Bug Bounty

Responsible Disclosure Policy

Deribit is the leading cryptocurrency option exchange by volume and uses the latest available technology to offer microsecond response time. We value security and availability above all so that traders can focus fully on what matters most to them: making money.

Our program is public on HackerOne and can be accessed directly through this link: https://hackerone.com/deribit

As part of our perpetual quest for improvement and security, we highly respect and value the work of ethical hackers. If you come across a vulnerability in one of our web or mobile applications, you can report it to us using the form below. We take security very seriously and strive to provide lightning-fast response time to any report. We will validate and fix vulnerabilities in accordance with our commitment to security. Researchers will be rewarded at Deribit's discretion depending on the security impact, and we will never take legal action against you as long as you show good faith in not impacting the platform or our customers.

The following guidelines give you an idea of what we usually pay out for different classes of bugs – for all things not listed below, this program follows the Bugcrowd VRT for prioritizing issues.

  • Tier 1: test.deribit.com, www.deribit.com, Android app, iOS app
  • Tier 2: All other subdomains of deribit.com except office.deribit.com, veriscope.deribit.com and sygna.deribit.com

| Technical severity | Reward range: Tier 1 | Reward range: Tier 2 |
|---|---|---|
| p1 (Critical) | $30,000 - $50,000 | $2,500 - $3,000 |
| p2 (Severe) | $5,000 - $10,000 | $750 - $1,500 |
| p3 (Moderate) | $500 - $1,000 | $250 - $425 |
| p4 (Low) | $100 - $300 | $50 - $150 |