
HalalMM (halalmm.com) Bug Bounty: $5,000 Each Validated Critical — Full Scope, Kill Chain Required

HalalMM at https://halalmm.com/ operates as a middleman / escrow platform: P2P trade mediation, dispute resolution, deposit holds, release triggers, fee splitting, API-driven automation, webhook callbacks, chat and support surfaces, admin review consoles — the entire HalalMM-operated perimeter is in-scope with no artificial carve-out appendix. Every confirmed critical validated with a reproducible exploitation chain pays exactly $5,000 USD. Acceptance requires both a numbered attack chain narration and evidence that the exploitation actually succeeds (replayable scripts, tampered escrow state, unauthorized release traces, balance drift — prose alone collapses payouts).

BountyHunter Editorial
May 22, 2026 ·
#HalalMM #halalmm.com #Middleman #BugBounty
01 — Overview

Escrow & mediation surfaces under stress

HalalMM concentrates P2P trade creation, deposit holds, release authorization, dispute arbitration, fee accounting, chat mediation, admin overrides, and API-driven automation hooks — fertile ground for escrow theft, unauthorized release, dispute manipulation, and balance misaccounting the moment concurrency or authz weakens. This playbook rewards only highest-impact, fully demonstrated criticals — each earns $5,000.

The platform positions itself as a trusted middleman for crypto P2P trades: buyers deposit, sellers ship, HalalMM holds then releases. This design concentrates all custody risk into the escrow lifecycle — deposit tagging, hold ledger, release triggers, dispute overrides, fee splits — every link in that chain is a bounty-relevant attack surface. In scope materially: every host under halalmm.com and sibling subdomains they light up for P2P trading, API integrations, WebSocket trade feeds, mobile deep links, chat mediation, admin review consoles, notification workers, hot wallet policies, dispute automation.
The only exclusions are conduct rules, not endpoint lists: theft against counterparties outside the bounty program, harassment, and indiscriminate draining are off-limits.
Keep testing humane: avoid mainnet fund theft even where you could, and prove impact on isolated fixtures wherever possible.

Minimum evidence bar — non-negotiable:
  1. Kill chain from root cause → exploit steps → measurable loss or integrity break
  2. Proof the attack succeeds (replayed APIs showing unauthorized release, balance drift, dispute outcome tamper)
Narratives without replayable exploits stall below the payout threshold.
02 — Why this matters

Why pressure-test HalalMM?

Flat $5K critical payouts

Validated critical exploits with reproducible payloads earn exactly $5,000 USD — no spreadsheet bingo.

Full-scope trust boundary

Every endpoint HalalMM operates or delegates to is in-scope — no surprise carve-outs after you find a bug in a "grey area" subdomain.

Real custody risk

HalalMM holds P2P escrow funds — a successful exploit means actual balance loss, not just fake points. Every vulnerability that lets funds escape or get misdirected is a clear critical.

03 — Reward

The critical reward benchmark

$5,000 USD per validated critical
  • Flat rate — no haggling over severity tags
  • Payable on kill chain + successful attack reproduction
  • Duplicate-first policies: first qualified PoC wins
  • Lower severities considered — critical bar is highest

A critical on HalalMM means escrow bypass, unauthorized release of held funds, dispute outcome manipulation with financial impact, mass balance disclosure, or persistent admin account takeover — anything that lets an attacker steal, freeze, or misdirect funds held in escrow, tamper with trade arbitration, or escalate privileges to the operator panel.

04 — Scope

What's in scope

Target                                                  | Category  | Reward
halalmm.com, subdomains, web UI                         | Web       | $5,000 / validated bug
P2P trade & escrow APIs · deposit/release endpoints     | Backend   | $5,000 / validated bug
Escrow hold ledger · release triggers · fee accounting  | Custody   | $5,000 / validated bug
Dispute arbitration · admin overrides                   | Ops       | $5,000 / validated bug
Chat / mediation · notification workers                 | Messaging | $5,000 / validated bug
05 — Full Scope Policy

Everything HalalMM operates — no exclusions list

Sandbox escrow environments, canary wallet clusters, Grafana for dispute latency, Telegram/bot hooks for risk alerts, partner liquidity APIs fronted by HalalMM — all eligible when critical impact reproduces.

  • Vanity domains CNAME'd into the HalalMM edge; show DNS/traffic proof in your write-up
  • Escrow SDKs or bookmarklets HalalMM ships to traders
  • Colocated market-making containers they operate
  • Bridge or on-ramp callbacks verified with HalalMM-issued secrets
Legal floor (not bounty shrink): laundering, indiscriminate draining of unrelated liquidity venues, harassment — always off-limits even if endpoints tempt you.
06 — Rules

Rules of engagement

  1. Prove exploitation success. Provide scripts, HARs, parallel request captures, or signing traces showing fund/state impact — not paper analysis alone.
  2. Number your hops. Session/API primitive → escalation → escrow hold or release integrity break.
  3. Minimize real-user blast radius. Prefer mirrors, low-value accounts, and reversible payloads when demonstrating theft-class bugs.
  4. Private coordination first. Use official intake on halalmm.com before public threads.
  5. Duplicate fairness. First qualifying PoC wins; followers get acknowledged-only.
07 — Submit

How to submit a report

Use the security / vulnerability disclosure contact published on https://halalmm.com/ (security@halalmm.com is a common guess — verify on the live site before emailing).

All reports must include:

  1. Summary and type of vulnerability
  2. Numbered kill chain from entry to impact
  3. Proof of successful exploitation (HAR, replayable cURL, screenshots with evidence)
  4. Suggested remediation or hardening approach (optional but appreciated)
Pro tip: wrap your PoC in a Dockerfile or a shell script so the review team can replay it on a sandbox mirror. Self-contained reproductions get priority triage.
08 — Example

Escrow release race vignette · pair with parallel request logs

Illustrative race on escrow release + dispute check — worthless without request captures showing unauthorized fund release on halalmm.com.

TypeScript — Escrow Release Handler
// BUGGY: TOCTOU race — dispute check and release are not atomic
// db and wallet are the platform's persistence layer and hot-wallet client (not shown here)
async function releaseEscrow(tradeId: string) {
  const trade = await db.getTrade(tradeId);
  if (trade.status !== 'held') throw new Error('invalid state');

  // Race window: attacker sends 20 parallel releaseEscrow() calls here
  const isDisputed = await db.hasActiveDispute(tradeId);
  if (isDisputed) throw new Error('disputed');

  await wallet.send(trade.buyerAddress, trade.amount); // each parallel call sends full amount
  await db.updateTrade(tradeId, { status: 'released' });
}
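The same race modelled end to end, as an added example that is not HalalMM's code: an in-memory db and wallet (assumed shapes), the buggy handler from the vignette, and a hardened version that claims the `held → released` transition atomically before any funds move. The name `claimRelease`, the `Trade` shape and the addresses are illustrative assumptions; in a real store the claim is a conditional UPDATE or a row lock inside a transaction.

```typescript
type Trade = { id: string; status: 'held' | 'released'; buyerAddress: string; amount: number; disputed: boolean };
const tick = () => Promise.resolve(); // stands in for an async DB / wallet round-trip
// In-memory stand-ins for the page's db and wallet objects (assumed shapes, not HalalMM's API).
class MemDb {
  private trades: Record<string, Trade> = {};
  constructor(trades: Trade[]) { for (const t of trades) this.trades[t.id] = { ...t }; }
  async getTrade(id: string): Promise<Trade> { await tick(); return { ...this.trades[id] }; }
  async hasActiveDispute(id: string): Promise<boolean> { await tick(); return this.trades[id].disputed; }
  async updateTrade(id: string, patch: Partial<Trade>): Promise<void> { await tick(); Object.assign(this.trades[id], patch); }
  // Atomic check-and-claim: exactly one concurrent caller gets true. In a real store this is a conditional
  // UPDATE ... SET status='released' WHERE id=? AND status='held' AND NOT disputed (rows affected must be 1).
  async claimRelease(id: string): Promise<boolean> {
    await tick();
    const t = this.trades[id];
    if (t.status !== 'held' || t.disputed) return false;
    t.status = 'released';
    return true;
  }
}
class MemWallet {
  sends: { to: string; amount: number }[] = [];
  async send(to: string, amount: number): Promise<void> { await tick(); this.sends.push({ to, amount }); }
}

// BUGGY (same shape as the page's handler): check-then-act across awaits, so every concurrent caller passes.
async function releaseEscrowBuggy(db: MemDb, wallet: MemWallet, tradeId: string): Promise<void> {
  const trade = await db.getTrade(tradeId);
  if (trade.status !== 'held') throw new Error('invalid state');
  if (await db.hasActiveDispute(tradeId)) throw new Error('disputed');
  await wallet.send(trade.buyerAddress, trade.amount);
  await db.updateTrade(tradeId, { status: 'released' });
}

// FIXED: claim the state transition atomically before any funds move; losing callers never reach the wallet.
async function releaseEscrowFixed(db: MemDb, wallet: MemWallet, tradeId: string): Promise<void> {
  if (!(await db.claimRelease(tradeId))) throw new Error('not releasable');
  const trade = await db.getTrade(tradeId);
  // If send fails after the claim, the trade is 'released' with no payout: alert and reconcile, never retry blindly.
  await wallet.send(trade.buyerAddress, trade.amount);
}
type Handler = (db: MemDb, wallet: MemWallet, tradeId: string) => Promise<void>;
// Fire n concurrent releases of one held trade and return how many payouts the wallet actually made.
async function countPayouts(handler: Handler, n: number, disputed = false): Promise<number> {
  const db = new MemDb([{ id: 't1', status: 'held', buyerAddress: 'buyer-addr', amount: 100, disputed }]);
  const wallet = new MemWallet();
  const calls: Promise<void>[] = [];
  for (let i = 0; i < n; i++) calls.push(handler(db, wallet, 't1').catch(() => undefined));
  await Promise.all(calls);
  return wallet.sends.length; // buggy: n, fixed: 1
}
```

Twenty concurrent calls against the buggy handler produce twenty payouts of the full amount; against the fixed handler exactly one, and zero when the trade is disputed.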
09 — FAQ

Frequently asked questions

Is the entire halalmm.com domain in scope?

Yes. Any host, subdomain, or service that HalalMM operates or delegates to is in scope. If a vanity domain CNAMEs to their infrastructure and you can prove HalalMM controls it, it qualifies.

What about third-party services HalalMM depends on?

Third-party SaaS (hosting, CDN, email, analytics) used as-is is generally out of scope unless you can demonstrate that the vulnerability propagates to HalalMM's trust boundary. If HalalMM routes traffic through a middleware they control, that middleware is in scope.

What qualifies as a critical?

Escrow bypass enabling unauthorized release of held funds, dispute outcome manipulation causing financial loss, mass balance/identity disclosure, persistent admin account takeover, or any chain that lets an attacker steal or freeze funds held in HalalMM's custody.

Do lower-severity findings earn anything?

Lower findings are still reviewed and may earn discretionary rewards based on impact. The published $5,000 benchmark is guaranteed for validated criticals meeting the evidence bar.

Is social engineering allowed?

No. Testing against HalalMM staff or counterparties via phishing, vishing, or impersonation is strictly prohibited. Technical endpoint testing only.

Ready to probe HalalMM's escrow surfaces?

Find a critical? $5,000 is waiting. Full-chain, replayable exploits only.

Start at halalmm.com