Vulnerability/Bug Bounty program


    Bitcasino.io considers privacy and security to be core functions of our organization. Earning and keeping the trust of our customers is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.


    We follow a set of well-defined and industry-standard disclosure terms and vulnerability rating taxonomies. To avoid confusion, we will rate all submissions using the Bugcrowd Vulnerability Rating Taxonomy.


    Each submission will be evaluated by our security team on the basis of first-to-find. You will qualify for a reward if you were the first person to alert us of a previously unknown issue and the issue triggers us to make a code or configuration change to our platform. We do not have a minimum or maximum reward limit. Rewards will be given at our discretion, but we will pay significantly more for particularly serious issues.


    Please keep in mind that this is a production environment. When performing your testing, we ask that you:

    • Do not use vulnerabilities to access, modify, harm, or otherwise alter any data that does not belong to you.

    • Do not exploit vulnerabilities except to demonstrate them to us.

    • Do not conduct network level or Denial of Service testing or traffic flooding attacks against our systems.

    • Do not conduct any tests that will impact the performance of the environment, such as aggressive scanning and/or aggressive scripting.

    • Do not target our employees and customers. All employees and customers are out of scope and should not be targeted under any circumstances.


    Please also note that the following findings are specifically excluded from the bounty:

    • Findings identified through physical testing of office access (e.g. open doors, tailgating).

    • Attacks conducted using social engineering (e.g. phishing, vishing).

    • Functional, UI and UX bugs and spelling mistakes.

    • Network level Denial of Service (DoS/DDoS) vulnerabilities.

    • Descriptive error messages (e.g. Stack Traces, application or server errors).

    • HTTP 404 codes/pages or other HTTP non-200 codes/pages.

    • Fingerprinting / banner disclosure on common/public services.

    • Disclosure of known public files or directories (e.g. robots.txt).

    • CSRF on forms that are available to anonymous users (e.g. the contact form) and the Login/Logout URL.

    • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.

    • Lack of HTTPOnly cookie flags.

    • Login brute force (unless the CAPTCHA can be bypassed).

    • OPTIONS HTTP method enabled.

    • Missing X-Content-Type-Options header.

    • Use of SHA-1 SSL certificates and support for TLS 1.0.


    Submitting your Report

    In your submission please include:

    • Detailed steps to reproduce the vulnerability.

    • Verifiable evidence that the vulnerability exists, such as a screenshot, a video or a script. Verifiable evidence is required in order to receive recognition or an award, and it should include any and all URLs used to uncover the vulnerability.


    Please submit your report to [email protected]. We will get back to you within 3-5 business days.
