Crypto Trading · AI Signals · 中文平台

Bitdo bitdo.ai/zh_CN

Bitdo at https://bitdo.ai/zh_CN operates as a Chinese-language crypto trading and AI signal analysis platform: real-time market data, AI-powered trading signals, exchange integrations, automated bot execution, portfolio management, and admin panels. The entire Bitdo-operated perimeter is in scope. Each critical with a reproducible chain pays $5,000 USD. A kill chain and a working exploit are mandatory. No fund theft against unrelated parties, laundering, or harassment: defensive coordinated research only.

$5,000 per critical
Chain + PoC kill chain · attack succeeds
01 — Overview

Chinese crypto trading & AI signal surfaces

Bitdo concentrates Chinese-language crypto trading tools: real-time market data aggregation, AI-driven signal generation, automated bot execution, exchange API integrations, portfolio tracking, and admin dashboards. That is fertile ground for API key theft, unauthorized trade execution, signal manipulation, database compromise, and admin account takeover. This playbook rewards only the highest-impact, fully demonstrated criticals; each earns $5,000.

Bitdo serves a significant Chinese-speaking user base, storing exchange API keys and trading configurations that can control substantial funds. A single SSRF, IDOR, SQLi, or authentication bypass on the platform can cascade into fund theft at scale. In scope: every host under bitdo.ai, the /zh_CN locale surface, AI signal infrastructure, bot execution engines, API integrations, WebSocket feeds, admin panels, and database surfaces. The only exclusions are legal ones: fund theft from unrelated third parties, laundering, and harassment. These are conduct bans, not an endpoint exclusion list.
Keep impact contained: prove it on isolated test accounts wherever possible.

Minimum evidence bar — non-negotiable:
1️⃣ Kill chain from root cause → exploit steps → measurable loss or integrity break  2️⃣ Proof the attack succeeds (replayed API calls showing fund movement, database exfiltration, or an admin boundary crossed). Narratives without a replayable exploit fall below the payout threshold.
02 — Why this matters

Why hammer Bitdo?

Flat $5K critical payouts

Validated critical exploits with reproducible payloads earn exactly $5,000 USD — no spreadsheet bingo.

Exchange API key exposure

Bitdo stores exchange API keys that may carry trade permission and, where the user granted it, withdrawal permission. A single SSRF, IDOR, or SQLi can cascade into real fund theft across connected Chinese and international exchanges. Note that a leaked trade-only key is still critical: without withdrawal rights an attacker can still drain an account by trading it into illiquid pairs against positions they control, so do not downgrade a key-leak finding because the key cannot withdraw.

Admin console blast radius

Admin panels on bitdo.ai may control user data, AI signal feeds, bot fleet configuration, and fund flows — full admin access is a top-tier finding worth $5,000.

03 — Critical reward

$5,000 per demonstrated critical

$5,000 USD
Critical

A critical finding is one that leads to database compromise, admin account or console access, draining of user funds (via stolen API keys, trade execution without consent, or signal manipulation), or any vulnerability enabling fund theft from the platform or its users.

  • SQL injection, NoSQL injection, or any DB access path that exfiltrates credentials, API keys, or user data
  • Authentication bypass granting admin-level access to the bitdo.ai control panel
  • Server-side request forgery (SSRF) exposing internal infrastructure, secrets, or database endpoints
  • Remote code execution (RCE) on bitdo.ai servers
  • IDOR or privilege escalation allowing access to other users' API keys, trade bots, or portfolios
  • Business logic flaws enabling unauthorized trade execution or fund movement across connected exchanges
04 — What's in scope

Scope & targets

Target                                                      Type      Reward
bitdo.ai, all subdomains, /zh_CN locale, web UI             Web       $5,000 / validated bug
AI signal APIs · trading bot engine · automation backend    Backend   $5,000 / validated bug
Exchange API key storage · trade execution engine           Custody   $5,000 / validated bug
Admin panels · user management · support rails              Ops       $5,000 / validated bug
User databases · portfolio storage · signal history         Data      $5,000 / validated bug
05 — Full-scope policy

If Bitdo operates it, it's in scope

Signal relay workers, bot execution daemons, monitoring dashboards, partner integration endpoints fronted by bitdo.ai — all eligible when critical impact reproduces.

  • Vanity domains CNAME'd into Bitdo edge — show DNS/traffic proof in your write-up.
  • Telegram/WeChat bot integrations that relay signals or accept trade commands
  • Colocated automation containers Bitdo operates
  • Staging or dev shards on bitdo.ai that mirror production
  • Chinese third-party service integrations (WeChat Pay, Alipay, etc.) exposed via Bitdo
Legal floor (this limits conduct, not scope): fund theft from unrelated third parties, laundering, indiscriminate draining of connected exchanges, and harassment are always off-limits, however tempting the endpoint.
06 — Rules

Rules of engagement

  1. Prove exploitation success. Provide scripts, HARs, parallel request captures, or signing traces showing fund/state impact — not paper analysis alone.
  2. Number your hops. Session/API primitive → escalation → treasury or book integrity break.
  3. Minimize real-user blast radius. Prefer test accounts, low-value targets, and reversible payloads when demonstrating theft-class bugs.
  4. Private coordination first. Use official intake on bitdo.ai before public threads.
  5. Duplicate fairness. The first qualifying PoC wins; later duplicates are closed as acknowledged, without reward.
07 — Submit

How to submit a report

Use the security / vulnerability disclosure contact published on https://bitdo.ai/zh_CN (security@bitdo.ai is a common guess — verify on the live site before emailing). Attach a clear kill-chain narrative along with replayable proof.

Unverifiable reports or those lacking demonstration of actual impact will be closed without reward.

Before submitting: verify the disclosure channel on the live bitdo.ai site. The bounty program page links to editorial guidance — always cross-reference against the platform's actual contact method.
08 — Example Report

What a critical submission looks like

Example only. This is an illustrative code snippet of a vulnerability class relevant to this platform. Actual findings must be demonstrated on the live target.
```javascript
const express = require('express');
const session = require('express-session');
const app = express();

// BUGGY: a single session middleware for the whole app, so an ordinary user's
// session cookie is accepted on /zh_CN/admin exactly as it is on the user surface.
app.use(session({
  secret: 'hardcoded-secret-2024', // committed to the repo: anyone with source can sign cookies
  cookie: { secure: true, httpOnly: true },
  // Missing: sameSite, and session regeneration on login / privilege change
}));

// BUGGY: no authorization check at all. Any request that reaches this handler,
// with a plain user session or none, receives every user's exchange API key.
async function getAdminDashboard(req, res) {
  const users = await db.findAll('users');      // db: the platform's data layer (assumed)
  const keys = await db.findAll('api_keys');    // plaintext key + secret rows
  res.json({ users, keys });
}

app.get('/zh_CN/admin/dashboard', getAdminDashboard);
```

A real submission would pair this with captured HTTP requests showing a plain user session (or an unauthenticated request) being accepted on the admin dashboard route, the JSON response containing other users' exchange API keys, and then one replayed, signed call to a connected exchange proving a stolen key is live, all against test accounts. The hardcoded session secret and missing sameSite attribute belong in the same write-up as secondary findings.

09 — FAQ

Frequently asked questions

What qualifies as a critical on Bitdo?

Any vulnerability that leads to database access, admin account takeover, unauthorized trade execution using other users' API keys, fund theft from the platform or its users, or compromise of signal infrastructure — all pay $5,000 with a valid kill chain.

Are staging/dev environments on bitdo.ai in scope?

Yes — any bitdo.ai subdomain or sibling host used for development, staging, or QA is in scope if the critical impact can be demonstrated.

Does the $5,000 cover all severities?

No. Only critical findings that meet the full evidence bar pay the flat $5,000. Lower-severity issues (XSS without impact chain, informational disclosures) may be acknowledged but do not qualify for the reward.

Are Chinese-language-specific vectors in scope?

Yes — WeChat integration endpoints, Chinese SMS/2FA bypass, locale-specific session handling, and any localization-specific attack surfaces are fully in scope for critical findings.

How is the reward paid?

BountyHunter Editorial coordinates the validated submission with the platform. Payment is in USD via the method agreed during validation. Expect 30-60 days for processing after confirmation.