Scope
The Request Finance bug bounty program currently targets security issues in the following scopes:
https://www.requestfinance.com
Request Finance mobile app
Domains themselves
It includes all the features that are live or in beta.
Reports rules (minimum bar for consideration)
Target + entry point
Exact and every steps to reproduce:
Reproduction steps are mandatory, must mimic a clear attacker/victim scenario and must be specific to our application or website.
Include as much detail as necessary without overflowing the report.
Show your work. Document your testing environment.
Provide multiple reproduction paths.
Working PoC (script / request / payload, read / write / execute / take over rights)
Screens and/or logs
Security impact specific to Request Finance implementation
If related to a CWE or CVE, provide its reference.
What will not be read nor paid:
If we can’t run immediately and reproduce in <10 minutes → it’s not ready yet.
❌ Scanner output (Burp/Nuclei/etc.) without exploitation.
❌ Generic vulnerability templates, “OWASP classification”, “Best practice” issues without exploit path.
❌ Any flaw or vulnerability that cannot get executed on existing hardware.
❌ Improvements based on taking control of a user session are not valid.
We care about what actually breaks in our system. If you can’t trigger it, it doesn’t exist.
AI /automation specific rules
You can use AI or not, we don’t care, but we’re not a training ground for AI tools.
You must validate everything manually
You must explain it in your own words: as a hunter, it is your responsibility to invest a few extra minutes into making your message digestible. The maintainers review submissions constantly, and clear writing reduces their daily burden and friction.
Only real endpoints, CVEs, payloads. Hallucination → trash, farming / automation abuse -> permanent ban.
Accounts that submit ≥10 invalid reports will be required to complete identity verification, confirming the account is owned and operated by an individual hacker before further submissions are permitted + may receive a 30-day suspension.
Accounts identified as engaging in submission farming will be permanently banned. Reinstatement will only be considered through a formal appeal process and will require identity verification, confirming the account is operated by an individual.
Rewards
First submission of an issue is the only one eligible for reward
Don’t disclose before the vulnerability has been formally made public.
The Request core development team, employees, and all other people paid by Request Finance or the Request Network Foundation, directly or indirectly, are not eligible for rewards. This includes former contractors for a time period a 1-year after the contractual relationship ended.
The Request bounty program considers a number of variables in determining eligibility, score, and all terms related to rewards.
They are at the sole and final discretion of the Request Finance bug bounty panel.
We take into account the efforts put to find and report the vulnerability, including efforts put at giving proofs and solutions.
Based on proved impact:
The value of rewards paid out will vary depending on severity. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood:
Reward sizes are guided by the rules below, but are ultimately determined at the sole discretion of the Request Foundation bug bounty panel. We also take into account the efforts put to find and report the vulnerability, including efforts put at giving proofs and solutions.
Critical: up to 20 000 €
High: up to 15 000 €
Medium: up to 10 000 €
Low: up to 2 000 €
Note: up to 500 €
Bounties may be paid in ETH or REQ.
Submission pipeline
By e-mail: [email protected].
Reports go through multiple automatic filters and only then human reviews.
The bug bounty program has no end date until communicated otherwise.

