTML/JS/CSS, PWAs              | Web · CDN    | $5,000 / validated bug   |
| REST/WebSocket APIs · order books · trading engine             | Backend      | $5,000 / validated bug   |
| Deposit/withdrawal flows · custody · fiat/crypto gateways      | Finance      | $5,000 / validated bug   |
| KYC/compliance pipelines · admin consoles · operator tooling   | Infra · Ops  | $5,000 / validated bug   |
05 — Scope policy

Everything ALT5 Sigma operates — no exclusions list

This playbook refuses "only these SKU endpoints." Staging shards, mirrored environments, admin panels, feature-flag planes, SMTP bridges, automation hooks ALT5 Sigma patches — all bounty eligible when critical impact is reproducible.

  • Every apex / vanity hostname routing through ALT5 Sigma edge — claim routing evidence in your chain write-up.
  • Mobile app API backends and SDK artifacts ALT5 Sigma ships toward production
  • Real-time WebSocket market data streams they operate
  • Partner OAuth or API-key consent surfaces ALT5 Sigma operates
Legal floor (not bounty shrink): harassment, indiscriminate ransomware, laundering — still barred even though technical surface is maximal.
06 — Rules

Rules of engagement

  1. Prove exploitation success. Ship artefacts that third parties can rerun: scripted curl flows, Burp/HAR exports, SSRF egress captures, custody-bypass scripts with verified state mutation.
  2. Articulate kill chain granularity. Number each hop: auth boundary → abused endpoint → escalation → monetizable damage (ATO, cross-account bleed, withdrawal reroute, infra takeover…).
  3. Responsible blast radius documentation. Quantify users or accounts affected even when exercised only on staging mirrors that replicate routing and auth faithfully.
  4. Encrypt & ship privately. Use sanctioned intake on alt5sigma.com (see submit section) before broadcasting exploit details.
  5. Honor duplicate fairness. First fully qualifying chain + reproducible exploitation wins treasury on collisions.
07 — Submit

How to submit a report

Start from the security / disclosure contact publicly listed on alt5sigma.com (security@alt5sigma.com is a common pattern — verify on the vendor site before sending). The mandatory sections are laid out in the template below.

Report Template
# Title
[Critical][Exploit-Proven] <tight title>

# Executive summary — impact in one paragraph

# Severity self-classification → must map to ALT5 Sigma critical definitions above

## Attack chain narrative (numbered, no gaps)
1. Preconditions (session / API key / account context)
2. Entry primitive — exact HTTP verb/path/query/body
3. Pivot(s) chaining trust escalation
4. Final hop → ATO / cross-account damage / withdrawal reroute / infra takeover equivalent

## Successful exploitation evidence
• Replayable script + truncated responses showing impact
• HAR / Burp with unauthorized state change
• Withdrawal or custody logs proving forged operation accepted

## Reproduction package
Commands + fixtures + pinned SHAs

## Disclosure ack
Responsible channel only until ALT5 Sigma clears publication coordination
Gating reminder: Missing kill chain granularity or lacking demonstrable exploitation success bumps the intake into "needs rework" — no payout until solved.
08 — Example

Python vignette · pair with reproducible API exploit replay

Pseudocode for a withdrawal endpoint whose authz check trusts an unvalidated, client-supplied account ID. On its own this is useless as a report: it pays only with traces proving that unauthorized alt5sigma.com calls actually mutate protected state.

Python · illustrative misuse
from flask import Flask, request   # db, broadcast_tx, InsufficientFunds: exchange-side helpers assumed to exist

app = Flask(__name__)

# BUGGY: withdrawal endpoint trusts client-supplied account_id without ownership check
@app.route('/api/v1/withdraw', methods=['POST'])
def withdraw():
    body = request.get_json()
    acct = body['account_id']      # attacker-controlled; never bound to the authenticated session
    amt  = body['amount']
    addr = body['address']
    if not db.has_funds(acct, amt):   # balance check only, against whatever account the caller named
        raise InsufficientFunds()
    db.debit(acct, amt)
    broadcast_tx(addr, amt)       # attacker withdraws victim's funds
    return {'status': 'ok'}       # a Flask view must return a response; the buggy path still pays out
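The ownership check the snippet above is missing, as an added example that is not part of this page or ALT5 Sigma's code: the account named in the request is honoured only when server-side state says the authenticated session owns it, and the funds check is deferred until after authz so a non-owner learns nothing about another account's balance. The in-memory ledger, account ids, addresses and session user are constructed stand-ins for the exchange's real `db` and `broadcast_tx`.

```python
# Added example (not ALT5 Sigma code): the withdraw handler above with the
# account bound to the authenticated session. Ledger, ids and session are stand-ins.
from dataclasses import dataclass, field

class AuthzError(Exception):
    """Caller does not own the named account, or it does not exist."""

class InsufficientFunds(Exception):
    pass

@dataclass
class Ledger:
    # account_id -> [owner_user_id, balance]; constructed in-memory stand-in for `db`
    accounts: dict
    broadcasts: list = field(default_factory=list)  # stand-in for broadcast_tx()

    def owner_of(self, acct):
        row = self.accounts.get(acct)
        return row[0] if row else None

def withdraw(ledger, session_user, body):
    """Hardened handler: account_id is honoured only if the session owns it."""
    acct = body["account_id"]
    # FIX 1: ownership comes from server-side state keyed by the authenticated session,
    # never from the client id alone; one generic error for "not yours" and "not found".
    if ledger.owner_of(acct) != session_user:
        raise AuthzError("account not found")
    amt = body["amount"]
    # FIX 2: reject bool/non-integer/zero/negative amounts before touching balances.
    if isinstance(amt, bool) or not isinstance(amt, int) or amt <= 0:
        raise ValueError("amount must be a positive integer")
    # Funds check runs only after authz so balances never leak to a non-owner.
    if ledger.accounts[acct][1] < amt:
        raise InsufficientFunds()
    ledger.accounts[acct][1] -= amt
    ledger.broadcasts.append((acct, body["address"], amt))
    return {"status": "ok", "account_id": acct, "amount": amt}

def demo():
    """Replay the cross-account request from the buggy snippet against the fix."""
    ledger = Ledger({"acct-victim": ["victim", 100], "acct-attacker": ["attacker", 5]})
    try:  # attacker session names the victim's account, as in the buggy handler
        withdraw(ledger, "attacker", {"account_id": "acct-victim", "amount": 100, "address": "addr-a"})
        blocked = False
    except AuthzError:
        blocked = True
    ok = withdraw(ledger, "victim", {"account_id": "acct-victim", "amount": 40, "address": "addr-v"})
    return {"blocked": blocked, "victim_balance": ledger.accounts["acct-victim"][1],
            "paid": ok["amount"], "broadcasts": len(ledger.broadcasts)}
```

In a report, the equivalent evidence is the before/after balance and the accepted broadcast for an account the session does not own; the fixed handler produces neither.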
09 — FAQ

Frequently asked questions

Is anything actually "out of scope" besides illegal stuff?

No discretionary product carve-outs — only universal legal/ethical lines. If ALT5 Sigma hosts, proxies, or documents a surface, testers escalate until triage disqualifies specifics.

Do speculative write-ups without a working exploit get paid?

No. $5K critical payouts require both narrative and evidence of successful attack replay. Theory-only stalls without compensation.

Are staging / dev nets fair game?

Yes, whenever ALT5 Sigma labels or operates them. Mirror production configs realistically where possible.

Duplicates?

First validated chain + reproducible exploitation wins; followers acknowledged only.

Lower severities rewarded?

Not under this $5K-flat critical playbook — escalate impact or accept acknowledgement without cash.

Critical chain + working exploit = $5,000

No narrow scope appendix — document the attack, prove it lands, file privately.