Clapp's Bug Bounty Program is LIVE!

Help us make Clapp the most secure crypto app out there! We’re inviting ethical hackers and security researchers worldwide to uncover vulnerabilities and keep our platform safe. Here's how to earn rewards for your skills.
Bug bounty scope
The following domain is in scope: *.clapp.finance
Non-intrusive submissions allowed
Feel free to submit vulnerabilities that do not require intrusive testing:
- Cross-Site Scripting (XSS)
- Open Redirect
- Cross-Site Request Forgery (CSRF)
- Improper Access Control
Bug Bounty Program rewards
We assess each report individually, depending on the type and impact of the flaws detected. Critical vulnerabilities will earn rewards at or above market rates, with payouts in crypto or fiat.
Strictly prohibited
- DDoS/DoS attacks
- Phishing or social engineering attacks against users
Out-of-scope vulnerabilities
(No rewards for these, but we still appreciate the heads-up!)
- SSL/TLS misconfigurations
- DDoS/DoS attacks
- Automated scanner reports without proof of impact
- Self-XSS (user-only impact)
- Missing security HTTP headers without demonstrated risk
- Session timeout/hijacking issues
- Outdated software without a working exploit
- Autocomplete attributes in forms
- Missing CSRF token in forms that cannot modify sensitive data (e.g. logout form)
- Window.opener issues
- Session hijacking and timeout
- Missing "secure", "SameSite", "HttpOnly" flags (non-sensitive cookies)
- Missing email security DNS records (SPF, DKIM, DMARC)
📩 How to submit?
Ready to hack (ethically)? Let’s make Clapp unbreakable! Send your findings to: [email protected]
Please note: We only accept private submissions.