立即開始

Bug Bounty program

Found a vulnerability on our platform? Let us know.

About the program

Get rewarded for helping us improve our platform. Reports can cover security vulnerabilities in our services, infrastructure, and applications.

網站

TradingView.com及其子網域存在問題。

手機應用程式

iOS和Android平台上的問題。

圖表解決方案 

工具、插件或API中的錯誤。

電腦版

電腦版應用程式中的錯誤或效能問題。

Reward levels

Your reward depends on the type of vulnerability reported and its overall security impact.

  • Remote code execution (RCE) or administrator access
  • High-impact injection vulnerabilities
  • Unrestricted access to local files or databases
  • Authentication bypass allowing modification of user data or access to private data
  • Subdomain takeover
  • Logical flaws causing financial impact e.g., obtaining a subscription for free
  • Cross-site scripting (XSS), excluding self-XSS
  • Cross-site request forgery (CSRF)
  • User reputation manipulation
  • Low-impact injection vulnerabilities
  • Bypassing user restrictions

Reward amounts can vary. The actual reward may change depending on the severity, genuineness, and exploitation possibilities of bugs, as well as the environment and other factors that affect security.

部落格等輔助服務的漏洞和“beta”、“staging”、“demo”等非生產環境的漏洞,只有在影響我們整體服務,或可能導致敏感用戶數據洩露時才會獎勵。

規則

  1. 錯誤報告應包括已發現漏洞的詳細說明,以及為重現漏洞而需要採取的步驟或可執行的概念驗證。如果您未描述漏洞詳細訊息,則可能需要很長時間才能審核報告和/或可能導致拒絕您的報告。
  2. 一份報告僅提交一個漏洞,除非您需要連結漏洞以提供其影響。
  3. 只有第一個報告未知漏洞的人將獲得獎勵。當出現重複時,我們僅在漏洞可以完全重現的情況下授予第一次報告。
  4. 您不應使用自動化工具和掃描程式來查找漏洞,此類報告將被忽略。
  5. You should not perform any attack that could damage our services or data including client data. If it's discovered that DDoS, spam, and brute force attacks have occurred rewards will not be given.
  6. 未經他們的明確同意,您不應讓其他用戶參與其中。在測試期間建立私密想法、腳本和其他內容。
  7. 您不應執行或嘗試執行非技術攻擊,例如社交工程(例如phishing, vishing, smishing),或對我們的員工、用戶或一般基礎架構的物理攻擊。
  8. 請提供具有可重複步驟的詳細報告。如果報告不夠詳細,無法重現問題,則該問題將沒有資格獲得獎勵。
  9. 由一個潛在問題引起的多個漏洞將獲得一份賞金。
  10. 請善意努力避免侵犯隱私、破壞數據以及中斷或降低我們的服務。

超出範圍漏洞

The following issues are considered out of scope.

  • Vulnerabilities in users' software or vulnerabilities that require full access to user's software, account/s, email, phone etc
  • Vulnerabilities or leaks in third-party services
  • Vulnerabilities or old versions of third party software/protocols, missed protection as well as a deviation from best practices that don't create a security threat
  • Vulnerabilities with no substantial security impact or exploitation possibility
  • Vulnerabilities that require the user to perform unusual actions
  • Disclosure of public or non-sensitive information
  • Homograph attacks
  • Vulnerabilities that require rooted, jailbroken or modified devices and applications
  • Any activity that could lead to the disruption of our service

There are several examples of such vulnerabilities that are not rewarded.

  • EXIF geolocation data not stripped
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions, logout CSRF
  • Weak ciphers or TLS configuration without a working Proof of Concept
  • Content spoofing or injection issues without showing an attack vector
  • Rate limiting or brute force issues on non-authentication endpoints
  • Missing HttpOnly or Secure flags on cookies
  • Software version disclosure. Banner identification issues. Descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis
  • Tabnabbing
  • User existence. User, email or phone number enumeration
  • Lack of password complexity restrictions