Active Program · $5,000 flat · validated critical · Web · REST APIs · Exchange Aggregator · Trading Bots · API Key Vault

Bitsgap (bitsgap.com) Bug Bounty: $5,000 Each Validated Critical — Full Scope, Kill Chain Required

Bitsgap at https://bitsgap.com operates a crypto trading platform connecting retail and institutional users to 15+ major exchanges, offering automated trading bots, smart order routing, portfolio management, a signals marketplace, and API key vault storage for exchange integrations. The entire Bitsgap-operated perimeter is in scope, with no carve-out appendix. Every confirmed critical validated with a reproducible exploitation chain pays exactly $5,000 USD. The program prioritizes funds theft, database access, and admin access, the highest-impact vectors on the platform. Acceptance requires both a numbered attack-chain narration and evidence that the exploitation actually succeeds (replayable scripts, tampered balance or bot state, SSRF egress, broken authorization on tenant data, custody bypass traces); prose alone does not qualify for payout.

BountyHunter Editorial · Security Research Desk

Reading time: 8 min
Status: Live · Accepting reports
Critical payout: $5,000 USD · each validated report
Avg. triage: ~72h (regulated platform pattern)
Attack surface: Full (no perimeter carve-outs)
Priority targets: 3 (funds theft · DB access · admin access)

01 — Overview

Platform surfaces worth pressure-testing

Bitsgap routes authenticated user sessions through web UIs and REST APIs, orchestrates automated trading bots across 15+ connected exchanges, stores exchange API keys in its vault, processes subscription billing, emits real-time market data, and manages user portfolios. If any boundary slips, that is fertile ground for API key theft, bot hijacking and fund misdirection, database access escalation, admin panel compromise, and cross-account state corruption. This playbook rewards only the highest-impact, fully demonstrated criticals; each earns $5,000.

In scope materially: every HTTP(S) origin answering for bitsgap.com and delegated subdomains, REST and WebSocket APIs, trading bot engine endpoints, exchange API key management surfaces, portfolio management APIs, admin panels, user profile and subscription systems, signals marketplace APIs, mobile app API backends, and any staging or preview shards Bitsgap labels.
Civil exclusions only: mass harassment, ransomware against unrelated third parties, laundering. Not product carve-outs.

Minimum evidence bar (non-negotiable):

  1. A narrative kill chain tying root cause → exploit steps → observable impact.
  2. Proof that the attack succeeds (replayable scripts, fixture logs, Burp/HAR with matched responses).

Narratives without a working exploitation path are graded below the payout threshold.

02 — Why this matters

Why probe Bitsgap?

Flat $5K critical payouts

Validated critical exploits with reproducible payloads earn exactly $5,000 USD — single paid tier on this ledger.

API key vault — high-value target

Bitsgap stores exchange API keys with withdrawal and trading permissions. A vault bypass or IDOR on key storage yields direct fund-level access across connected exchanges.

Trading bot engine — trust boundary

Automated bots execute trades using user API keys. A bot manipulation, order injection, or state corruption attack can drain balances across integrated exchanges in minutes.

03 — Rewards

$5,000 per validated critical — no tiers, no games

Every confirmed critical vulnerability submitted against an in-scope Bitsgap surface earns exactly $5,000 USD. There is no sliding scale, no triage-negotiated downgrade, and no "informative" bait-and-switch. If your submission demonstrates a complete kill chain with reproducible exploitation evidence, it pays the full critical rate.

The program specifically accelerates submissions targeting:

  • Funds theft — unauthorized withdrawal, balance manipulation, trade reroute, exchange API key exfiltration
  • Database access — SQL injection, NoSQL injection, backup exposure, direct DB connection leaks, data dump via SSRF
  • Admin access — admin panel authentication bypass, privilege escalation, session hijacking, admin API key compromise

Priority review: Submissions tagged #funds-theft, #db-access, or #admin-access receive expedited triage, typically within 48 hours of submission.

04 — Scope

What's in scope

This bounty covers the full Bitsgap-operated perimeter. If Bitsgap builds it, brands it, or operates it under bitsgap.com or any delegated origin, it is in scope.

Primary targets (in scope)

  • bitsgap.com — main web application (dashboard, bots, portfolio, settings)
  • app.bitsgap.com — trading application interface and authenticated API
  • api.bitsgap.com — REST and WebSocket API endpoints
  • Exchange API key vault — key storage, encryption, access control surfaces
  • Trading bot engine — bot creation, configuration, execution, and state management
  • Portfolio management — balance aggregation, transaction history, P&L tracking
  • Signals marketplace — signal provider profiles, subscription, and relay endpoints
  • User authentication & session management — login, SSO, OAuth, API tokens
  • Admin panels — any Bitsgap-administered dashboards and control interfaces
  • Payment & billing — subscription plans, invoices, payment method storage
  • Mobile app API backends — iOS/Android API surfaces

Explicit critical vectors (in scope)

  • SQL / NoSQL injection yielding database access or data exfiltration
  • IDOR or broken access control on API keys, bots, portfolios, or user data
  • Admin authentication bypass, privilege escalation, or session hijacking
  • SSRF or server-side request tampering enabling internal network pivot
  • Insecure direct object reference exposing user exchange API keys
  • RCE or code execution on Bitsgap servers
  • Database backup exposure via misconfigured storage or directory traversal
  • Cross-account trading bot hijacking or trade misdirection

05 — Full-scope policy

"Full scope" means full scope

This playbook refuses "only these SKU endpoints." Staging shards, mirrored environments, admin panels, feature-flag planes, SMTP bridges, and automation hooks that Bitsgap operates are all bounty eligible when critical impact is reproducible.

  • Every apex / vanity hostname routing through the Bitsgap edge; include routing evidence in your chain write-up.
  • Mobile app API backends and SDK artifacts Bitsgap ships toward production
  • Real-time WebSocket market data and bot execution streams Bitsgap operates
  • Third-party exchange integration bridges Bitsgap maintains (Binance, Coinbase, Kraken, Bybit, OKX, etc.)

Legal floor (not a bounty reduction): harassment, indiscriminate ransomware, and laundering remain barred even though the technical surface is maximal.

06 — Rules

Rules of engagement

  1. Prove exploitation success. Ship artefacts a third party can rerun: scripted curl flows, Burp/HAR exports, SSRF egress captures, API key exfiltration scripts with verified state mutation.
  2. Articulate the kill chain at hop granularity. Number each hop: auth boundary → abused endpoint → escalation → monetizable damage (API key theft, bot hijack, DB dump, admin takeover…).
  3. Document blast radius responsibly. Quantify the users or accounts affected, even when the chain was exercised only on staging mirrors that faithfully reproduce routing and auth.
  4. Encrypt and ship privately. Use the sanctioned intake on bitsgap.com (see the submit section) before broadcasting exploit details.
  5. Honor duplicate fairness. On collisions, the first fully qualifying chain with reproducible exploitation wins the payout.

07 — Submit

How to submit a report

Start from the security / disclosure contact published at bitsgap.com. If the standard intake is unavailable, fall back to the editorial channel below.

Editorial intake (fallback)

Send encrypted submissions to the BountyHunter editorial desk:

PGP key 0xBOUNTYHUNTER — request via secure channel

Include [Bitsgap-Critical] in the subject line.

What gets rejected outright: automated scanner dumps without chain analysis, out-of-scope properties, submissions lacking exploitation proof, mass-spray reports without manual validation.

08 — Example

Python vignette · pair with a reproducible API exploit replay

Pseudocode for an API key vault endpoint that trusts client-supplied user IDs without an ownership check. On its own it is worthless; it must be paired with traces proving that calls against bitsgap.com actually read or mutate protected state.

Python · illustrative misuse

```python
# BUGGY: key vault endpoint trusts client-supplied user_id without ownership check
from flask import Flask, jsonify, request

app = Flask(__name__)
# `db` is an assumed database handle exposing a parameterised query() method;
# the page does not define it.


@app.route('/api/v1/keys', methods=['POST'])   # POST, matching the curl call below
def list_api_keys():
    body = request.get_json()
    uid  = body['user_id']          # attacker-controlled: NO ownership filter
    keys = db.query(
        "SELECT * FROM api_keys WHERE user_id = ?",   # parameterised, so not SQLi;
        [uid]                                          # the flaw is missing authorization
    )
    return jsonify(keys)

# curl -X POST https://bitsgap.com/api/v1/keys \
#   -H "Authorization: Bearer $ATTACKER_JWT" \
#   -H "Content-Type: application/json" \
#   -d '{"user_id": "victim-uuid-here"}'
# → returns victim's exchange keys with withdrawal permissions
```

Gating reminder: Missing kill chain granularity or lacking demonstrable exploitation success bumps the intake into "needs rework"; no payout until solved.

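For contrast with the vignette above, here is an added example (not Bitsgap's code, and not from this program) that models the same listing endpoint in plain Python beside a hardened version. The fix has three parts: the subject comes from the already-authenticated session rather than the request body, a body that names a different user is rejected rather than silently served (so the attempt is visible in logs), and a list endpoint returns key metadata only, never the secret material. `VAULT`, the user ids, the key ids and the secrets are constructed sample data.

```python
"""Ownership enforcement on an API-key listing endpoint (added example).

Models a vulnerable handler that reads user_id from the request body next to a
hardened handler that derives the subject from the verified session and
returns no secret material.  All data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    user_id: str
    exchange: str
    permissions: tuple
    secret: str          # withdrawal-capable material; must never leave via a list call


# Constructed sample vault contents for two tenants.
VAULT: List[ApiKey] = [
    ApiKey("k-1", "user-alice", "binance", ("trade", "withdraw"), "SECRET-ALICE"),
    ApiKey("k-2", "user-bob", "kraken", ("trade",), "SECRET-BOB"),
]


@dataclass(frozen=True)
class Session:
    """What the auth layer hands the handler after validating the bearer token."""
    user_id: str


def list_keys_buggy(session: Session, body: Dict) -> List[Dict]:
    """Mirror of the vulnerable handler: authorization keyed on body['user_id']."""
    uid = body["user_id"]                          # caller-controlled
    return [vars(k) for k in VAULT if k.user_id == uid]   # leaks secrets too


def list_keys_fixed(session: Session, body: Dict) -> List[Dict]:
    """Hardened: subject from the session, mismatching body rejected, metadata only."""
    uid = session.user_id                          # server-side identity
    if "user_id" in body and body["user_id"] != uid:
        # Deny loudly instead of quietly serving the caller's own keys: a
        # rejected mismatch is the signal a detection rule should alert on.
        raise PermissionError("user_id in body does not match session subject")
    return [
        {"key_id": k.key_id, "exchange": k.exchange, "permissions": list(k.permissions)}
        for k in VAULT
        if k.user_id == uid
    ]


def cross_tenant_leak(handler: Callable[[Session, Dict], List[Dict]]) -> bool:
    """True if a session for user-bob can obtain user-alice's secret via handler."""
    try:
        rows = handler(Session("user-bob"), {"user_id": "user-alice"})
    except PermissionError:
        return False
    return any(r.get("secret") == "SECRET-ALICE" for r in rows)


if __name__ == "__main__":
    print("buggy leaks across tenants:", cross_tenant_leak(list_keys_buggy))
    print("fixed leaks across tenants:", cross_tenant_leak(list_keys_fixed))
    print("alice's own view:", list_keys_fixed(Session("user-alice"), {}))
```

The `cross_tenant_leak` check is the shape of a regression test worth keeping in the service's suite: one tenant's session, another tenant's id in the body, assert that no secret comes back.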
09 — FAQ

Frequently asked questions

What constitutes a "critical" finding on Bitsgap?
Any vulnerability that leads to funds theft (unauthorized withdrawal, trade reroute, API key exfiltration), database access (SQL/NoSQL injection, backup exposure, direct data dump), admin access (privilege escalation, panel bypass, admin session hijack), or equivalent full system compromise. Must be demonstrated with a working exploitation chain.
Can I test on live production accounts?
Yes, but with proportional restraint. Preferred approach: create a secondary test account on Bitsgap with sandbox exchange API keys (Binance testnet, Coinbase sandbox) and demonstrate exploits against your own test resources first. Production account testing that causes harm to other users violates the safe harbor.
How do I handle API keys discovered during testing?
Never commit, share, or store discovered API keys. Document their exposure in your chain write-up, rotate them if they are your own test keys, and include the exposure evidence in your encrypted submission. Exposing third-party keys invalidates the safe harbor.
Does database access include read-only queries?
Yes. Read-only database access that yields user PII, exchange API keys, billing records, or internal configuration data qualifies as a critical under the database access category. Write access that modifies or deletes data escalates the finding further.
What about race conditions in trading bot execution?
Race conditions in the bot engine that enable trade misdirection, duplicate order placement, or fund lockup are in scope if exploitable. TOCTOU on balance checks, webhook ordering, or bot state transitions — demonstrate with a replayable concurrent script.
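The TOCTOU on a balance check that the answer above refers to, modelled as an added example (not Bitsgap code): a toy in-memory ledger with an unsafe debit path that checks the balance and writes it in two separate steps, beside a safe path that does the check and the write as one indivisible operation (the equivalent of `UPDATE accounts SET balance = balance - :amt WHERE balance >= :amt`). A cooperative scheduler interleaves two concurrent withdrawals step by step, so the race is reproducible every run and the fix is verifiable without relying on thread timing. The ledger, amounts and scheduler are all constructed for the illustration.

```python
"""Deterministic model of a TOCTOU race on a balance check (added example)."""
import threading
from typing import Generator, List, Tuple

Step = Generator[str, None, bool]   # a request: yields at context-switch points, returns success


class Ledger:
    def __init__(self, balance: int) -> None:
        self.balance = balance
        self._lock = threading.Lock()          # guards the atomic path under real threads

    def debit_unsafe(self, amount: int) -> Step:
        """Check-then-act with a window between the check and the write."""
        if self.balance < amount:
            return False                       # rejected on a fresh read
        yield "checked"                        # another request may run here
        self.balance -= amount                 # decision is now stale
        return True

    def debit_atomic(self, amount: int) -> Step:
        """Check and write under one lock, with no switch point in between."""
        with self._lock:
            if self.balance < amount:
                return False
            self.balance -= amount
        yield "done"                           # switching after the write is harmless
        return True


def run_interleaved(requests: List[Step]) -> List[bool]:
    """Round-robin scheduler: advance each pending request by one step per pass."""
    results: List[bool] = [False] * len(requests)
    pending = list(enumerate(requests))
    while pending:
        still = []
        for i, gen in pending:
            try:
                next(gen)
                still.append((i, gen))
            except StopIteration as stop:
                results[i] = bool(stop.value)
        pending = still
    return results


def demo(safe: bool) -> Tuple[List[bool], int]:
    """Two concurrent withdrawals of 80 against a balance of 100."""
    ledger = Ledger(100)
    make = ledger.debit_atomic if safe else ledger.debit_unsafe
    results = run_interleaved([make(80), make(80)])
    return results, ledger.balance


if __name__ == "__main__":
    print("unsafe:", demo(False))   # both succeed, balance goes negative
    print("atomic:", demo(True))    # second withdrawal rejected
```

In the unsafe path both requests pass the check before either writes, so both succeed and the balance ends at -60. In the atomic path the second request sees the already-debited balance and is rejected. In a real service the same property comes from a conditional `UPDATE ... WHERE balance >= :amt` (checking the affected row count) or a row lock held across the read and the write, not from an application-level check followed by a separate write.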
Does the program cover the exchange integration bridges?
Yes — the bridges Bitsgap maintains to connect to Binance, Coinbase, Kraken, Bybit, OKX, and other exchanges are in scope. A vulnerability that intercepts, replays, or modifies signed API requests between Bitsgap and an integrated exchange qualifies for the critical bounty.