Bug Bounty Program

Help us keep Onramp.money secure. We reward security researchers who responsibly disclose vulnerabilities across our platform.

Report a Vulnerability

Guidelines

Rules of Engagement

Confidential Disclosure

Report findings exclusively to [email protected]. Do not disclose vulnerabilities publicly or on social media before they are resolved.

No Disruption

Do not perform actions that could degrade our services, destroy data, or violate the privacy of our users during your testing.

Resolution Timeline

We typically acknowledge reports within 2 business days and aim to resolve valid issues within 2 weeks. Please allow us reasonable time before any disclosure.

One Issue Per Report

Submit each vulnerability as a separate report with a clear description, reproduction steps, and proof-of-concept where possible.

Scope

What's In & Out of Scope

In Scope
  • onramp.money — main website and web application
  • Android and iOS mobile applications
  • Public-facing API endpoints
Out of Scope
  • Third-party services and integrations not operated by Onramp
  • Subdomains or properties not directly affiliated with onramp.money

Qualifying Vulnerabilities

What We're Looking For

Cross-site Scripting (XSS)
Cross-site Request Forgery (CSRF)
SQL Injection
Server-Side Request Forgery (SSRF)
Remote Code Execution (RCE)
XML External Entity (XXE)
Access Control Flaws
Privilege Escalation
Payment Manipulation
Directory Traversal
Authentication Bypass
Sensitive Data Exposure

Exclusions

Non-Qualifying Issues

Open redirects without demonstrated impact
Outdated software version claims without working exploit
Clickjacking on pages with no sensitive actions
CSV injection
Self-XSS (requires victim to paste code)
Automated scanner output without manual analysis
Denial-of-Service (DoS/DDoS) attacks
Brute-force attacks without demonstrated bypass
SSL/TLS scan reports (e.g. SSL Labs output)
Recently disclosed 0-days in third-party components (reports are accepted only after a 2-week grace period from public disclosure)

Mobile-Specific Exclusions

Absence of certificate pinning
Clipboard data leaks
Unencrypted local storage
Lack of code obfuscation
Hardcoded non-sensitive values
Runtime manipulation on jailbroken/rooted devices

Submission Format

How to Report

Send your report to [email protected] with the following details:

  1. Clear description of the vulnerability and its location
  2. Step-by-step instructions to reproduce the issue
  3. Proof-of-concept (screenshots, videos, or scripts)
  4. Impact assessment and potential severity

Rewards

Bounty Tiers

Rewards are determined based on severity, impact, and quality of the report. All bounties are paid in cryptocurrency.

Critical

RCE, authentication bypass, payment manipulation, mass data exposure

High

Privilege escalation, stored XSS, SQL injection, SSRF with internal access

Medium

CSRF with impact, reflected XSS, information disclosure of sensitive data

Low

Minor information leaks, low-impact misconfigurations, non-sensitive data exposure

Found a vulnerability?

Reach out to us at [email protected] with your findings. We appreciate responsible disclosure and are committed to working with the security community.