This document provides extended details on Crypto.com's HackerOne program policies. It serves as an official reference that complements our HackerOne page.
We only accept vulnerability reports where the root cause is within our control. Issues related to third-party vendors (cloud platforms, external assets) are out of scope unless they are specifically caused by our misconfigurations or lack of patching.
This is a Bug Bounty program, not a Risk or Threat Bounty program. All submissions must:
- Identify a specific, reproducible vulnerability
- Include a clear Proof-of-Concept (PoC)
- Be manually verified (not just scanner output)
Reports that fail to meet these criteria will be rejected. Unverified or non-reproducible reports from automated scanners will be marked as "Spam".
Please refer to this document for a complete list of out-of-scope vulnerabilities.
Our severity classifications are detailed in this document.
Crypto.com maintains sole discretion in determining:
- Whether a vulnerability qualifies for a reward
- The final reward amount based on severity assessment
This policy is non-negotiable and designed to ensure fair and consistent evaluation of all submissions.