Bug Bounty Program — NODITRA Exchange

Related Services

Bug Bounty Program

NODITRA welcomes responsible disclosure from the security research community. If you find a vulnerability, we want to know — and we'll reward you fairly for helping us protect our users.

Critical

Up to $50,000

RCE, authentication bypass, fund theft, full account takeover

High

Up to $10,000

Privilege escalation, SQL injection, significant data exposure

Medium

Up to $1,000

CSRF, stored XSS, IDOR, rate limit bypass

Low / Informational

NODITRA Swag

Best-practice deviations, verbose error messages, minor misconfigurations

* Reward amounts are determined at NODITRA's sole discretion based on CVSS score, exploitability, and business impact. Duplicate reports receive no reward. Payment in KRW equivalent or USDC by researcher preference.

Program Scope

✅ In Scope

noditra.com and app.noditra.com (all pages)
NODITRA REST API (api.noditra.com)
NODIT API platform (nodit.noditra.com)
NODITRA iOS and Android apps (official app store versions)
Smart contracts deployed by NODITRA (Ethereum mainnet only)
Authentication and session management flows
Trading engine and order book APIs
Withdrawal and deposit systems

❌ Out of Scope

Denial of service (DoS/DDoS) attacks
Social engineering (phishing of staff or users)
Physical attack vectors
Vulnerabilities on third-party services or infrastructure not controlled by NODITRA
Findings affecting only outdated browser versions (IE11 or older)
Automated scanner output without manual verification of exploitability
Self-XSS or CSRF requiring extremely unlikely user interaction
Rate limiting on low-sensitivity public endpoints

Submission Process

Discover & Document

Reproduce the vulnerability in a controlled manner. Do not access user data beyond what is necessary to prove the vulnerability exists. Document steps to reproduce, impact, and a proof-of-concept (PoC).

Submit by Email

Email [email protected] with subject line "[Bug Bounty] [Severity] — Short description." Include: description, PoC steps, screenshots or video, your preferred contact method, and payment preference.

Initial Triage

The security team (led by CSO Park Jae-hyun) will acknowledge your submission within 2 business days and classify the severity. We may ask follow-up questions.

Validation & Fix

NODITRA engineers reproduce and fix the vulnerability. This typically takes 7–30 days depending on complexity. We'll keep you updated on our progress.

Reward & Disclosure

Once patched, we process your reward payment and add you to our Hall of Fame (with your consent). We follow a 90-day coordinated disclosure timeline — you may publish after the fix is live.

Responsible Disclosure Rules

Do not exploit the vulnerability beyond what is necessary to demonstrate the bug
Do not access, modify, or delete data belonging to other users
Do not publicly disclose before NODITRA has issued a fix (90-day window)
Do not perform testing that could degrade service availability
Researchers who follow these rules will not face legal action from NODITRA

박

Park Jae-hyun (박재현) — CSO

Chief Security Officer · Age 42 · Ex-military cyber intelligence unit, white-hat hacker background

"Every exploit we patch is a user kept safe. We work with researchers, not against them."

[email protected]

Hall of Fame

Recognizing researchers who have responsibly disclosed verified vulnerabilities to NODITRA.

🥇

@0xkr4k3n

Critical — Withdrawal auth bypass
2024 Q4

🥈

Ren Hao

High — API key enumeration
2024 Q3

🥉

security_min

High — Stored XSS in admin panel
2025 Q1

🏅

Anonymous

Medium — CSRF in order form
2024 Q2

🏅

Priya R.

Medium — IDOR in trade history
2025 Q1

🏅

@ghost_bytes

Medium — Rate limit bypass on 2FA
2025 Q2

Found something?

Send your report to [email protected] — we respond within 2 business days.

Submit a Report