To show its appreciation for external contributions, Deribit maintains a Bug Bounty Program of rewards for security vulnerabilities. Please note, Deribit continuously pushes out new code. In the event you don't find anything today, there may be something present tomorrow. This is a great opportunity for Deribit and the researcher community to work together to find vulnerabilities!
Responsible Disclosure Policy
You disclose responsibly if you:
• Give us a reasonable time before disclosing the vulnerability
• Make a good faith effort to not interrupt or degrade our service
• Do not defraud or harm Deribit or its users during your research
If you do your best to follow these guidelines in discovering and disclosing a vulnerability, we won't take any legal action against you. We will do our best to respond to your submission as quickly as possible, keep you updated on the fix, and award a bounty where appropriate.
Bounty Rules
• Adhere to the Responsible Disclosure Policy above
• Do not attempt to gain access to another user's account or information (use your own test accounts)
• Report only original and previously undisclosed bugs
• Do not disclose a bug publicly before it has been fixed
• Do not use scanners or automated tools to find bugs
• Interacting with real customers is forbidden
• Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
• Do not attack the reliability or integrity of our services (e.g., no DDoS attacks, blackhat SEO techniques, spamming, or similar questionable acts)
• Employees of Deribit and its subsidiaries are ineligible
• Residents of U.S. sanctioned countries (Cuba, Iran, Sudan, Syria and North Korea) are ineligible
• If in doubt, please email us at support@deribit.com
Services in Scope
Services provided by Deribit on the following domains are eligible for our Bug Bounty Program: www.deribit.com, all Deribit APIs in production, and our mobile app. Services provided on independent (sub)domains such as test.deribit.com and docs.deribit.com are not included in the bounty program, although Deribit may, at its sole discretion, also award bounties for reports on such subdomains.
Qualifying Bugs
Any design or implementation issue that could result in substantial financial loss, data breach, or service degradation is within scope, including, but not limited to:
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF/XSRF)
• Mixed-content scripts
• Authentication or authorization flaws
• Server-side code execution bugs
• Remote code execution
• Accounting errors
• Clickjacking
Non-Qualifying Bugs
Depending on their impact, some disclosures may not qualify. Vulnerabilities in the following areas are examples of common exclusions:
• Software packages not produced by Deribit
• Domains hosted by third parties
• Deribit-branded services operated by third parties
• Deribit open source projects (see https://github.com/deribit)
Other Exclusions
• "Bugs" which are not bugs will not be awarded, such as the absence of an explicit "security" flag on cookies, because we use HTTP Strict-Transport-Security
• Bounties are awarded at the discretion of the Deribit Team
• Multiple bounties will not be awarded for variations or multiple instances of the same bug
• Duplicate entries will only be awarded to the first submission
How to Disclose
Disclose a vulnerability by sending an email with your bug report to support@deribit.com, with a copy to dev@deribit.com. A bug report should include a description of the bug, reproduction instructions, and the security impact (low, medium, high, critical). Deribit may award greater bounties for well-done reports. All bounties are payable only in bitcoin.
Reward Guidelines
The following guidelines give you an idea of what we usually pay out for different classes of bugs. For everything not listed below, this program follows the Bugcrowd VRT (https://bugcrowd.com/vulnerability-rating-taxonomy) for prioritizing issues.
| Priority | Minimum Payout | Maximum Payout |
| --- | --- | --- |
| P1 | $1000 | $5000 |
| P2 | $800 | $1500 |
| P3 | $200 | $400 |
| P4 | $50 | $150 |
| P5 | $0 | $0 |