Bug Bounty | 3Commas

This Bug Bounty is effective as of 2nd of December, 2022.

Firstly, thank you for your interest in our Bug Bounty program and helping us to make our platform stronger and safer. Even with the best efforts of our expert team and making every effort to squash bugs in our systems, there's always the chance that we might have missed one that poses a significant threat.

If you discover a bug, we welcome your cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible.

1. Responsible Investigation and Reporting

Responsible investigation and reporting include, but isn't limited to, the following:

  • Don't violate the privacy of other users, destroy data, disrupt 3Commas services, etc.
  • Only target your own accounts in the process of investigating the bug. Don't target, attempt to access, or otherwise disrupt the accounts of other users.
  • Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
  • Initially report the bug only to us and not to anyone else.
  • Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.
  • Don’t flood or spam us asking for a reward after providing the bug. Please wait until we contact you.

In general, please use good reason and judgment to investigate and report bugs in good faith in order to not be disruptive or harmful to our platform or our users. Otherwise, your actions might be interpreted as hostile rather than an effort to be helpful.

2. Eligibility

Generally speaking, any bug that poses a significant vulnerability, either to the security of our site and users, or the integrity of our trading system, could be eligible for reward.

Rewards are given entirely at our discretion to decide whether a bug is significant enough to be eligible, for example, please don’t automatically assume that any time you spend in advance trying to find bugs will be rewarded.

Security issues that typically would be eligible (though not necessarily in all cases) include:

  • Cross-Site Request Forgery (CSRF).
  • Cross-Site Scripting (XSS).
  • Code Injection.
  • Remote Code Execution.
  • Privilege Escalation.
  • Authentication Bypass.
  • Clickjacking.
  • Leakage of Sensitive Data.

3. Ineligibility

Things that are not eligible for reward include:

  • Vulnerabilities on sites hosted by third parties (https://help.3commas.io, etc) unless they lead to a vulnerability on the main website.
  • Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack, etc.
  • Vulnerabilities affecting outdated or unpatched browsers.
  • Vulnerabilities in third-party applications that make use of a service API.
  • Bugs that have not been responsibly investigated and reported.
  • Bugs already known to us, or already reported by someone else (reward goes to first reporter).
  • Issues that aren't reproducible.
  • Issues that we can't reasonably be expected to do anything about.
  • Issue related to overloading specific endpoint with multiple requests, where problem root caused by heavy query.
  • Attempt to obfuscate vulnerability using different techniques (including DDoS, mixing requests, etc.) violates current Bounty Program reward option.


4.1. By participating in the 3Commas’ Bug Bounty Program, you represent and warrant that you:

4.1.1. have not been included in any trade embargos or economic sanctions lists, including but not limited to:

(a) Restrictive measures of the European Union;

(b) Sanctions of the United Nations;

(c) Sanctions of the Government of Estonia;

(d) the list of specially designated nationals maintained by Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury;

(e) the denied persons or entity list of the U.S. Department of Commerce;

(f) Lists of subjects to Financial Sanctions maintained by the UK Office of Financial Sanctions Implementation (OFSI),

4.1.2. your participation, use and access of 3Commas services does not violate or circumvent international sanctions and restrictive measures established by the European Union, United Nations, United States of America, United Kingdom or other international sanctions applicable in the Republic of Estonia, and

4.1.3. are not from any of the following comprehensively sanctioned countries or geographical regions (this list is subject to change from time to time):

(a) Belarus

(b) Burma (Myanmar)

(c) Cote d’Ivoire

(d) Crimea (Region of Ukraine)

(e) Cuba

(f) Democratic Republic of the Congo

(g) Donetsk (Region of Ukraine)

(h) Iran

(i) Iraq

(j) Liberia (Former Regime of Charles Taylor)

(k) Libya

(l) Luhansk (Region of Ukraine)

(m) Nicaragua

(n) North Korea

(o) Russian Federation

(p) Sierra Leone

(q) Somalia

(r) Sudan

(s) Syria

(t) Venezuela

(u) Yemen

(v) Zimbabwe.

4.2. We reserve the right to choose markets and jurisdictions to conduct business, and may restrict or refuse, in our sole discretion, the provision of 3Commas services in certain countries or regions, including those not listed in Section 4.1.3.

4.3. If you become subject to international sanctions, you are obliged to immediately stop using our services and notify us.

4.4. Without prejudice to other grounds for such actions available to us, we have the right to terminate, suspend or restrict the provision of 3Commas’ services to you as well as to terminate these Terms of Use in case:

4.4.1. you become a subject of international sanctions,

4.4.2. providing services to you is considered a violation or circumvention of international sanctions,

4.4.3. you are according to our assessment related to a territory, area of activity, transaction or person subject to international sanctions, or

4.4.4. we apply our right referred to in Section 4.2

5. Reward

  • The reward for eligible bugs is the equivalent of 100 USDT (TRC20).
  • Only one reward per bug.

6. How to Report a Bug

  • Send your bug report to [email protected].
  • Try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or proof of concept, video of exploits are very useful.
  • Include your TRC20 USDT address for payment (payment transactions may take up to 30 days to be processed).
  • Please allow 10 business days for us to respond before sending another email.

Previous version before December 2, 2022.