Bug Bounty Program

Guidelines

We ask that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing

  • Use the identified communication channels to report vulnerability information to us

  • Report vulnerabilities as soon as you discover them, but keep them confidential between yourself and Shakepay until we’ve resolved the issue

  • Provide us with at least 5-7 working days to investigate the issue and get back to you

Additionally, if you are the first to report the issue, and we make a code or configuration change based on the issue, we commit to:

Reward you with a bounty (up to a maximum of CAD $5000 paid out per month):

  • Up to CAD $4000 if you identified a vulnerability that presented a severe risk

  • Up to CAD $1000 if you identified a vulnerability that presented a moderate risk

  • Up to CAD $50 if you identified a vulnerability that presented a low risk

  • CAD $5 if there was in fact no vulnerability, but we nonetheless made a related code or configuration change

Please note that the reward will be determined at our discretion depending on the impact of the vulnerability. Additionally, in the case where the same vulnerability is reported by multiple parties, the party that reported the issue first will be awarded the bounty.

Examples of vulnerabilities and the levels we assign them:

Severe risk:

  • Stored cross-site scripting (XSS) vulnerability

  • Remote code execution

  • File system access

  • Exfiltration of digital or fiat currency

Moderate risk:

  • Authentication flaw

  • Cross-Site Request Forgery (CSRF) on user data

  • Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)

  • Vulnerabilities when uploading documents

Low risk:

  • Self-XSS: a user performing XSS on themselves only

  • On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data

  • On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)

Payout

Payouts will be made in either Bitcoin or Interac e-transfer. The researcher will provide us with a Bitcoin address or email address for the payout within 7 days after we have resolved the issue.

Scope

Out of scope

  • Findings derived primarily from social engineering (e.g. phishing)

  • Findings from applications or systems not listed in the ‘Scope’ section

  • Physical security

  • UI/UX bugs and spelling mistakes

  • Network level Denial of Service (DoS/DDoS) vulnerabilities

  • Spam or Social Engineering techniques, including SPF and DKIM issues

  • Security bugs in third-party applications or services

  • XSS Exploits that do not pose a security risk

  • HTTPS/SSL configuration or server-info disclosure related issues

  • Brute-force attacks

How to report a security vulnerability

  • Description of the location and potential impact of the vulnerability

  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)

  • Email us at bugbounty@shakepay.com - our PGP key fingerprint is DB65 6FC0 7112 0DCA 1083 5866 4BBF 2997 74E3 AFB2.

Crafting a Report

If our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:

  • Description of the vulnerability

  • Steps to reproduce the reported vulnerability

  • Proof of exploitability (e.g. screenshot, video)

  • Perceived impact to another user or the organization

  • Proposed CVSSv3 Vector & Score (without environmental and temporal modifiers)

  • List of URLs and affected parameters

  • Other vulnerable URLs, additional payloads, and proof-of-concept code; browser, OS and/or app version used during testing

Note: Failure to adhere to these minimum requirements may result in the loss of a reward.

Fine print

We reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.

Last updated