
Vulnerability Rewards Program (VRP)


Our team is continually looking for ways to improve upon our high security standards. Despite our best efforts, we acknowledge that our experts may have missed a bug in our system that exposes a security threat. Should you find a vulnerability in our system, we invite you to contact us for compensation through our Vulnerability Rewards Program and recognition on our Wall of Fame.

Conscientious Examination and Disclosure

To be eligible for consideration in our VRP, please observe the following:

  • Do not interfere with or violate the privacy of our clients, destroy data and/or interrupt our services;
  • While investigating the vulnerability, we ask that you target only your own accounts, not those of our other clients;
  • Leave our physical security measures alone, and do not attempt any spam, DDoS attacks or social engineering; and
  • Disclose the vulnerability only to NDAX and not to a third party.

We kindly request you investigate and report bugs in a way that makes a reasonable, fair and good faith effort to not be disruptive or harmful to NDAX or our clients. Otherwise, your actions may be interpreted as an attack rather than an effort to be helpful.


Security issues that pose a substantial exposure to our site security or trading interface may be eligible for remuneration. All prizes are given at the discretion of NDAX’s management team. Some examples of eligible security issues may include:

  • Authentication Bypass;
  • Code Injection;
  • Cross Site Request Forgery;
  • Cross Site Scripting;
  • Leakage of Sensitive Data;
  • Privilege Escalation;
  • Remote Code Execution.


We do not reward the following:

  • Vulnerabilities previously known to NDAX, or previously reported by a third party (where there has been a prize awarded);
  • Vulnerabilities that have not been conscientiously examined and conveyed to NDAX;
  • CSP headers, content sniffing, X-Frame-Options, etc.;
  • Vulnerabilities dependent on physical attack, social engineering, spamming, DDoS attack, etc.;
  • Vulnerabilities affecting out-of-date, unpatched browsers, or any browsers not supported by NDAX;
  • Vulnerabilities on third party sites unless they lead to a vulnerability on NDAX’s main site;
  • Clickjacking on pages with no sensitive actions;
  • Problems that are not replicable; and
  • Problems that we cannot reasonably be expected to do anything about.


We reward a minimum of $20 CAD in BTC for any eligible vulnerability. The more serious the vulnerability, the greater the prize. However, rewards remain subject to NDAX’s discretion.

How to Report a Vulnerability

  • Email your vulnerability report to [email protected].
  • Please include as much information in your report as possible, including a description of the vulnerability, its potential impact, and steps for reproducing it or a proof of concept.
  • Should you wish, include your name and link as you would like them to appear on our Wall of Fame.
  • Include your BTC address for payment.
  • Please allow 2 business days for a response from NDAX.

Wall of Fame

Nobody has reported any vulnerabilities yet.