开始

Bug Bounty program

Found a vulnerability on our platform? Let us know.

About the program

Get rewarded for helping us improve our platform. Reports can cover security vulnerabilities in our services, infrastructure, and applications.

网站

TradingView.com及其子域名上的问题。

移动app

iOS和Android平台上的问题。

图表解决方案 

工具、插件或API中的错误。

电脑版

电脑版应用程序中的错误或性能问题。

Reward levels

Your reward depends on the type of vulnerability reported and its overall security impact.

  • Remote code execution (RCE) or administrator access
  • High-impact injection vulnerabilities
  • Unrestricted access to local files or databases
  • Authentication bypass allowing modification of user data or access to private data
  • Subdomain takeover
  • Logical flaws causing financial impact e.g., obtaining a subscription for free
  • Cross-site scripting (XSS), excluding self-XSS
  • Cross-site request forgery (CSRF)
  • User reputation manipulation
  • Low-impact injection vulnerabilities
  • Bypassing user restrictions

Reward amounts can vary. The actual reward may change depending on the severity, genuineness, and exploitation possibilities of bugs, as well as the environment and other factors that affect security.

博客等辅助服务的漏洞和“beta”、“staging”、“demo”等非生产环境的漏洞,只有在影响我们整体服务,或可能导致敏感用户数据泄露时才会奖励。

规则

  1. 漏洞报告应包括已发现漏洞的详细说明,以及重现漏洞需要执行的步骤或有效的漏洞验证。如果您未描述漏洞详细信息,则可能需要很长时间才能审核报告和/或可能导致拒绝您的报告。
  2. 每份报告请仅提交一个漏洞,除非您需要漏洞链来提供影响。
  3. 只有第一个报告未知漏洞的人将获得奖励。当出现重复时,我们只会奖赏可以完全重现漏洞的第一份报告。
  4. 您不应使用自动化工具和扫描程序来查找漏洞,因为此类报告将被忽略。
  5. You should not perform any attack that could damage our services or data including client data. If it's discovered that DDoS, spam, and brute force attacks have occurred rewards will not be given.
  6. 未经他们的明确同意,您不应让其他用户参与其中。在测试期间创建私密观点、脚本和其它内容。
  7. 您不应执行或尝试执行非技术攻击,例如社交工程(例如phishing, vishing, smishing),或对我们的员工、用户或一般基础架构的物理攻击。
  8. 请提供具有可重复步骤的详细报告。如果报告不够详细,无法重现问题,则该问题将没有资格获得奖励。
  9. 由一个潜在问题引起的多个漏洞将获得一份赏金。
  10. 请真诚地努力避免侵犯隐私、破坏数据以及中断或降低我们的服务。

超出范围漏洞

The following issues are considered out of scope.

  • Vulnerabilities in users' software or vulnerabilities that require full access to user's software, account/s, email, phone etc
  • Vulnerabilities or leaks in third-party services
  • Vulnerabilities or old versions of third party software/protocols, missed protection as well as a deviation from best practices that don't create a security threat
  • Vulnerabilities with no substantial security impact or exploitation possibility
  • Vulnerabilities that require the user to perform unusual actions
  • Disclosure of public or non-sensitive information
  • Homograph attacks
  • Vulnerabilities that require rooted, jailbroken or modified devices and applications
  • Any activity that could lead to the disruption of our service

There are several examples of such vulnerabilities that are not rewarded.

  • EXIF geolocation data not stripped
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions, logout CSRF
  • Weak ciphers or TLS configuration without a working Proof of Concept
  • Content spoofing or injection issues without showing an attack vector
  • Rate limiting or brute force issues on non-authentication endpoints
  • Missing HttpOnly or Secure flags on cookies
  • Software version disclosure. Banner identification issues. Descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis
  • Tabnabbing
  • User existence. User, email or phone number enumeration
  • Lack of password complexity restrictions