How to report a security issue to Bybit?

Report security vulnerabilities on Bybit via HackerOne to ensure responsible disclosure, protect user assets, and potentially earn rewards up to $50,000.

Aug 11, 2025 at 01:22 pm

Understanding Security Vulnerability Reporting on Bybit

When users identify potential security vulnerabilities on Bybit’s platform, it is essential to report them through the correct channels to ensure prompt action and protection of user assets. Bybit takes security seriously and encourages white-hat researchers, developers, and users to disclose any discovered flaws responsibly. This process helps Bybit patch weaknesses before they can be exploited maliciously. The official method for reporting such issues is through Bybit’s bug bounty program hosted on a dedicated security platform.

The foundation of responsible disclosure is to avoid public exposure of the vulnerability. Publicly sharing details before a fix is deployed can put user funds and data at risk. Bybit supports coordinated vulnerability disclosure, meaning they work with reporters to validate, reproduce, and resolve the issue in a secure manner.

Accessing the Official Bug Bounty Program

Bybit partners with HackerOne, a well-known platform for bug bounty programs, to manage vulnerability reports. To begin the reporting process:

  • Navigate to the official Bybit page on HackerOne: https://hackerone.com/bybit
  • Sign up or log in to your HackerOne account
  • Click on the “Submit a Report” button located on the Bybit program page
  • Carefully read the program’s scope and rules before proceeding

The program clearly defines which assets are in scope, including specific domains like api.bybit.com, www.bybit.com, and wss.bybit.com. It also outlines out-of-scope items such as social engineering, DDoS attacks, and phishing campaigns, which are not eligible for rewards.

Ensure that your testing remains within the boundaries of the allowed methods. Unauthorized access to user data, denial-of-service testing, or automated scanning without permission is strictly prohibited and may result in disqualification.
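Before sending a single request, it is worth checking mechanically that every host you intend to touch is one the program actually lists. The helper below is an added example and is not Bybit's or HackerOne's code: it takes the three in-scope hosts this article names as a fixed set, compares the effective host of a URL against them exactly (no wildcard or subdomain matching, since the article lists specific hosts), and refuses the usual tricks that make a URL look in scope when it is not. The sample URLs and the `evil.example` / `bybit.example` hosts are constructed for illustration; confirm scope against the live program page before testing.

```python
"""Scope check for a bug-bounty target list.

Added example, not Bybit's or HackerOne's code. IN_SCOPE_HOSTS is the set of
hosts this article names; the lookalike hosts used in the docstring are
constructed. Always verify against the live program page.
"""
from urllib.parse import urlsplit

# Hosts the article lists as in scope: exact hosts, not wildcards.
IN_SCOPE_HOSTS = {"api.bybit.com", "www.bybit.com", "wss.bybit.com"}


def is_in_scope(url: str, allowed: set[str] = IN_SCOPE_HOSTS) -> bool:
    """Return True only if the URL's effective host is exactly one of `allowed`.

    Pitfalls this guards against:
    - userinfo tricks: https://api.bybit.com@evil.example/ really targets evil.example
    - suffix lookalikes: api.bybit.com.evil.example is not api.bybit.com
    - case and trailing-dot variants: API.Bybit.COM. is api.bybit.com
    - a bare "api.bybit.com" with no scheme is parsed as a path, not a host,
      so it is refused rather than guessed at
    """
    parts = urlsplit(url)
    # Only web and websocket schemes make sense for these hosts.
    if parts.scheme not in {"http", "https", "ws", "wss"}:
        return False
    # .hostname is lowercased and has userinfo and port already stripped;
    # it is None when the URL carries no authority component.
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")  # "api.bybit.com." is the same host
    return host in allowed


def filter_scope(urls: list[str]) -> tuple[list[str], list[str]]:
    """Split captured URLs (for example a proxy history export) into
    (in_scope, out_of_scope) lists so out-of-scope traffic never reaches
    the report or further testing."""
    in_scope: list[str] = []
    out_scope: list[str] = []
    for u in urls:
        (in_scope if is_in_scope(u) else out_scope).append(u)
    return in_scope, out_scope


if __name__ == "__main__":
    # Constructed sample history; only the first two lines should survive.
    history = [
        "https://api.bybit.com/v5/market/time",
        "wss://wss.bybit.com/v5/public/spot",
        "https://api.bybit.com@evil.example/",
        "https://api.bybit.com.evil.example/",
        "https://bybit.example/login",
    ]
    keep, drop = filter_scope(history)
    print("in scope:", keep)
    print("out of scope:", drop)
```

Note that `urlsplit(...).hostname` does the heavy lifting: it lowercases, strips the port and discards anything before an `@`, which is exactly the part of a URL an attacker-controlled link would use to impersonate an in-scope host.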

Preparing a Detailed Vulnerability Report

A high-quality report increases the likelihood of quick validation and reward eligibility. When submitting a report, include the following components:

  • Clear title summarizing the vulnerability (e.g., “Stored XSS in User Profile Section”)
  • Detailed description explaining the nature of the flaw
  • Step-by-step reproduction instructions so the security team can replicate the issue
  • Supporting evidence such as screenshots, video recordings, or network logs
  • Risk assessment outlining potential impact (e.g., account takeover, data leakage)
  • Suggested remediation if known

For example, if you discover an insecure API endpoint that leaks user information, your report should include the exact endpoint URL, the HTTP method used, request and response samples (with sensitive data redacted), and the conditions under which the leak occurs.

Capture traffic only from accounts you control, and before attaching request or response samples strip anything that would itself be a secret in the wrong hands: session cookies, bearer tokens, API keys and signatures, private keys, and other users' e-mail addresses or identifiers. Tools like Burp Suite, Postman, or browser developer tools can assist in gathering the technical details; the redaction step is yours to do before submission.
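The redaction pass is easy to get wrong by hand, so here is a small, self-contained script for it. This is an added example and not Bybit's or HackerOne's tooling: it blanks credential-bearing headers entirely, strips the value (but keeps the key) of secret-looking query or form parameters, and replaces JWT-shaped, e-mail-shaped and long-hex values anywhere in the text, then reports what it removed so the counts can be quoted in the report in place of the raw data. The header names it treats as sensitive, the sample exchange, the `/v1/example/account` path and every "leaked" value are constructed for illustration and are not real Bybit endpoints or data.

```python
"""Redact secrets from captured HTTP samples before pasting them into a report.

Added example, not Bybit's or HackerOne's code. SENSITIVE_HEADERS, the
sample exchange, the endpoint path and all values are constructed.
"""
import re
from collections import Counter

# Headers whose value is a credential by definition: blank the whole value.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key", "x-api-sign"}

# Secret-shaped values that can appear anywhere (URLs, bodies, logs).
VALUE_PATTERNS = [
    ("jwt", re.compile(r"\beyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}\b"), "[REDACTED-JWT]"),
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[REDACTED-EMAIL]"),
    ("hex_secret", re.compile(r"\b[0-9a-f]{32,}\b", re.I), "[REDACTED-HEX]"),
]
# key=value secrets in query strings or form bodies: keep the key, drop the value.
# The value class excludes "[" so an already-redacted marker is not matched again.
KV_PATTERN = re.compile(r"(?i)\b(session|token|api_key|apikey|secret|password)=([^&\s\"'\[]+)")
HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def redact(text: str) -> tuple[str, Counter]:
    """Return (redacted_text, counts) where counts records what was removed."""
    counts: Counter = Counter()

    def kv_repl(m: re.Match) -> str:
        counts["kv:" + m.group(1).lower()] += 1
        return f"{m.group(1)}=[REDACTED]"

    out = []
    for line in text.splitlines():
        h = HEADER_LINE.match(line)
        if (h and h.group(1).lower() in SENSITIVE_HEADERS and h.group(2)
                and not h.group(2).startswith("[REDACTED")):
            counts["header:" + h.group(1).lower()] += 1
            out.append(f"{h.group(1)}: [REDACTED]")
            continue
        line = KV_PATTERN.sub(kv_repl, line)
        for name, pattern, marker in VALUE_PATTERNS:
            line, n = pattern.subn(marker, line)
            if n:
                counts[name] += n
        out.append(line)
    return "\n".join(out), counts


def looks_clean(text: str) -> bool:
    """Second pass: a properly redacted sample yields no further findings."""
    _, counts = redact(text)
    return sum(counts.values()) == 0


# Constructed request/response pair; nothing here is real.
SAMPLE = """\
GET /v1/example/account?uid=1001&token=3f2a9c HTTP/1.1
Host: api.bybit.com
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEwMDF9.c2lnbmF0dXJlX2hlcmVfMTIzNDU2
Cookie: sid=deadbeefdeadbeefdeadbeefdeadbeef
X-Api-Key: 0123456789abcdef0123456789abcdef

HTTP/1.1 200 OK
Content-Type: application/json

{"uid":1001,"email":"victim@example.com","apiSecret":"ffeeddccbbaa99887766554433221100","accessToken":"eyJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEwMDF9.c2lnbmF0dXJlX2hlcmVfMTIzNDU2"}
"""

if __name__ == "__main__":
    redacted, counts = redact(SAMPLE)
    print(redacted)
    print("removed:", dict(counts))
    print("clean on second pass:", looks_clean(redacted))
```

The second pass (`looks_clean`) is the check worth keeping in a pre-submission script: if redaction of the redacted text still finds something, a pattern was missed and the sample should not leave your machine yet. The hostname, path structure and the fact that a `uid` parameter exists survive, which is what the triage team needs to reproduce the issue; the values that would let someone else exploit it do not.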

Submitting and Tracking Your Report

After preparing your report, submit it through the HackerOne portal:

  • Select the appropriate severity level based on impact
  • Attach all supporting files
  • Submit the report and wait for a response

Once submitted, Bybit’s security team will acknowledge receipt within a defined timeframe, typically within five business days. You can monitor the status of your report directly in your HackerOne dashboard. Statuses may include “Triaged,” “In Progress,” “Resolved,” or “Duplicate.”

Engage professionally if the team requests additional information. Prompt responses help accelerate the resolution process. Avoid making follow-up inquiries more than once every 72 hours unless critical updates are expected.

If your report is valid and previously unknown, it may qualify for a monetary reward under Bybit’s bug bounty program. Rewards vary based on severity, ranging from $500 to $50,000 or more for critical vulnerabilities such as remote code execution or major authentication bypasses.

Confidentiality and Responsible Disclosure

By submitting a report, you agree to keep the details of the vulnerability confidential until Bybit has fully addressed it. This includes refraining from:

  • Publicly discussing the issue on forums, social media, or blogs
  • Demonstrating the exploit to third parties
  • Exploiting the vulnerability beyond what is necessary for proof-of-concept

Bybit reserves the right to determine when a vulnerability is sufficiently mitigated and when disclosure can occur. In some cases, they may credit the reporter in their public security advisories, provided the researcher consents.

Violating confidentiality may result in disqualification from the bounty program and potential legal action, especially if malicious use or data exfiltration is detected. Ethical conduct is a core requirement for participation.

Alternative Reporting Methods for Non-Researchers

If you are not a security researcher but believe you’ve encountered a security concern—such as suspicious login activity, phishing attempts, or compromised account access—use Bybit’s customer support channels instead.

  • Log in to your Bybit account
  • Visit the Help Center at https://www.bybit.com/support/
  • Open a ticket under the “Security” category
  • Provide relevant details such as timestamps, IP addresses, and transaction IDs

For urgent cases, contact security@bybit.com directly. This email is monitored by the internal security team and should be used only for verified security incidents. Include “Security Issue” in the subject line and avoid sending sensitive data like passwords or 2FA codes via email.

Attach any relevant logs or screenshots to assist with investigation. Account-related threats such as unauthorized withdrawals or login attempts will be escalated immediately.

Frequently Asked Questions

Can I report a vulnerability without a HackerOne account?

No. All formal vulnerability reports must be submitted through the HackerOne platform where Bybit’s bug bounty program is hosted. Creating a free account is required to submit and track reports.

What types of vulnerabilities qualify for rewards?

Eligible issues include authentication bypass, insecure direct object references (IDOR), cross-site scripting (XSS), server-side request forgery (SSRF), and insecure API implementations. The severity and impact determine the reward amount.

Is testing allowed on all Bybit domains?

No. Only domains listed in the in-scope section of the HackerOne program are permitted for testing. Testing on third-party services or out-of-scope domains may lead to exclusion from the program.

Will I receive recognition for my report?

Bybit may publicly acknowledge your contribution in their security advisories if you opt-in during submission. Recognition typically includes your HackerOne username and the vulnerability title, with no personal details disclosed.
