Introduction

Welcome to Hata’s Bug Bounty Program. We appreciate your interest in helping us improve the security of our systems. These terms and conditions (“Bug Bounty Terms”) govern your participation in our Bug Bounty Program. By participating, you agree to comply with these terms. These Bug Bounty Terms apply in addition to our standard Terms of Use (“Terms of Use”) to the extent applicable to your participation in our Bug Bounty Program. All terms and references used in these Bug Bounty Terms shall have the same meanings given to them in our Terms of Use and our Privacy Policy as updated from time to time (collectively, the “Hata Services Terms”). To participate, please click here and follow the instructions to complete the Google Form.

Eligibility

To participate in our Bug Bounty Program, you must:

  • Be at least 18 years old;
  • Not be prohibited by law, regulation, or treaty from participating in our Bug Bounty Program;
  • Not be a citizen or resident of a country or region that is subject to United Nations, Malaysian, U.S., or other sovereign countries’ sanctions or embargoes; and
  • Not be a current or former employee, contractor, or intern of Hata.

Exceptions with respect to a minor’s participation in our Bug Bounty Program may be considered on a case-by-case basis, at Hata’s sole discretion and in agreement with the applicable minor’s guardian(s).

Scope

The following systems are included in the scope of our Bug Bounty Program:

  • Our Hata mobile application (available via the Apple App Store or Google Play Store);
  • Our website (hata.io);
  • Our APIs (Application Programming Interfaces);
  • Core functionalities such as our Instant Buy/Sell, Exchange, wallet management, etc.; and
  • Security of user accounts (authentication and session management).

The following systems are expressly excluded from the Bug Bounty Program:

  • Our explore page (explore.hata.io);
  • Our support site (support.hata.io);
  • Any of Hata’s hosts, domains, or websites with demo, test, or dev in the URL; and
  • Other third-party hosted assets not specifically categorized as ‘In Scope’.

Reporting Vulnerabilities

To report a vulnerability, please complete this Google Form by following the steps specified in it and submit it once completed. When reporting a vulnerability, please follow these general guidelines:

  • Provide a clear and concise description of the vulnerability;
  • Include steps to reproduce the issue; and
  • Do not disclose the vulnerability publicly until it has been resolved.

If we determine that the reported vulnerability has been publicly disclosed prior to our verification of your submission and resolution of the vulnerability, you may not be eligible to receive the applicable rewards under the Bug Bounty Program.

Standard Program Rules

Please read the below carefully for specific rules that will apply if you participate in the Bug Bounty Program:

  • Testing should only be performed on the systems listed in Section 3 (Scope) above. Any other systems will be outside the scope of this Bug Bounty Program and will not be eligible for rewards.
  • Please use your own Hata account for testing purposes. Please ensure that you redact sensitive information such as private keys and user data.
  • Submissions must be exclusively made through the Google Form to be considered for a reward.
  • Communication regarding submissions must remain within the Google Form and/or official Hata support channels for the duration of the program.
  • Actions or tools that affect the integrity or performance of the target systems are prohibited. If you are using automated tools during your testing and notice performance degradation of the target systems, you must immediately stop using such tools.
  • Submissions should have an impact on the target systems’ security; this means the reported issue should affect our users, systems, security, or data in a meaningful way. Participants may be asked to defend the impact of their submissions in order to qualify for a reward. When determining the severity of a reported issue, please refer to Hata’s Security Vulnerability Classification set out in the Appendix at the bottom of these Bug Bounty Terms.
  • Submissions may be closed if participants are not responsive to further information requests after 14 days.
  • In the event that we invite you to conduct further testing or research on a particular vulnerability that you have identified, you must not disclose your invitation to anyone other than a Hata employee via official Hata communication channels.
  • Participants should not share the screenshots or videos of their proof-of-concept that were included in their submission. This includes uploading them to any publicly accessible website (e.g. YouTube, Imgur, Reddit, etc.). If your file exceeds 100MB, please upload the file to a secure online service such as Vimeo and enable password protection.

Excluded Submission Types

The following submission types are excluded because they are dangerous to access or because they have low security impact. The issues below will not be accepted, will be immediately marked as invalid, and are not rewardable:

  • Findings from physical testing (e.g. open doors, tailgating).
  • Findings derived from social engineering (e.g. phishing).
  • Findings from applications or systems that are out of scope.
  • Functional, UI and UX bugs and spelling mistakes.
  • Network level DoS/DDoS vulnerabilities.

The following submission types generally have low security impact on us and do not trigger a code change. Hence, these also do not qualify for a reward. We strongly suggest that you do not report these issues unless you can demonstrate a chained attack with a higher security impact:

  • Non-Critical API Issues: Low-impact API endpoints that do not expose sensitive data or allow unauthorised actions.
  • Rate Limiting Issues: Minor rate limiting issues that do not lead to significant resource exhaustion or denial of service.
  • Error Messages and HTTP Codes: Descriptive error messages, HTTP 404 pages, and other common HTTP codes.
  • Public Information: Banner disclosures on public services and known public files or directories.
  • Clickjacking & CSRF Issues: Clickjacking vulnerabilities, CSRF on forms for anonymous users and logout CSRF.
  • Security Features: Issues like weak captchas, username enumeration via login or password reset errors, and lack of secure cookie flags or HTTP security headers.
  • SSL Vulnerabilities: SSL attacks (like BEAST or BREACH), insecure cipher suites, and missing forward secrecy.
  • Minor UI/UX Flaws: Suggestions for improving user experience that do not relate to security, such as colour contrast or button placements.
  • Miscellaneous: Presence of browser autocomplete features, lack of security prompts when leaving our site, and methods like OPTIONS/TRACE being enabled.

Safe Harbour

Participants who follow these Bug Bounty Terms will not be subject to legal action for their testing activities within the scope defined in these Bug Bounty Terms. However, this safe harbour does not apply if you:

  • Engage in any malicious activity; or
  • Access or modify data that does not belong to you; or
  • Disrupt our services and systems.

Rewards

You will qualify for a reward if you were the first eligible person to alert us to a previously unknown issue AND the issue triggers a code or configuration change. The amount of the reward may vary based on the severity and impact of the reported issue. The following guidelines apply to the reward process:

  • Reward form. Rewards will be allocated in USDT.
  • Payment method. Rewards will be transferred directly to the participant's Hata account only.
  • Severity assessment. Rewards will be determined based on the severity of the vulnerability as assessed by us. Higher severity vulnerabilities will generally receive higher rewards.
  • Duplicate submissions. In the event that multiple participants report the same vulnerability, we reserve the right to determine which participant will receive the reward. This decision will be based on the quality and clarity of the report, the level of detail provided in reproducing the vulnerability, and any additional insights or recommendations included in the submission.
  • Reward amount. The specific reward amount for each vulnerability will be at our sole discretion. Factors influencing this decision may include the uniqueness of the report, its impact on security, and overall contribution to improving our systems.
  • Notification. Participants whose reports are selected for rewards will be notified via email.

Confidentiality

“Confidential Information” refers to any information labelled as confidential when shared, or that a reasonable person would see as confidential based on the situation. This includes things like customer data, personal information, financial details, information about our systems, discussions about mergers or sales, pricing details, business information, payments to participants, and the terms of private security programs. Confidential Information does not include information that:

  • the receiving party learns from another source without confidentiality obligations;
  • becomes public knowledge without a breach of these terms; or
  • is developed independently by the receiving party.

You agree to:

  • keep all Confidential Information secret and not share it with anyone else unless you have written permission from us;
  • protect this information with at least the same care you use for your own confidential information, but no less than reasonable care;
  • use the Confidential Information only for the purposes allowed by us; and
  • notify us if you discover any loss or unauthorised sharing of Confidential Information.

All participants’ submissions are considered as our Confidential Information unless stated otherwise. This means that you cannot disclose any submissions publicly unless you have our permission to do so.

Ownership

You hereby agree and warrant that you will disclose to us all testing results found or identified by you (“Testing Results”). You also give us the rights to your Testing Results. If there are any rights in your Testing Results that cannot be transferred to us, you agree to grant us a worldwide licence to use them however we want without compensation or credit to you. This means that we can make, sell, use, copy, and share your Testing Results and any changes that we make to them. You also agree to let us share your Testing Results publicly, which may include your user ID and other information we might need. We may ask for some personal information about you as well. By joining our Bug Bounty Program, you indicate your consent to the above.

Changes to Terms

We reserve the right to modify these Bug Bounty Terms at any time; any such changes will be notified to you via email.

Contact Information

For questions regarding the Bug Bounty Program, please contact us at support.hata.io.

Governing Law

These Bug Bounty Terms shall be governed and construed in accordance with the laws of Malaysia.

APPENDIX

Hata Security Vulnerability Classification

At Hata, security vulnerabilities are classified based on their potential impact on the organization, its operations, users, and reputation. This classification helps prioritize the remediation of vulnerabilities and allocate resources effectively. The following classification levels are used:

High (H)

Vulnerabilities classified as High have significant and immediate consequences for Hata’s systems and stakeholders. These include:

  • A critical system or service is non-functional or severely impaired.
  • One or more major departments are unable to operate.
  • A substantial number of employees or users are prevented from performing essential functions.
  • The issue affects a large portion of Hata’s customer base.
  • There is a high likelihood of significant financial loss or reputational damage to Hata.

Additional criteria may include risks such as public safety threats, potential loss of life, or major property damage, depending on the nature of the affected system.

Examples:

  • Unauthorized access to critical systems or funds.
  • Exploitable vulnerabilities in core trading or wallet systems.
  • Widespread data breaches exposing sensitive customer information.

Medium (M)

Medium-level vulnerabilities pose a moderate risk to Hata’s operations or users but do not result in critical system failures. These include:

  • Partial disruption to services, affecting some staff or customers.
  • Impacted services are important but not critical to business continuity.
  • Limited potential for financial loss or reputational harm.
  • No direct threats to life, public safety, or physical property.

Examples:

  • Vulnerabilities in non-core systems with limited user exposure.
  • Authentication issues that do not lead to immediate compromise.
  • Improper implementation of security headers.

Low (L)

Low-level vulnerabilities have minimal impact on Hata’s operations and users. These include:

  • Affected systems or services are non-critical.
  • Only a small number of users experience issues.
  • Little or no risk of financial loss or reputational damage.

Examples:

  • Minor UI bugs with no security implications.
  • Information disclosure vulnerabilities that require extensive effort to exploit.
  • Configuration issues in non-sensitive systems.

This classification framework allows Hata to prioritize the resolution of vulnerabilities effectively, ensuring the security and stability of its platform while maintaining trust with its users and stakeholders.