Print Logo
You're using an older browser that we are unable to fully support. Your experience with our site may be less than optimal due to our focus on performance, security and reliability. Consider upgrading your browser if you have problems using our site. Learn More

Get Paid to Report Serious Bugs and Security Issues

Put your experience to work for cash or store credit, but most of all to make everyone's experience here better and more secure.


If you check out or submit forms, use Test as your first and last name. Keep order values on checkout tests below $100.

Responsible Disclosure

Make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our services.
Do not access or modify data that does not belong to you.
Do not make any information public until the issue has been resolved.

In order to encourage responsible disclosure, we will not bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.

This is Eligible

We decide if the minimum severity threshold is met and whether it was previously reported.
Anything which has the potential for financial loss or data breach is of sufficient severity, including:

$US 2,000.00 - $US 3,500.00 Remote code execution / SQL injection
$US 800.00 - US$ 2,000.00 Authentication bypass or privilege escalation
$US 500.00 - US$ 800.00 Click Jacking
$US 500.00 Obtaining user information but not enumeration
$US 300.00 - US$ 500.00 XSS / CSRF
$US 50.00 - $US 300.00 Other at our discretion

Only the highest severity for a given issue is eligible

This is In Scope

Silver Gold Bull Android app (Latest version)

This is Out of Scope, Not Eligible

- /education
- CSRF on checkout page
- Rate limiting
- Vulnerabilities on assets hosted by third parties including, but not limited to, those with CNAME entries to third parties, such as:
• affiliates.silvergoldbull.*
• autodiscover.silvergoldbull.*
• faq.silvergoldbull.*
• ifaq.silvergoldbull.*
• ira.silvergoldbull.*
• loan.silvergoldbull.*
• rrsp.silvergoldbull.*
• rsp.silvergoldbull.*
• sell.silvergoldbull.*
• sip.silvergoldbull.*
• storage.silvergoldbull.*
• trade.silvergoldbull.*
(The above list is a representative sample and not an exclusive list of all Silver Gold Bull subdomains hosted by third parties.)
- Denial of service
- Spamming
- Previously reported or known to us
- Out of date software/plugins
- Best Practices (token expiry etc. - unless causing a critical vulnerability.)
- Enumeration
- Email Security (SPF/DMARC/DKIM/ARC etc. - unless causing a critical vulnerability.)
- Attacks requiring physical access to a user's device
- Password and account recovery policies, such as reset link expiration or password complexity
- Missing HTTP security headers which do not lead directly to a vulnerability
- Use of a known-vulnerable library (without evidence of exploitability)
- Issues related to software or protocols not under Silver Gold Bull control
- Reports from automated tools or scans
- Reports of spam
- Vulnerabilities affecting users of outdated browsers or platforms
- Social engineering of Silver Gold Bull staff or contractors
- Any physical attempts against Silver Gold Bull property or data centers
- Cookie flags (secure/httponly etc.)
- TLS/SSL issues (weak ciphers etc.)

Automated Scanning

If you employ automated scanning tools, their requests must be rate limited to not exceed 5 requests per second.
Failure to do so may be considered a DoS attack and will result in disqualification.
Automated vulnerability scanners commonly have low priority issues and/or false positives.
Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable.

Submission Instructions

Send detailed steps on reproducing the bug to
Please include screenshots, links you clicked on, pages visited, etc.
Including a video proof-of-concept is preferred if the bug requires many steps to reproduce.
Keep focused on the technical details and provide precise explanations; stay clear of off-topic commentary.
Provide a concrete attack scenario. Show clearly how will this impact the company or our users.

Payment Terms

Payment for all eligible bug reports will be made via PayPal.
It is the responsibility of the researcher to have a PayPal account in order to receive the reward.
Payment instructions will be provided when the bug is confirmed eligible. The reward must be accepted within 90 days after the bug is confirmed eligible.

We will respond to reports according to severity.