Bug Bounty

To show its appreciation for external contributions, Deribit maintains a Bug Bounty Program of rewards for security vulnerabilities. Please note, Deribit continuously pushes out new code. In the event you don't find anything today, there may be something present tomorrow. This is a great opportunity for Deribit and the researcher community to work together to find vulnerabilities!


Responsible Disclosure Policy

You disclose responsibly if you:

      Give us a reasonable time before disclosing the vulnerability

      Make a good faith effort to not interrupt or degrade our service

      Do not defraud or harm Deribit or its users during your research

      If you do your best to follow these guidelines in discovering and disclosing a vulnerability, we won’t take any legal action against you. We will do our best to respond to your submission as quickly as possible, keep you updated on the fix, and award a bounty where appropriate.


Bounty Rules

Adhere to the Responsible Disclosure Policy above

      Do not attempt to gain access to another user’s account or information (use your own test accounts)

      Report only original and previously undisclosed bugs

      Do not disclose a bug publicly before it has been fixed

      Do not use scanners or automated tools to find bugs

      Interacting with real customers is forbidden.

      Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure

      Do not attack the reliability or integrity of our services (e.g, no DDoS attacks, blackhat SEO techniques, spamming, or similar questionable acts)

      Employees of Deribit and its subsidiaries are ineligible.

      Residents in U.S. sanctioned countries (Cuba, Iran, Sudan, Syria, and North Korea) are ineligible

      If in doubt, please email us at support@deribit.com



Services in Scope

All merchant services provided by Deribit are eligible for our Bug Bounty Program, including services offered through www.deribit.com, all Deribit APIs, and our mobile app.


Qualifying Bugs

Any design or implementation issue that could result in substantial financial loss, data breach, or service degradation is within scope including, but not limited to:


Cross-site scripting (XSS)

Cross-site request forgery (CSRF/XSRF)

Mixed-content scripts

Authentication or authorization flaws

Server-side code execution bugs

Remote code execution

Accounting errors



Non-Qualifying Bugs

Depending on their impact, some disclosures may not qualify. Vulnerabilities in the following areas are examples of common exclusions:


      Software packages not produced by Deribit

      Domains hosted by third parties

      Deribit-branded services operated by third parties

      Deribit open source projects (see https://github.com/deribit )


Other Exclusions

      “Bugs” which are not bugs will not be awarded, like absence of explicit “security” flag on cookies because we use HTTP Strict-Transport-Security

      Bounties are awarded at the discretion of the Deribit Team

      Multiple bounties will not be awarded for variations or multiple instances of the same bug

      Duplicate entries will only be awarded to the first submission


How to Disclose

Disclose a vulnerability by sending an email with your bug report to support@deribit.com and send a copy to dev@deribit.comA bug report should include a description of the bug, reproduction instructions, and security impact (low, medium, high, critical). Deribit may award greater bounties for well done reports. All bounties are payable only in bitcoin.


Reward Guidelines

The following guidelines give you an idea of what we usually pay out for different classes of bugs - for all things not listed below, this program follows the Bugcrowd VRT (https://bugcrowd.com/vulnerability-rating-taxonomy ) for prioritising issues.

PriorityMinimum PayoutMaximum Payout