Bug Bounty Program

We take the privacy and security of our clients seriously and are always interested in finding security vulnerabilities so that we can address and fix them. If you find a bug, we encourage you to submit your findings, which may be rewarded as part of a bug bounty.

Your contribution not only protects our users but also makes you an important partner in the continuous improvement of our security standards.

Before submitting any potential findings, please review the following guidelines carefully.

Guidelines

1. Qualifying Submissions

We will consider bounty rewards for disclosures that meet all the following criteria:

  • Include a proof of concept demonstrating how the issue can be exploited.
  • Directly impact user data confidentiality, integrity, or availability.
  • Fall within our in-scope assets, as defined in Section 2.

2. Scope & Testing Rules

Scope

  • Testing is limited to the services operated by 21bitcoin, including the mobile application and websites. We especially encourage you to test our mobile app since it is our core product.
  • Only use accounts that belong to you personally for testing purposes.
  • Other users must not be harmed or affected by your tests.

Prohibited Testing Methods

The following methods are not permitted (this list is non-exhaustive):

  • Brute-force attacks
  • Clickjacking or UI redressing
  • Phishing or social engineering attacks
  • Denial-of-Service (DoS) or resource exhaustion
  • Automated vulnerability scans without explicit permission
  • Physical intrusion or tampering with infrastructure

If your report falls into one of these categories, it will likely not be eligible for a reward.

3. Non-Rewardable Reports

We do not reward submissions that involve:

  • General best-practice feedback, such as missing security headers or outdated libraries.
  • Any issues listed in Google’s list of non-qualifying reports.
  • Vulnerabilities discovered solely through automated tools without manual verification.

4. Responsible Disclosure & Industry Standards

To ensure a smooth and effective disclosure process, please adhere to the following best practices and industry standards:

4.1 Safe Harbor

  • We grant you permission to test in-scope assets in good faith. No legal action will be taken against you for legitimate vulnerability research conducted according to these rules.

4.2 Reporting Requirements

  • Provide clear, reproducible steps and include any scripts or payloads used. This should either be captured as a screen recording (.mp4) or in the description of the vulnerability.
  • Assign a severity rating (e.g., Common Vulnerability Scoring System v3 – CVSSv3) to help us prioritize your submission.
  • Specify the environment (production, staging, mobile app, API endpoints) where the issue was observed.

4.3 Disclosure Timeline

  • We strive to acknowledge your report within 72 hours and to resolve or remediate critical issues within 30 days of verification.
  • Please allow up to 60 days before public disclosure, or longer if necessary for complex fixes.

4.4 Communication & Follow-Up

  • Use our dedicated disclosure channel by completing the submission form below.
  • Notify us immediately at security@fior.digital if additional information becomes available or if you discover related issues.

4.5 Data Protection & Privacy

  • Do not exfiltrate real user data. If you inadvertently access sensitive information, stop testing and report it immediately.
  • Any PII encountered must be treated confidentially and deleted from your records once verified.

Important: Any actions that restrict or harm 21bitcoin or its users are not permitted.

How to report a bug

Fill out the form below to report an error: