Thank you for all that you do

On behalf of over 3 million ZebPay users, we would like to express our heartfelt gratitude to all those listed in our Hall of Fame for their efforts in keeping the platform secure. We look forward to your continued participation in our Bug Bounty Program.

Zebpay’s Hall of Fame 2020

DateBounty WinnersIssue StatusBountyPointsTwitter Profiles
April 2022Gia Bui DaiFixed$1000
Mar 2019Venkata Sateesh NettiFixed$300240
Mar 2020MelarDevFixed$250240
April 2022YAMIN SHAIKHFixed$250
Mar 2019Tarikul IslamFixed$100180
Aug 2019Monika BabariyaFixed$100180
Mar 2019Sajid AliFixed$50120
Sep 2019Simgamsetti ManikantaFixed$50120
Nov 2019Arjun SinghFixed$50120
Apr 2020Priyanka BamneFixedSwag120
Apr 2020Jagadeesh GFixedSwag120
May 2020Abhijeet JainFixedSwag120
Mar 2019Sameer PhadFixedHoF60
Feb 2020AnabelleFixedHoF60

How to report the bug?
  • Send it to
  • Points to consider :
    (Please use English when submitting the report)
    (Add the POC attachments in a Google drive or Dropbox link)
    (Try to be as elaborate of the testing methodology in your report as possible)
What should be in your bug report?

The bug report should contain sufficient information pertaining to the bug description, testing methodology used and endpoints in the testing environment. This will help our internal security team to triage the bug faster. 

The following should be added to make it a qualifying bug report : 

  • * A clear description of the bug.
  • * The specific product version and environment in which the bug was found.
  • * Sample Code (if required).
What happens next?
  • A member of our staff will get back to you as soon as they receive your report.
  • Don’t be afraid to send the report again if you sent it by email and don’t hear back within a few days. This could mean that a spam filter has banned your email.
Which bugs qualify for a bounty?

Bugs must be original and previously unreported in order to qualify for the bounty. The researcher who submitted their report first will receive the bounty if two or more researchers submit the identical bug.

How long does the triaging take?

Every software bug is different and requires a different amount of time to triage and resolve, thus we can’t guarantee how long it will take to fix one. We always try to resolve problems as quickly as we can, and we’ll keep you informed every step of the way.

What types of bugs are we looking for?
  • If you have found a security issue that directly affects a cryptocurrency and/or its components (e.g. blockchain, node, wallet)
  • Vulnerabilities that can cause a loss of user’s funds/assets remotely.
  • Vulnerabilities that expose private keys or other sensitive data.
  • Vulnerabilities in chain-related implementations
  • Insecure cryptographic implementation for sensitive functions such as wallet generation, transaction signing etc.
  • Business logic issues
  • Payments manipulation
  • Remote code execution (RCE)
  • Database vulnerability, SQLi
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc)
  • Leakage of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Other vulnerability with a clear potential loss
Ineligible issues (Will be closed as out of scope):
  • Theoretical vulnerabilities without actual proof of concept
  • Links to invalid/expired pages (Only valid if you can demonstrate an actual takeover of an official Zebpay social media account linked to on every page, not just specific past announcements/blog posts)
  • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
  • CSRF with negligible security impact (E.g. adding to favourites, adding to cart, subscribing to a non critical feature)
  • Assets that do not belong to Zebpay
  • Missing security headers that do not lead to direct exploitation
  • Exposure of internal IP address or domains
  • Internally known issues, duplicate issues, or issues which have already been made public
  • Vulnerabilities that require physical access to a user’s device
  • Issues that have no security impact (E.g. Failure to load a web page)
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Email verification deficiencies, expiration of password reset links, and password complexity policies
  • Reports from automated tools or scans
  • Vulnerabilities related to auto-fill web forms
  • Issues related to unsafe SSL/TLS cipher suites or protocol version
  • Lack of security flags in cookies
  • Any activity (like DoS/DDoS) that disrupts our services
  • Email or mobile enumeration (E.g. the ability to identify emails via password reset)
  • Vulnerabilities that require root/jailbreak
  • Self-XSS
  • Cache-control related issues
  • Installation Path Permissions
  • Use of known vulnerable libraries without actual proof of concept
  • Information disclosure with minimal security impact (E.g. stack traces, path disclosure, directory listings, logs)
  • Content spoofing
  • Tab-nabbing
  • Disclosure of information that does not present a significant risk.
  • Clickjacking / UI redressing.
  • Issues that require unlikely user interaction.
Reward Guidelines

Our general payout ranges from $100-$1000 depending on the severity of the bug. The payout amount is decided by the Security team at Zebpay and the decision is final from the team.

Start Trading Now