
BitFix (bitfix.pro) Bug Bounty: $5,000 Each Validated Critical — Full Scope, Kill Chain Required

BitFix at https://bitfix.pro/ runs as a lightweight, non‑KYC‑style crypto exchange front-end: web/mobile trading shells, account sessions, REST + WebSocket market and order APIs, internal ledgers or balance projections, deposit/withdraw queues, hot‑wallet orchestration, rate limits, admin/risk consoles — collectively the entire BitFix-operated perimeter is in-scope with no artificial carve-out appendix. Every confirmed critical validated with a reproducible exploitation chain pays exactly $5,000 USD. Acceptance requires both a numbered attack chain narration and evidence that the exploitation actually succeeds (replayable scripts that move balances, duplicate withdrawals, poison order state, leak cross-user positions, SSRF into signing paths — prose alone collapses payouts). Researchers still owe lawful testing in their jurisdiction; “non‑KYC” describes product posture, not permission to break criminal rules.

BountyHunter Editorial · Security Research Desk

Status: Live · Accepting reports
Critical payout: $5,000 USD · each validated report
Avg. triage: ~48h (exchange-ops pattern)
Capital at risk: Extreme (balances · withdrawals · keys)
Scope: all BitFix-operated stacks
Proof bar: Chain + PoC kill chain · attack succeeds
01 — Overview

Exchange & custody surfaces under stress

BitFix concentrates open sessions, signed API keys, order-matching or synthetic book state, deposit tagging, withdrawal reconciliation, webhook or callback integrity, hot‑wallet policy thresholds, and staff tooling that can freeze or release funds — fertile ground for balance manipulation, cross-account bleed, and withdrawal races the moment concurrency or authz weakens. This playbook rewards only highest-impact, fully demonstrated criticals — each earns $5,000.

The venue markets itself as non‑KYC: onboarding friction stays purposefully low for traders, but that only increases reliance on session + custody correctness — not an invitation for testers to launder or harm unrelated custodial banks. In scope materially: every host under bitfix.pro and sibling subdomains they light up for trading/APIs, market-data WebSockets, mobile deep links, custody/bank integrations BitFix controls, historical market DB shards, risk cron jobs, signing services. Civil exclusions only: theft-as-a-service against counterparties outside the bounty program, harassment, indiscriminate ransomware — society-level bans, not endpoint lists.
Always keep sandbox mirrors humane: avoid mainnet fund theft even if you can; prove impact on isolated fixtures when possible.

Minimum evidence bar — non-negotiable:
  1. Kill chain from root cause → exploit steps → measurable loss or integrity break
  2. Proof the attack succeeds (replayed APIs showing balance drift, withdraw replay, admin boundary cross)
Narratives without replayable exploits stall below payout threshold.
02 — Why this matters

Why hammer BitFix?

Flat $5K critical payouts

Validated critical exploits with reproducible payloads earn exactly $5,000 USD — no spreadsheet bingo.

Trading + custody blast radius

Order APIs, WS books, withdraw workers — bugs cash out as silent drift until someone scripts the replay.

No fake micro-scope list

If BitFix can patch it — matching engine glue to wallet cron — testers escalate until severity lands.

Responsible disclosure halo

Demonstrated chains earn coordinated publication credit after fixes ship.

03 — Reward

$5,000 per validated critical

There is exactly one bounty amount on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows require attacker-readable kill chains and replayable exploitation artefacts (Burp exports, parallel withdraw harnesses, WS replay dumps, signing traces…).

Critical $5,000 USD ea.

Unauthorized withdrawals or balance inflation at scale; forging signed API/withdraw intents; universal read of other users’ positions or deposit history; break-glass access to signing or treasury policy; persisted RCE in trading or custody control plane; SSRF into HSM/KMS bridges BitFix exposes.

  • Cross-user ledger bleed, margin math desync, or duplicate settlement
  • Withdraw/deposit pipeline integrity break exploitable remotely
  • SSRF from BitFix workers to cloud signing metadata planes
Operational truth: If you can't yet prove the exploitation moves money state inside BitFix’s trust boundary, iterate on mirrors until logs objectively show success — triage shelves “maybe” theories.
04 — Scope inventory

Illustrative map (non-exhaustive)

Rows below do not cap surface. Anything BitFix hosts, signs, matches, settles, or withdraws through counts as bounty ground. “Not listed” ≠ “out-of-scope.”

| Surface | Class | Critical payout |
|---|---|---|
| bitfix.pro, *.bitfix.pro, trading UI & static assets | Web · CDN | $5,000 / validated bug |
| REST trade + account APIs · FIX/websocket feeds if exposed | Backend | $5,000 / validated bug |
| Deposit watchers · withdrawal queues · custody policy workers | Custody | $5,000 / validated bug |
| Risk/admin consoles · support impersonation tooling | Ops | $5,000 / validated bug |
05 — Scope policy

Everything BitFix operates — no exclusions list

Sandbox order books, canary wallet clusters, Grafana for matching latency, Telegram/bot hooks for risk alerts, partner liquidity APIs fronted by BitFix — all eligible when critical impact reproduces.

  • Vanity domains CNAME’d into BitFix edge — show DNS/traffic proof in your write-up.
  • Wallet connector SDKs or bookmarklets BitFix ships to traders
  • Colocated market-making containers they operate
  • Bridge or on-ramp callbacks verified with BitFix-issued secrets
Legal floor (not bounty shrink): laundering, indiscriminate draining of unrelated liquidity venues, harassment — always off-limits even if endpoints tempt you.
06 — Rules

Rules of engagement

  1. Prove exploitation success. Provide scripts, HARs, parallel request captures, or signing traces showing fund/state impact — not paper analysis alone.
  2. Number your hops. Session/API primitive → escalation → treasury or book integrity break.
  3. Minimize real-user blast radius. Prefer mirrors, low-value accounts, and reversible payloads when demonstrating theft-class bugs.
  4. Private coordination first. Use official intake on bitfix.pro before public threads.
  5. Duplicate fairness. First qualifying PoC wins; followers close acknowledged-only.
07 — Submit

How to submit a report

Use the security / vulnerability disclosure contact published on https://bitfix.pro/ (security@bitfix.pro is a common guess — verify on the live site before emailing). Template below.

Report Template
# Title
[Critical][Exploit-Proven] <tight title>

# Executive summary — trader/treasury impact in one paragraph

# Severity self-classification → must map to BitFix critical definitions above

## Attack chain narrative (numbered, no gaps)
1. Preconditions (session, API key tier, market symbol, account ID)
2. Entry primitive — HTTP/WS line + signature headers
3. Pivot(s) → privilege/order/withdraw escalation
4. Final hop → balance theft / forged payout / infra takeover equivalent

## Successful exploitation evidence
• Scripted replay showing ledger/withdraw impact
• Parallel request traces (race/double-spend)
• Custody or admin log lines proving attacker-forged intent accepted

## Reproduction package
Commands + fixtures + commit/patch SHAs

## Disclosure ack
Private channel only until BitFix clears publication
Gating reminder: Missing chain steps or lacking replayable exploitation bumps the ticket to rework — no payout until solved.
08 — Example

Node.js vignette · pair with reproducible withdraw replay

Illustrative race on debit + enqueue — worthless without packet captures proving two withdrawals settle from one balance on bitfix.pro.

Node · illustrative misuse

```javascript
// BUGGY: non-atomic balance check + debit — parallel wins double payout
async function requestWithdraw(userId, amount) {
  const bal = await db.getBalance(userId); // read
  // every concurrent call that reads before the first debit lands passes this check
  if (bal < amount) throw new Error('insufficient');
  await db.debit(userId, amount);            // write — needs DB lock / serializable txn
  await queue.enqueuePayout(userId, amount);
}
```
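To make the vignette above concrete for reviewers, the following is an added example (not BitFix's code and not part of the original page) that reproduces the check-then-debit race against a constructed in-memory ledger and places the hardened form beside it. The `Ledger` class, the `tick` helper that stands in for database round-trip latency, the `user-1` account and the starting balance are all constructed for this example. The fix, `debitIfSufficient`, performs the balance test and the debit as one step, which is what a conditional `UPDATE ... WHERE balance >= ?` inside a serializable transaction gives you in a real store; the harness reports how many withdrawals settled and what the final balance is, which is exactly the evidence pair (payouts queued vs. ledger state) a triage team looks for.

```javascript
// Added example, not BitFix code. Toy in-memory ledger used to demonstrate the race
// in the "buggy" requestWithdraw above and an atomic conditional debit that closes it.
// Every value here (ledger contents, user id, amounts) is constructed.

// Stands in for one database round trip: yields to the event loop so concurrent
// callers interleave the way they would against a real DB.
const tick = () => new Promise((resolve) => setImmediate(resolve));

class Ledger {
  constructor(balances) {
    this.balances = new Map(Object.entries(balances)); // userId -> balance
    this.payouts = [];                                  // what the payout worker would see
  }
  async getBalance(userId) { await tick(); return this.balances.get(userId) ?? 0; }
  async debit(userId, amount) {
    await tick();
    this.balances.set(userId, (this.balances.get(userId) ?? 0) - amount);
  }
  async enqueuePayout(userId, amount) { await tick(); this.payouts.push({ userId, amount }); }
  // Hardened primitive: test and debit happen in one synchronous step (no await between
  // them), equivalent to `UPDATE balances SET bal = bal - ? WHERE user = ? AND bal >= ?`
  // with the caller checking the affected-row count.
  async debitIfSufficient(userId, amount) {
    await tick();
    const bal = this.balances.get(userId) ?? 0;
    if (bal < amount) return false;
    this.balances.set(userId, bal - amount);
    return true;
  }
}

// Vulnerable: read, check, then write, with round trips in between.
async function requestWithdrawRacy(ledger, userId, amount) {
  const bal = await ledger.getBalance(userId);
  if (bal < amount) throw new Error('insufficient');
  await ledger.debit(userId, amount);
  await ledger.enqueuePayout(userId, amount);
}

// Hardened: the conditional debit is the only gate; nothing is enqueued unless it succeeded.
async function requestWithdrawAtomic(ledger, userId, amount) {
  const ok = await ledger.debitIfSufficient(userId, amount);
  if (!ok) throw new Error('insufficient');
  await ledger.enqueuePayout(userId, amount);
}

// Fire `parallel` concurrent withdrawals for one user and report what actually settled.
// A correct implementation never queues more payouts than the balance covers and never
// lets the final balance go negative.
async function raceWithdrawals(handler, startingBalance, amount, parallel) {
  const ledger = new Ledger({ 'user-1': startingBalance });
  const results = await Promise.allSettled(
    Array.from({ length: parallel }, () => handler(ledger, 'user-1', amount)),
  );
  return {
    accepted: results.filter((r) => r.status === 'fulfilled').length,
    rejected: results.filter((r) => r.status === 'rejected').length,
    finalBalance: await ledger.getBalance('user-1'),
    payoutsQueued: ledger.payouts.length,
  };
}

// Demo: five parallel withdrawals of the entire balance against each handler.
Promise.all([
  raceWithdrawals(requestWithdrawRacy, 100, 100, 5),
  raceWithdrawals(requestWithdrawAtomic, 100, 100, 5),
]).then(([racy, atomic]) => {
  console.log('racy  ', racy);   // accepted 5, finalBalance -400, payoutsQueued 5
  console.log('atomic', atomic); // accepted 1, finalBalance 0, payoutsQueued 1
});
```

Two things worth noting for a write-up. The racy handler fails even though `debit` itself is a single write, because all five reads complete before the first write lands; adding a lock around `debit` alone would not help. And the measurable artefact is the mismatch between `payoutsQueued` and the balance the account could cover, which is the same signal a reconciliation job between the ledger and the payout queue should alert on in production.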
09 — FAQ

Frequently asked questions

Is anything “out of scope” besides crime?

No discretionary product carve-outs — only legal/ethical bases. If BitFix routes traffic there, document the chain until triage rejects specifics.

Theory-only reports?

No payout. $5K demands reproducible success proof.

Staging fair game?

Yes when BitFix operates and labels it; mirror production auth & matching semantics.

Duplicates?

Fastest fully valid PoC wins treasury.

Lower severities?

Not under the $5K critical rubric — escalate impact or accept non-cash acknowledgement.

Critical chain + working exploit = $5,000

No narrow scope appendix — document the attack, prove it lands, file privately.