Welcome to BITCHAT !!! Invite More Friends to Earn More Rewards
© 2026 BITCHAT
AboutContact UsPrivacy PolicyTerms of UseRefundBug Bounty

Bug Bounty Program

Bitchat values the security community. We invite responsible security researchers to help us identify vulnerabilities in our platform. Valid reports will be rewarded.

Reward Tiers

Severity Reward Response
Critical $100 – $2,000 worth of TRDC 24 hours
High $200 – $500 worth of TRDC 48 hours
Medium $50 – $200 worth of TRDC 5 days
Low $10 – $50 worth of TRDC 10 days
Info Recognition 30 days

All rewards are paid exclusively in TRDC tokens (BEP-20 on Binance Smart Chain).

In-Scope Sections

Authentication & Account Management CRITICAL

  • Registration, login, password reset, OAuth (Google, LinkedIn, Instagram)
  • Two-factor authentication, SMS verification, session management
  • Email/phone verification, account deletion

Messaging & Real-Time CRITICAL

  • Direct messages (1-to-1 chat, file sharing, message history)
  • Group chat, message reactions, typing indicators
  • Socket.io WebSocket connections

Payments & Financial CRITICAL

  • Wallet system (in-app balances, peer-to-peer transfers)
  • TRDC token (BEP-20 staking, rewards, tipping, post boosting)
  • Crypto deposits (BTC, BUSD, BEP-20 address generation & monitoring)
  • Withdrawals (TRDC on-chain, fiat bank wire)
  • Pro membership purchase, payment processors (Stripe, PayPal, Razorpay, Coinbase)
  • Marketplace orders & checkout

APIs CRITICAL

  • REST API v1 & v2 (user data, posts, search)
  • Mobile app API endpoints
  • Socket.io WebSocket (real-time chat, notifications, status)

Posts, Content & Feed HIGH

  • Post creation, editing, deletion, scheduling
  • Trading signal posts (BUY/SELL/LONG/SHORT/HOLD)
  • Token-gated posts (TRDC balance requirement)
  • News feed algorithm (For You, Trading, Following, Creators tabs)
  • Stories/status (24h auto-delete)
  • Reactions & comments

User Profiles & Settings HIGH

  • Profile management, avatar/cover upload
  • Account settings (email, notification, privacy)
  • Address management (PII), data export (GDPR)

Video & Audio Calling HIGH

  • P2P video and audio calls

Groups, Pages & Events MEDIUM

  • Group/page creation, management, admin roles, invitations
  • Events (create, RSVP, invitations)
  • Forums (threads, replies, moderation)
  • Blogs & articles (creation, comments)
  • Advertising (campaigns, targeting, analytics)

Social Features LOW

  • Follow/unfollow, blocking, suggestions, nearby users
  • Search (users, posts, pages, groups, products)
  • Notifications (push, email, in-app)

Out of Scope

Third-Party Services

  • Payment processors (Stripe, PayPal, Razorpay, Coinbase, etc.) — report to those vendors
  • Agora video/audio SDK, PancakeSwap smart contracts, BSC network
  • OneSignal, Twilio, CloudFlare, hosting panel

Excluded Attacks

  • Volumetric DDoS or resource exhaustion
  • Social engineering, phishing, physical access
  • Self-XSS (requiring victim to paste code into their own console)
  • Login/logout CSRF (no security impact)

Known Accepted Risks

  • Email/username enumeration via registration or password reset
  • Missing security headers on static assets
  • SSL/TLS configuration (managed by hosting provider)
  • Software version disclosure, autocomplete on non-password fields
  • Open redirects without chaining to auth bypass
  • Clickjacking on pages without state-changing actions

Testing Rules

  • Create your own test accounts — do NOT test on real users' accounts
  • Do NOT access, modify, or delete other users' data
  • Do NOT execute trades or interact with the live trading bot wallet
  • Do NOT attempt to withdraw TRDC or fiat from any wallet
  • Do NOT perform destructive database operations
  • Do NOT interact with the TRDC smart contract on BSC mainnet
  • Do NOT scan the server's network or other hosted services

How to Report

Email: security@bitchat.live

Subject format: [BUG BOUNTY] [SEVERITY] — Brief description

Required information:

  1. Affected section (from the scope table above)
  2. Step-by-step reproduction instructions
  3. Proof of concept (screenshots, video, or code)
  4. Impact assessment
  5. Suggested fix (optional but appreciated)

Rules

  • First reporter of a valid vulnerability receives the reward
  • Duplicate reports receive no reward
  • You must not publicly disclose the vulnerability before it is fixed
  • We aim to fix Critical issues within 24 hours, High within 1 week
  • Researchers who follow responsible disclosure will be credited on our Hall of Fame

Legal Notice: All rights reserved to release the rewards. This Bug Bounty Program is operated by Bitchat India OPC Pvt. Ltd., Gandhinagar, India (A Division of Tradex24 Corporation LTD., Louisville, USA).

The company reserves the right to modify, suspend, or terminate this program at any time without prior notice. Reward amounts are determined at the sole discretion of Bitchat India OPC Pvt. Ltd. based on the severity, impact, and quality of the submission.

Dispute Jurisdiction: Any disputes arising from this program shall be governed by and construed in accordance with the laws of the United States of America. The exclusive jurisdiction for any disputes shall be the courts located in Louisville, Kentucky, USA.

Program launched: March 2026 • 62 in-scope sections • 18 Critical, 14 High, 22 Medium, 8 Low