Tether Bug Bounty Rewards
Hunt, report, and get rewarded!
Tether believes that establishing relationships with security researchers and nurturing security research is a vital part of our mission to deliver the most advanced, security-enhanced, and trusted trading platform for digital tokens.
In collaboration with the cybersecurity and hacker development community, Tether runs this program to incentivise and reward the responsible disclosure of security vulnerabilities ("Responsible Disclosure"). Tether is always building and pushing out new code, so join our growing research community and help our developers to squash bugs with attractive rewards paid out to successful bugs discovered.
Responsible Disclosure Policy:
To ensure a quick fix, the disclosure as a user or organisation must work with the Tether security and development team in a timely and secure manner. Ensuring any vulnerabilities will be dealt with in the most secure manner, you must:
submit your report once you discover the bug, the fastest way to alert our team is via our form at the bottom of this page;
not share details of the bug in our customer support chat or publicly. If the matter is urgent you can advise the customer support team you have completed the bug report but do not disclose information and we will immediately alert our security team.
make every effort not to interrupt or degrade our service during your investigation.
not harm or defraud Tether systems or our users during your investigation.
only target your own accounts during your research for vulnerabilities. Please do not violate the privacy of other users, destroy data, attempt to access or disrupt any other user accounts.
provide written authority from the owner to perform such tasks, if working on behalf of a client or organisation where more than one account is used.
Work with us in good faith by following our responsible disclosure policy ensures no legal action will be taken against you by Tether.
Bug Bounty eligibility & rules:
Please follow our Responsible Disclosure Policy above when working to discover security vulnerabilities and bugs.
You must fully accept and adhere to our terms of service
You must not be a Prohibited Person, such as a citizen or resident of the United States of America, or acting for the benefit of a Prohibited Person
You must not disclose information relating to your discovery publicly before it has been fixed
You must not try to access or damage other users' Tether accounts. When completing the research, you must use your own Tether account
You must not attempt social engineering or phishing techniques on our users or Tether personnel
You must not use software or perform attacks that could affect the stability of our platforms, such as DDOS attacks, spamming techniques or blackhat SEO.
All decisions in relation to the administration of Bug Bounty program are at Tether's sole and absolute discretion, including the distribution of rewards
You can speak to our customer support team for any general inquiries on the Bug Bounty Eligibility & Rules.
Rewards Policy:
All bounties are priced in $USD and paid in USDt or Bitcoin or any other digital token as determined in Tether's sole and absolute discretion.
We are happy to give you recognition for your collaboration but will respect your privacy if you prefer not to reveal your identity publicly. Tether may, at its sole discretion, honour your skills in its upcoming Hall of Fame, with any bugs appropriate for public disclosure.
Bug examples and their level of risk
Any security flaw or bug that could result in either a loss of service, data breach or financial damages to our systems or users are within scope. We may also reward our community when notifying us in:
cross-site scripting (XSS, including Self-XSS)
cross-site request forgery (CSRF/XSRF)
mixed-content scripts
authentication or authorisation flaws
server-side code execution bugs
remote code execution
SPF/DMARC misconfiguration
stack traces or path disclosure
Non-qualifying bug examples
There must be an immediate threat to the Tether platform or our users that can be exploited and is not hypothetical. Examples of common exclusions are:
Vulnerabilities on sites hosted by third parties (https://tether.recruitee.com, https://tether.statuspage.io).
Tether-branded services operated by third parties
Tether open source projects: github.com
How to Send a Report:
If you find a security vulnerability that meets the above qualifications, please complete the form below. If you believe the bug is urgent you can also advise our customer support team via https://cs.tether.to. You must not share information in the customer support group. You can advise you have completed a report in the bug bounty program which will speed up our internal team's review of your submission.
The bug report must include a short description of the bug, and a fully completed Tether Bounty Report template. You must not share any sensitive data before you have made contact with an official representative at Tether.
If you send an image or a video, please:
keep it short by showing only the necessary parts.
recording at a readable resolution.
make sure the language of the video is in English to help us quickly identify the problem.
include a copy of the text in your message explaining what it relates to, if a large amount of text appears in your video.
Reward guidelines
The below table shows the indicative reward range paid by bug priority class and risk. Upon successful verification of the bug discovered we shall advise on the reward amount to be paid out.
RISK PRIORITY | MINIMUM PAYOUT | MAXIMUM PAYOUT |
|---|---|---|
| RP1 | $1,000 | $10,000+ |
| RP2 | $800 | $1,500 |
| RP3 | $200 | $400 |
| RP4 | $50 | $150 |
| RP5 | $10 | $50 |
Scope and targets
Tether Bug Bounty program includes any and all digital security vulnerabilities discovered within any of the iFinex Inc. iFinex Inc provides the operational services that support all the various business lines delivered by the companies in the group such as Tether, Unus Sed Leo, Tether Staking, Honey Framework.
The specific properties and domains covered in the Tether Bug Bounty are as follows:
tether.to
app.tether.to
Outside of scope:
tether.recruitee.com
tether.statuspage.io
cs.tether.com
The above digital tokens are eligible for bounties for Priority RP1-RP5 depending on the severity of the bug found. Any domain or product outside of this list is currently out of scope for the Tether Bug Bounty program.
The scope of the Tether Bug Bounty program does not include third party software such as social media accounts or services such as Bitrefill and ODEM or social engineering activities, physical building security breaches and event security risks. If you are aware of illegal activities being planned you should make our team aware and contact your local authorities.
If you believe you have discovered a vulnerability that should be included in the bounty program please complete our vulnerability report below.
You should not make your findings public, you should notify the official team members you have found a vulnerability and we will advise how to provide more detailed information securely.
Any services provided on other (sub)domains different to the above are not included in the bounty program. Tether could reward reports for non-qualifying services at its sole discretion.
Driving the Future of Money
Tether supports and empowers growing ventures and innovation throughout the blockchain as a digital token built on multiple blockchains.
