Bug Bounty Program

Help us protect bitcoiners and improve SatsFaucet faster. If you find a real security issue or a serious earning-flow bug, send us a responsible report.

Up to 1,000,000 sats per critical issue reported

Rules

  • Only test with accounts and wallets you own.
  • Do not steal funds, access private data, or modify another user's account.
  • Do not run destructive tests, spam, scraping, or denial-of-service attacks.
  • Stop testing and report immediately if you access sensitive data.
  • Give us reasonable time to investigate and fix before public disclosure.

In scope

  • Authentication, sessions, account security, and user access controls.
  • Balances, pending earnings, shards, store purchases, chests, boosts, and cashouts.
  • Offer, faucet, bounty, prediction, quest, affiliate, and membership reward flows.
  • API routes, webhooks, server-side validation, and sensitive data exposure.
  • Public web app vulnerabilities that can affect users or platform integrity.

Out of scope

  • Social engineering, phishing, spam, or physical attacks.
  • Denial-of-service, load testing, or attacks that degrade service for users.
  • Reports from automated scanners without a clear exploit or impact.
  • Issues in third-party services unless they create a concrete SatsFaucet impact.
  • Testing against accounts, wallets, or data that you do not own.

Rewards

Critical

Account takeover, unauthorized cashout, wallet/balance manipulation, remote code execution, or direct access to sensitive production data.

High

Privilege escalation, bypassing security restrictions, serious authentication/session bugs, or exploitable payment/earning logic flaws.

Medium

Stored XSS, meaningful data exposure, broken access controls with limited impact, or bugs that can affect user balances indirectly.

Low

Low-impact security issues, edge-case abuse paths, privacy leaks with limited scope, or useful hardening reports.

Reward amounts are decided by severity, exploitability, business impact, report quality, and whether the issue was already known. No minimum reward is guaranteed. When reports are duplicates, the reward generally goes to the first complete, reproducible submission.

Bounty contact email

bounty@satsfaucet.com

Please do not disclose vulnerabilities publicly before we have confirmed and fixed them.

What to include

  • Your contact email and preferred Lightning address for rewards.
  • A clear title and severity estimate.
  • Exact reproduction steps, affected URL/API route, and test account used.
  • Screenshots, videos, request/response samples, or proof-of-concept details.
  • The security impact and any limits you observed.

SatsFaucet © is powered by Middle Entertainment LLC. All rights reserved.