Tether bug bounty rewards information page and guidelines
Hunt, report, and get rewarded!
Tether believes that establishing relationships with security researchers and nurturing security research is a vital part of our mission to protect our users and ship safer software.
In collaboration with the cybersecurity and hacker development community, Tether runs this bug bounty program ("Bug Bounty Program") to incentivise and reward the responsible disclosure of security vulnerabilities. Tether is always building and pushing out new code, so join our growing research community and help our developers to squash bugs, with attractive rewards paid out for bugs successfully discovered. On this Bounty Rewards Information Page and Guidelines, you can find the information you need to know relating to which products and services are in scope of the Bug Bounty Program, how to submit a Tether Bounty Report (defined below), and how to receive a reward for identifying a bug ("Bounty Reward"). All decisions in relation to the administration of the Bug Bounty Program are at Tether's sole and absolute discretion, including the distribution of Bounty Rewards.
This Tether Bug Bounty Rewards Information Page and Guidelines deals with the Tether.to website and Tether Tokens. Other Tether Bug Bounty Rewards Information Page and Guidelines may deal with other programs or businesses.
Responsible Disclosure Policy:
To ensure a quick fix, you, as the disclosing user or organisation, must work with the Tether security and development team in a confidential, timely and secure manner. To ensure any vulnerabilities are dealt with in the most secure manner, you must:
submit your report once you discover the bug (the fastest way to alert our team is via our form at the bottom of this page);
not share details of the bug in our customer support chat or publicly;
make every effort not to interrupt or degrade our products or services during your investigation;
not harm or defraud Tether systems, products, or our users during your investigation;
only target your own accounts during your research for vulnerabilities;
not violate the privacy of other users, destroy data, attempt to access or disrupt any other user accounts or data;
provide written authority from the owner to perform such tasks, if working on behalf of a client or organisation where more than one account is used;
ensure your Tether Bounty Report remains confidential and do not disclose information relating to your Tether Bounty Report publicly before it has been fixed;
not engage in activity or provide a Tether Bounty Report that is false or misleading;
not share any information relating to a vulnerability in Tether’s customer support group;
not attempt social engineering or phishing techniques on our users or Tether personnel; and
not engage in activity that is harmful to us, any of our or our affiliates’ products, the Bug Bounty Program, or others, including using software or performing attacks that could affect the stability of our platforms, such as DDoS attacks, spamming techniques or blackhat SEO.
If you violate this Responsible Disclosure Policy, you may be prohibited from participating in the Bug Bounty Program and any Tether Bounty Reports you have provided may be deemed to be ineligible for payments.
Bug Bounty Eligibility Requirements:
Please follow our Responsible Disclosure Policy above when working to discover security vulnerabilities and bugs. You may only participate in the Bug Bounty Program if ("Eligibility Requirements"):
you fully accept and adhere to our bug bounty terms governing the Bug Bounty Program, which applies to you and can be found here. (The Bug Bounty Terms should be read in conjunction with the Privacy Statement for the Bug Bounty Program.)
you are over 18 years old or the age of majority in the jurisdiction in which you reside;
if you are representing an entity, (a) such entity is duly organized and validly existing under the applicable laws of the jurisdiction of its organization; and (b) you, the individual signing such entity up for the Bug Bounty Program, are duly authorized by such entity to act on its behalf and participate in the Bug Bounty Program;
your participation in the Bug Bounty Program would not be in violation of any national, state, or local law or regulation applicable to you;
you are not a resident, government or government official of any of (each of the following, a "Prohibited Jurisdiction"): (a) a jurisdiction subject to a comprehensive embargo by the British Virgin Islands, El Salvador, the United States, or the United Nations, which comprise as of the date of these Terms, Iran, the Democratic People's Republic of Korea ("North Korea"), Cuba, Syria, Crimea (a region of Ukraine annexed by the Russian Federation), the self-proclaimed Donetsk People's Republic (a region of Ukraine), the self-proclaimed Luhansk People's Republic (a region of Ukraine), Kherson (a region of Ukraine) and Zaporizhzhia (a region of Ukraine), including any government or government official of those jurisdictions; or (b) a high risk jurisdiction subject to a call for action by the FATF to apply countermeasures or enhanced due diligence measures, which comprise as of the date of these Terms, Iran, Myanmar and North Korea;
you comply with the Responsible Disclosure Policy;
you comply with all due diligence requirements of Tether as applicable, including related to anti-money laundering and anti-terrorist financing, and successfully pass Tether’s Know Your Customer ("KYC") requirements, as applicable, according to standards and processes determined in the sole discretion of Tether;
you are not, and do not use any digital tokens address that is: (a) specifically listed in any Sanctions List (defined below); (b) directly or indirectly owned 50 percent or more by any person or group of persons in the aggregate, or a digital tokens wallet associated with such person or persons, referred to in any Sanctions List, or government or government official of any Prohibited Jurisdiction; or (c) otherwise sanctioned, restricted or penalized under applicable (1) financial sanctions, trade embargoes, export or import controls, anti-boycott, and restrictive trade measures enacted, administered, enforced, or penalized by any laws applicable to either Tether or you, or (2) anti-money laundering and counter-terrorist financing laws ("Sanctions List" means the "Specially Designated Nationals and Blocked Persons" ("SDN") List and the Non-SDN List, including the "Sectoral Sanctions Identifications List", published by OFAC; the Section 311 Special Measures for Jurisdictions, Financial Institutions, or International Transactions of Primary Money Laundering Concern published by FinCEN; and, any other foreign terrorist organization or other sanctioned, restricted, or debarred party list published by the FIA, or under Economic Sanctions, AML, or CTF Laws of or by governments of the United States, El Salvador, the British Virgin Islands, the United Nations, or any other jurisdiction or government, as applicable to you, Tether, or the Bug Bounty Program, each as amended, supplemented, or substituted from time to time);
you have not falsified any due diligence, KYC or other application details provided to Tether;
you are not acting for the benefit of any person who does not meet the requirements set forth herein; and
you comply with any other eligibility and requirements set out herein.
You can speak to our customer support team for any general inquiries on the Bug Bounty Eligibility Requirements.
Rewards Policy:
All Bounty Rewards are priced in $USD and paid in USDt or Bitcoin or any other digital token as determined in Tether's sole and absolute discretion. We will coordinate any applicable Bounty Rewards over email at the email address you submit to us in your Tether Bounty Report (defined below). In order to provide you with a Bounty Reward, we may ask for your name, contact information, proof of identity and payment information at the time you submit a Bug Bounty Report. Such information is necessary for us to process any Bounty Report and Bounty Reward. We will process this information in accordance with our Privacy Statement. We may share such information with Tether; in this case, Tether will process such information in accordance with the Privacy Statement for the Bug Bounty Program. Failure to provide us with this information or timely respond to our emails may mean you forfeit any right you may have had to a Bounty Reward.
We are happy to give you recognition for your collaboration but will respect your privacy if you prefer not to reveal your identity publicly. Tether may, at its sole discretion, honour your skills in a future “Hall of Fame,” should one be established, with any bugs appropriate for public disclosure.
Bug examples and their level of risk
We are primarily interested in issues that could lead to unauthorized access, data exposure, account takeover, loss of confidentiality, or loss of integrity of data.
Examples
Injection Attacks: Including Server-Side Code Execution (RCE) and SQL Injection (SQLi).
Broken Access Control: Authentication or authorization flaws, including Insecure Direct Object References (IDOR) and horizontal/vertical privilege escalation.
Cross-Site Scripting (XSS): All forms of XSS, excluding Self-XSS unless it has proven critical impact and a clear vector to affect other users.
Cross-Site Request Forgery (CSRF/XSRF): On sensitive state-changing actions.
Server-Side Request Forgery (SSRF): Vulnerabilities that allow unauthorized internal requests.
Infrastructure Health: SPF/DMARC misconfigurations that allow for unauthorized email spoofing.
Information Leakage: Detailed stack traces, internal path disclosure, or exposed metadata/sensitive debug info.
Encryption & Transport: Mixed-content scripts (loading insecure HTTP resources on HTTPS pages) and weak SSL/TLS configurations.
Subdomain Takeover: Identification of abandoned subdomains pointing to third-party services.
Non-qualifying bug examples
We generally do not provide Bounty Rewards for:
Third-Party Hosted Assets: Vulnerabilities on platforms managed by external providers (e.g., tether.recruitee.com, tether.statuspage.io).
Best Practice Reports: Missing security headers (e.g., HSTS) or general "best practice" suggestions that do not lead to a direct, verifiable exploit.
Automated Scanner Reports: Unverified outputs from automated security tools.
Theoretical Vulnerabilities: Reports detailing potential security flaws that lack a practical, reproducible exploit path or a tangible risk to the application’s security posture.
Low-Impact & Informational Findings: UI/UX glitches, missing non-critical security headers, or general best-practice deviations that do not result in a direct or verifiable security impact.
Rate Limiting & Resource Exhaustion: Complaints regarding rate-limiting thresholds or the absence of rate limits that do not include a demonstrated bypass or a significant impact on business logic.
Destructive Denial of Service (DoS): Any testing activity that intentionally or unintentionally degrades service availability, impacts system performance, or harms the user experience.
We may still elect to provide Bounty Rewards for borderline cases at our discretion, for example if the report is of unusually high quality or reveals meaningful risk.
How to Send a Tether Bounty Report:
If you find a security vulnerability that meets the above qualifications, please complete the form below (the "Tether Bounty Report"). The Tether Bounty Report must include a short description of the bug, and you must fully complete the form below. You must not share any sensitive data publicly. Each report must follow Tether's Responsible Disclosure Policy. You understand that you are not guaranteed compensation or credit for your Tether Bounty Report, though Tether may recognize your contribution at its discretion. You may be paid a Bounty Reward for your Tether Bounty Report as determined in our sole discretion. If we receive multiple Tether Bounty Reports for the same issue from different parties, the Bounty Reward will be granted to the first eligible Tether Bounty Report.
If you send an image or a video, please:
keep it short by showing only the necessary parts;
record at a readable resolution;
make sure the language of the video is in English to help us quickly identify the problem; and
include a copy of the text in your message explaining what it relates to, if a large amount of text appears in your video.
Bounty Reward guidelines
The below table shows the indicative Bounty Reward range paid by bug priority class and risk. Upon successful verification of the bug discovered we shall advise on the reward amount to be paid out in our discretion. We will assess the bug priority class and risk associated with your reported bug using such criteria as we may determine from time to time in our discretion. We have no obligation to share details of the reasons for our determination or the criteria used.
| RISK PRIORITY | MINIMUM BOUNTY REWARD | MAXIMUM BOUNTY REWARD |
|---|---|---|
| RP1 | $1,000 | $10,000+ |
| RP2 | $800 | $1,500 |
| RP3 | $200 | $400 |
| RP4 | $50 | $150 |
| RP5 | $10 | $50 |
Scope and targets
The products and services listed below are covered by the Bug Bounty Program.
Outside of scope:
This program is intended to expand and change over time. When products or services are added to the Bug Bounty Program, they will be added to the list above or to a different Tether Bug Bounty Rewards Information Page and Guideline. Please check back regularly to determine which products are in scope for the Bug Bounty Program.
The above products and services are eligible for bounties for Priority RP1-RP5 depending on the severity of the bug found. Any product or service outside of this list is currently out of scope for the Tether Bug Bounty program.
The scope of the Tether Bug Bounty program does not cover vulnerabilities within third-party software, including any third-party services integrated with the products and services which are listed above (Note: while third-party services are out of scope, the integrations to third-party services are in-scope). The scope of the Tether Bug Bounty program also does not cover social engineering activities, physical building security breaches, threats involving coercion or extortion and event security risks. If you are aware of illegal activities being planned you should make our team aware and contact your local authorities.
If you believe you have discovered a vulnerability that should be included in the Bug Bounty Program please complete our Tether Bounty Report below.
You must not make your findings public. You should notify the official team members that you have found a vulnerability, and we will advise how to provide more detailed information securely.
Tether retains ultimate discretion regarding providing Bounty Rewards, including potentially in respect of otherwise out of scope products, services or bugs. Any such Bug Bounty Rewards will be deemed to fall within the Bug Bounty Program.