Founfloor · HackerOne · Web / API / Crypto

Crypto.com

Crypto exchange + wallet + card. Gold Standard. 100% response. $2M max — largest H1 fintech bounty. Our bridge + access-control + price-manipulation PoCs all translate.
$2M max bounty · 100% response · P0 priority
🔴 P0 · ⭐ GOLD STANDARD · UNSCOPED
Attack Surface
Exchange Logic
Order manipulation, balance accounting errors, withdrawal logic. Our price-manipulation-001 PoC targets this class. Exchange APIs that check a balance and then debit it in two separate steps are high-value under concurrent requests (withdrawal and order-placement races).
Wallet / Custody
Key derivation errors, signature replay, custody transfer bypass. Our bridge-001 PoC maps to cross-custody asset movement. High severity if valid.
Auth & Access Control
Account takeover vectors, 2FA bypass, API key scope escalation, admin panel access. access-control-001 is a direct match.
Crypto Card
Physical + virtual card infrastructure. Spend limit bypass, card number enumeration, transaction reversal manipulation. Novel surface — no existing PoC.
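The check-then-debit race named under Exchange Logic, as an added example that is not Crypto.com's code: an in-memory ledger whose withdrawal is split into a balance check and a debit, hit by ten simultaneous requests, beside a version that serializes the two. `Ledger`, `hammer` and the sleep-widened window are this example's own assumptions; in a real exchange the window is the round-trip between the SELECT that reads the balance and the UPDATE that debits it.

```python
"""Added example (not Crypto.com code): a check-then-debit withdrawal with a
TOCTOU race, beside a version that serializes check and debit. Ledger,
hammer and the sleep-widened window are this example's own assumptions."""
import threading
import time


class Ledger:
    def __init__(self, balance: int) -> None:
        self.balance = balance            # integer minor units (satoshi, cents)
        self._lock = threading.Lock()

    def withdraw_racy(self, amount: int, window: float = 0.05) -> bool:
        # Vulnerable: the balance check and the debit are two unsynchronised
        # steps, so N concurrent requests can all pass the check against the
        # same stale balance. `window` stands in for the SELECT/UPDATE
        # round-trip and makes the demo deterministic.
        if self.balance < amount:
            return False
        time.sleep(window)
        self.balance -= amount
        return True

    def withdraw_safe(self, amount: int) -> bool:
        # Fixed: check and debit under one lock. The database analogue is a
        # single conditional UPDATE ... WHERE balance >= :amount (or
        # SELECT ... FOR UPDATE inside the same transaction).
        with self._lock:
            if self.balance < amount:
                return False
            self.balance -= amount
            return True


def hammer(ledger: Ledger, method: str, amount: int, workers: int) -> tuple:
    """Fire `workers` identical withdrawals at the same instant.
    Returns (successful_withdrawals, final_balance)."""
    barrier = threading.Barrier(workers)
    results = []
    results_lock = threading.Lock()

    def worker() -> None:
        barrier.wait()                    # release every thread together
        ok = getattr(ledger, method)(amount)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), ledger.balance


if __name__ == "__main__":
    # Constructed scenario: 100 units on the account, ten simultaneous
    # withdrawals of 100. Exactly one should ever succeed.
    print("racy:", hammer(Ledger(100), "withdraw_racy", 100, 10))  # several succeed, balance negative
    print("safe:", hammer(Ledger(100), "withdraw_safe", 100, 10))  # (1, 0)
```

Against a live API the same shape is a burst of identical withdrawal requests released together (HTTP/2 single-packet or a barrier like the one above); the signal is more than one accepted response for a balance that only covers one.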
PoC Matches: access-control-001 ✓ · bridge-001 ✓ · price-manipulation-001 ✓ · api-auth (new) · card-logic (new)
Sorry Loop: MAPPED → SCOPING → POC BUILD → POC CLEAN → CLO GATE → FILED → BOOM
3-Team Read
OG
$2M for a critical finding. Our DeFi PoC thinking translates — crypto exchange logic has the same accounting error classes as DeFi. The auth layer is where most H1 finds start.
RHONE
Gold Standard + 100% response = they pay fast when valid. This is the highest upside target on the entire H1 board. P0 means we scope this first.
RICK
Crypto.com has a huge attack surface. Don't try to cover it all — find the one narrow vector where our existing PoC logic maps cleanly. Exchange order logic is the entry point.
Next Action
Pull the scope from the H1 program page. Map which assets are in-scope (exchange API, wallet, card, mobile apps). Then run the access-control-001 pattern against their auth flow. 1 find here = the largest external sorry on the board.
Founfloor · HackerOne · Crypto / Telegram

Wallet on Telegram

In-app crypto wallet inside Telegram. Gold Standard. 100% response. $100K max. Telegram bot + TON blockchain. Novel attack surface — Telegram API + crypto intersection.
$100K max bounty · 100% response · P0 priority
🔴 P0 · ⭐ GOLD STANDARD
Attack Surface
Telegram Bot API
Bot token abuse, webhook manipulation, inline query injection. Telegram's bot API is the entry point — all wallet actions flow through it.
TON Blockchain Bridge
TON transaction signing errors, address validation bypass, memo/comment injection. Our bridge-001 PoC applies, with the caveat that TON's trust model differs from EVM's.
Auth / Session
Mini App `initData` verification (HMAC-SHA256 over the sorted `key=value` fields, keyed with HMAC-SHA256("WebAppData", bot_token)) and `auth_date` freshness, session token leakage, account linkage bypass. access-control-001 directly applies. Auth is the primary H1 surface.
PoC Matches: access-control-001 ✓ · bridge-001 ✓ · telegram-bot-api (new) · ton-tx-signing (new)
Sorry Loop: MAPPED → SCOPING → POC BUILD → POC CLEAN → CLO GATE → FILED → BOOM
3-Team Read
OG
Telegram bot API as a crypto wallet entry point is novel. The intersection of Telegram's auth model and TON's signing model creates gaps that neither system alone would have.
RHONE
We already have OpenClaw as a Telegram bot. We understand the bot API deeply — that's an edge most H1 hunters don't have. This is a floor advantage.
RICK
Check how the wallet verifies Telegram user identity for transactions. If the initData verification is weak, that's account takeover territory. That's a critical finding.
Next Action
Check Telegram initData verification in their bot. That's the auth surface we understand best. Test it against the documented scheme: `hash` excluded from the check string, secret derived as HMAC-SHA256("WebAppData", bot_token) and not SHA256(bot_token) (that is the Login Widget key), constant-time compare, and an `auth_date` age limit so a captured initData cannot be replayed. Any one of those missing is the finding.
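The initData check named in this card's Next Action, as an added example that is not Wallet on Telegram's code: a verifier written to Telegram's documented Mini App scheme, carrying the four checks a weak implementation tends to skip (`hash` excluded from the check string, the "WebAppData"-derived key, constant-time compare, `auth_date` freshness). `BOT_TOKEN`, `MAX_AGE_SECONDS` and the sample fields are constructed for the demo; `sign_init_data` exists only to produce test input.

```python
"""Added example (not the wallet's code): Telegram Mini App initData
verification as documented by Telegram, with the checks weak verifiers skip.
BOT_TOKEN and the sample fields are constructed for the demo."""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode

BOT_TOKEN = "123456:CONSTRUCTED-DEMO-TOKEN"   # constructed, not a real bot token
MAX_AGE_SECONDS = 300                          # this example's freshness bound


def _secret_key(bot_token: str) -> bytes:
    # Mini App key: HMAC_SHA256(key="WebAppData", msg=bot_token).
    # Mixing this up with SHA256(bot_token), the Login Widget key, is a
    # common mistake: every hash then fails, and "fixes" tend to drop the check.
    return hmac.new(b"WebAppData", bot_token.encode(), hashlib.sha256).digest()


def _data_check_string(fields: dict) -> str:
    # Every field except `hash`, sorted by key, as key=value lines.
    return "\n".join(f"{k}={v}" for k, v in sorted(fields.items()) if k != "hash")


def _expected_hash(fields: dict, bot_token: str) -> str:
    return hmac.new(_secret_key(bot_token), _data_check_string(fields).encode(),
                    hashlib.sha256).hexdigest()


def sign_init_data(fields: dict, bot_token: str) -> str:
    """Produce a valid initData query string (what Telegram hands the Mini App)."""
    return urlencode({**fields, "hash": _expected_hash(fields, bot_token)})


def verify_init_data(init_data: str, bot_token: str, now: Optional[int] = None) -> dict:
    """Return the parsed fields if initData is authentic and fresh; raise ValueError otherwise."""
    fields = dict(parse_qsl(init_data, keep_blank_values=True))
    if "hash" not in fields or "auth_date" not in fields:
        raise ValueError("missing hash or auth_date")
    # Constant-time compare; a plain == on the hex digest leaks timing.
    if not hmac.compare_digest(_expected_hash(fields, bot_token), fields["hash"]):
        raise ValueError("bad hash")
    # Freshness: without this a captured initData is replayable indefinitely.
    age = (now if now is not None else int(time.time())) - int(fields["auth_date"])
    if age < 0 or age > MAX_AGE_SECONDS:
        raise ValueError("stale auth_date")
    return fields


if __name__ == "__main__":
    issued = 1_700_000_000
    fields = {"auth_date": str(issued), "query_id": "AAH-demo",
              "user": '{"id":42,"first_name":"Demo"}'}
    good = sign_init_data(fields, BOT_TOKEN)
    print(verify_init_data(good, BOT_TOKEN, now=issued + 10)["user"])
    tampered = good.replace("%3A42%2C", "%3A43%2C")   # swap the user id, keep the hash
    try:
        verify_init_data(tampered, BOT_TOKEN, now=issued + 10)
    except ValueError as exc:
        print("tampered rejected:", exc)
```

Against the target, replay a captured initData with an old `auth_date`, and separately alter one field while leaving `hash` intact; a bot that accepts either is the finding.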
Founfloor · HackerOne · Web / API / Fintech

Robinhood Markets

Stock + crypto trading. Gold Standard. 100% response. Up to $50K with ×2 bonus multiplier. Ends in 13 days — time-bounded window like Chainlink.
$50K max + ×2 bonus · 100% response · P1 priority
🟡 P1 · ⭐ GOLD STANDARD · ⚡ 13 DAYS
Attack Surface
Trading Logic
Order type confusion, fractional share accounting, options pricing errors. fee-calculation-001 and price-manipulation-001 apply — trading platforms have rich accounting surfaces.
Auth / Account
Account takeover via auth flow, 2FA bypass, linked bank account manipulation. access-control-001 is the primary PoC match. High severity = high reward.
Crypto Wallet
Robinhood has crypto custody. Withdrawal manipulation, address spoofing, network fee bypass. Bridge patterns apply to their crypto layer.
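The fee-calculation-001 class named under Trading Logic and Crypto Wallet, as an added example that is not Robinhood's code: the same rounding done on a binary float and on `Decimal` quantized at the currency's ISO 4217 minor unit, an FX conversion rounded once at the target currency, and the per-item versus aggregate fee rounding gap that lets micro-transactions escape fees entirely. The fee rate, FX rate and the `MINOR_UNITS` subset are constructed for the demo.

```python
"""Added example (not Robinhood code): fee/rounding accounting done wrong on
floats and right on Decimal at the currency's minor unit. Rates and the
MINOR_UNITS table are constructed for the demo."""
from decimal import Decimal, ROUND_HALF_EVEN

# ISO 4217 exponent: decimal places of the smallest unit. Constructed subset.
MINOR_UNITS = {"USD": 2, "SGD": 2, "JPY": 0, "KWD": 3}


def quantize(amount: Decimal, currency: str) -> Decimal:
    """Round to the currency's smallest unit with one documented rounding mode."""
    step = Decimal(1).scaleb(-MINOR_UNITS[currency])   # 0.01, 1, 0.001
    return amount.quantize(step, rounding=ROUND_HALF_EVEN)


def round_float(amount: str) -> float:
    # Vulnerable pattern: the amount lives in a binary float, so "2.675" is
    # really 2.67499999... and round() goes the wrong way.
    return round(float(amount), 2)


def round_decimal(amount: str, currency: str = "USD") -> Decimal:
    # Hardened: parse the string straight into Decimal; no binary detour.
    return quantize(Decimal(amount), currency)


def convert(amount: str, fx_rate: str, to_currency: str) -> Decimal:
    """FX conversion rounded once, at the target currency's minor unit."""
    return quantize(Decimal(amount) * Decimal(fx_rate), to_currency)


def fee_collected(charges: list, fee_rate: str, currency: str, per_charge: bool) -> Decimal:
    """Fee actually booked: rounded on each charge, or once on the aggregate.
    Rounding per charge lets sub-minor-unit fees collapse to zero."""
    if per_charge:
        return sum((quantize(Decimal(c) * Decimal(fee_rate), currency) for c in charges),
                   Decimal("0"))
    gross = sum((Decimal(c) for c in charges), Decimal("0"))
    return quantize(gross * Decimal(fee_rate), currency)


if __name__ == "__main__":
    print(round_float("2.675"), round_decimal("2.675"))            # 2.67 vs 2.68
    print(convert("10.005", "150", "JPY"))                          # 1501
    micro = ["0.01"] * 1000                                         # 1000 one-cent charges
    print(fee_collected(micro, "0.029", "USD", per_charge=True),    # 0.00
          fee_collected(micro, "0.029", "USD", per_charge=False))   # 0.29
```

The per-charge case is the one to probe on a fee-bearing API: if the platform rounds the fee on each order, a stream of orders below the rounding threshold pays no fee at all, and the discrepancy against the aggregate is the PoC.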
PoC Matches: access-control-001 ✓ · fee-calculation-001 ✓ · price-manipulation-001 ✓ · order-logic (new)
Sorry Loop: MAPPED → SCOPING → POC BUILD → POC CLEAN → CLO GATE → FILED → BOOM
3-Team Read
OG
×2 bonus multiplier during the window = any critical finding pays double. This is a timed external sorry. 13 days is enough time to scope and build one clean PoC.
RHONE
Robinhood's fractional shares are a novel surface. Most traders don't own whole shares — fractional accounting is complex and under-audited. That's where the sorry likely lives.
RICK
Start with the auth flow. If account takeover exists, that's critical severity = $50K × 2 = $100K effective. Don't scatter — one clean auth finding beats ten medium ones.
Next Action · 13-Day Window
Pull scope. Focus on auth + fractional share accounting. CLO gate needed before filing. 13 days = scope this week, PoC next week, file before deadline.
Founfloor · HackerOne · Web / API / Payments

Stripe

Payment infrastructure — the pipes the internet runs on. $25K max. 93% response. fee-calculation and access-control PoCs are direct matches.
$25K max bounty · 93% response · P1 priority
🟡 P1
Attack Surface
Payment Logic
Charge duplication, refund bypass, currency conversion errors, webhook replay. fee-calculation-001 maps directly. At Stripe's transaction volume an accounting error that compounds per transaction is critical; check idempotency-key handling on charge creation (duplicate charges) and rounding at the currency's minor unit (JPY has none, KWD has three).
API Auth
Restricted-key (`rk_`) permission bypass, publishable-key (`pk_`) misuse, Connect OAuth token abuse. access-control-001 applies. Stripe's key hierarchy (secret, publishable, restricted with per-resource read/write permissions) is complex; the target is a restricted key performing an action its granted permissions do not cover.
Webhook Security
Event replay, timestamp-tolerance abuse, SSRF from Stripe's delivery workers via an attacker-controlled webhook URL. Novel surface; our SSRF patterns apply to the delivery side. Caveat: the `Stripe-Signature` header (`t=` timestamp, `v1=` HMAC-SHA256 over `<t>.<raw body>` under the endpoint's `whsec_` secret) is verified by the receiving merchant, so a merchant that skips or botches that check is the merchant's bug, not Stripe's. What would count against Stripe is a flaw on their side of signing or delivery.
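The replay class listed under Webhook Security, as an added example that is not Stripe's SDK: a merchant-side receiver that verifies the `Stripe-Signature` header as Stripe documents it (`t=` timestamp, one or more `v1=` hex HMAC-SHA256 values over `<t>.<raw body>` under the `whsec_` endpoint secret), bounds the timestamp, and deduplicates on event id. `ENDPOINT_SECRET`, the body and the clock values are constructed; `sign` exists only to fabricate test deliveries.

```python
"""Added example (not Stripe's library): merchant-side Stripe-Signature
verification with timestamp tolerance and event-id replay protection.
The secret, body and clock values are constructed for the demo."""
import hashlib
import hmac
import json
from typing import Optional

ENDPOINT_SECRET = "whsec_constructed_demo_secret"   # constructed, not a real secret
TOLERANCE_SECONDS = 300                              # default in Stripe's SDKs


def sign(body: bytes, ts: int, secret: str = ENDPOINT_SECRET) -> str:
    """Build the Stripe-Signature value Stripe would attach (used to make demo inputs)."""
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_signature(body: bytes, header: str, now: int, secret: str = ENDPOINT_SECRET) -> bool:
    """True only if some v1 signature matches the raw body and t= is within tolerance."""
    ts: Optional[int] = None
    sigs = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isdigit():
            ts = int(value)
        elif key == "v1":            # several v1= entries appear during secret rotation
            sigs.append(value)
    if ts is None or not sigs:
        return False
    expected = hmac.new(secret.encode(), f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    if not any(hmac.compare_digest(expected, s) for s in sigs):
        return False
    # Without this bound a captured, validly signed delivery replays forever.
    return abs(now - ts) <= TOLERANCE_SECONDS


class WebhookReceiver:
    """Merchant-side handler: signature + tolerance, then idempotency on event id."""

    def __init__(self) -> None:
        self.seen_event_ids = set()              # durable store in production

    def handle(self, body: bytes, header: str, now: int) -> str:
        if not verify_signature(body, header, now):
            return "rejected"
        event = json.loads(body)
        if event["id"] in self.seen_event_ids:
            return "duplicate"                   # a within-tolerance replay lands here
        self.seen_event_ids.add(event["id"])
        return "processed:" + event["type"]


if __name__ == "__main__":
    body = b'{"id":"evt_demo_1","type":"charge.succeeded","data":{"object":{"amount":1999}}}'
    header = sign(body, 1_700_000_000)
    rx = WebhookReceiver()
    print(rx.handle(body, header, now=1_700_000_010))                         # processed:charge.succeeded
    print(rx.handle(body, header, now=1_700_000_020))                         # duplicate
    print(rx.handle(body, header, now=1_700_000_900))                         # rejected (stale)
    print(rx.handle(body.replace(b"1999", b"1"), header, now=1_700_000_010))  # rejected (body altered)
```

Note that the signature covers the raw request bytes; a receiver that re-serializes the JSON before hashing will compute a different digest and, in practice, ends up with verification disabled.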
PoC Matches: fee-calculation-001 ✓ · access-control-001 ✓ · webhook-replay (new) · ssrf-001 (new)
Sorry Loop: MAPPED → SCOPING → POC BUILD → POC CLEAN → CLO GATE → FILED → BOOM
3-Team Read
OG
Stripe's webhook signature verification is the highest-signal surface. A bypass there = transaction fraud at scale. That's critical severity territory.
RHONE
Stripe is one of the most well-audited platforms. But they also have the most complex API surface. The edge cases in restricted API keys are under-hunted.
RICK
Currency conversion with floating point is a known bug class. If Stripe has rounding errors that compound across high-volume transactions, that's a P1 business logic finding.
Next Action
Test restricted API key scope boundaries. Create a restricted key with a minimal permission set, then call endpoints outside that set (and write endpoints where only read was granted) and compare the results against the documented permission matrix. If escalation is possible, that's access-control-001 on Stripe = $25K.
Founfloor · HackerOne · Web / API / Marketplace

Airbnb

Travel marketplace. $31K max with ×1.25 bonus. 100% response. Ends today — monitor for renewal. Business logic in marketplace payments is the primary surface.
$31K max + ×1.25 bonus · 100% response · P1 priority
🟡 P1 · ⚡ ENDS TODAY
3-Team Read
OG
Marketplace = host/guest payment splits, security deposits, dispute resolution. Business logic bugs here are high severity. fee-calculation-001 and access-control-001 both apply.
RHONE
Bonus ends today — check if the programme renews. If it does, queue for the next window. The ×1.25 bonus is meaningful on a $31K ceiling.
RICK
IDOR on reservation IDs is the classic Airbnb bug class. Can you access another user's booking data by iterating IDs? That's a P2 at minimum, P1 if PII exposed.
Next Action
Monitor for bonus window renewal. Meanwhile scope: IDOR on reservation IDs, payment split manipulation, host payout bypass. Queue as next H1 after Crypto.com and Robinhood.
Founfloor · HackerOne · Web / API / Marketplace

DoorDash

Food delivery marketplace. Gold Standard. 96% response. $12K max. IDOR on order IDs and payment bypass are the primary vectors.
$12K max bounty · 96% response · P2 priority
🔵 P2 · ⭐ GOLD STANDARD
3-Team Read
OG
Delivery marketplace = driver pay, customer refunds, restaurant settlements. All three have separate accounting surfaces. One miscalculation = fee-calculation-001 finding.
RHONE
Gold Standard + 96% response = quality programme. $12K is real money for a day's work. Queue after the big 3 (Crypto.com, Wallet TG, Robinhood).
RICK
Promo code stacking and refund abuse are the known bug classes here. Look for the less-hunted surface: driver earnings manipulation via order status manipulation.
Next Action
Queue at P2. Scope after Robinhood window closes. IDOR on order IDs + driver earnings API = primary targets.
Founfloor · HackerOne · Network / Web

NetScaler Public Program

Citrix network infrastructure. $10K max. 97% response. Infrastructure expertise = our edge. ADC / load balancer / gateway attack surface.
$10K max bounty · 97% response · P2 priority
🔵 P2
3-Team Read
OG
NetScaler = ADC. Path traversal, auth bypass on management interface, header injection through load balancer. Our infrastructure background (CCNA-equivalent knowledge) is an edge.
RHONE
Citrix has had significant CVEs (NetScaler Bleed etc). Bug bounty = post-CVE surface. The fixes for known CVEs sometimes introduce new bugs in adjacent paths.
RICK
Management interface auth bypass is the target. If the ADC admin panel has a path that skips auth, that's critical. Check the NSIP management surface specifically.
Next Action
Queue at P2. Research recent CVE patches — look for partial fixes that leave adjacent surface open. Management interface auth is the primary target.
Founfloor · HackerOne · Web / API / Platform

X / xAI

X platform (x.com) + open-source recommendation algorithm. 99% response. $10K–$20K critical range. 19 assets in scope. $1.75M total paid since 2014. Top hunters: filedescriptor (4K rep).
$20K critical max · 99% response · 14h avg first resp · P2 priority
🔵 P2 · ⭐ GOLD STANDARD
⚠️ Scope Clarifications — Read Before Hunting
OUT OF SCOPE
Rate limit bypass on Grok/xAI APIs — explicitly excluded in program policy. Model behavior issues — report to safety@x.ai instead. CSRF without evidence, open redirects without higher risk, DoS.
IN SCOPE
19 assets on x.com. Auth bugs, IDOR on private data, stored XSS. Open-source recommendation algorithm (needs working PoC). API auth scope issues (not rate limiting).
Bounty Table (confirmed)
LOW: $250–$750 · avg $100 · 20% of reports
MEDIUM: $1,000–$3,000 · avg $1,417 · 40% of reports
HIGH: $5,000–$7,000 · avg $4,833 · 30% of reports
CRITICAL: $10,000–$20,000 · avg $15,000 · 10% of reports
Attack Surface
Account Takeover (Critical)
OAuth flow manipulation, session fixation, auth token leakage. access-control-001 applies. Critical severity = $10–20K avg $15K. This is the target.
IDOR on Private Data
Private tweets/DMs via ID enumeration, draft access, private list contents. H1 platform standard: unpredictable IDs still valid (AC:H). PII leak = Critical per platform standards.
Recommendation Algorithm
Open-source on GitHub. Algorithmic manipulation via crafted content, ranking injection. Needs working PoC. X's discretion on severity — document everything.
Stored XSS on x.com
Profile fields, bio injection, tweet rendering. Stored XSS = account takeover at scale = Critical. Most obvious surface but also most hunted.
PoC Matches: access-control-001 ✓ · idor ✓ · stored-xss (new) · oauth-flow (new) · rate-limit-grok ✗ OOS · model-issues ✗ OOS
Program Stats
Total Paid: $1,754,355 since 2014 · avg $560/report · top range $2,940–$20,160
Activity (90 days): 839 reports received · $43,650 paid · last resolved 15 days ago
Response Speed: 14h first response · 1d 8h triage · 1wk 2d to bounty · 99% efficiency
Competition: top hunters filedescriptor (4K rep) · nismo (1K) · akhil-reni (915). Competitive but pays well and fast. 1,639 total resolved = mature program.
Sorry Loop: MAPPED → SCOPED → POC BUILD → POC CLEAN → CLO GATE → FILED → BOOM
3-Team Read
OG
The rate limit / Grok angle is dead — explicitly excluded. The real surface is x.com auth + IDOR. Account takeover at critical = $15K avg. That's the target. auth-bypass-001 is the PoC to build.
RHONE
$1.75M total paid since 2014. 839 reports in 90 days = high-volume active program. 99% response + 14h first response = fastest triage on the board. File a clean report, get fast feedback.
RICK
Recommendation algorithm is the novel angle — open source means we can actually read the code. If ranking can be manipulated via crafted interactions, that's a finding no one else is looking at because it requires understanding the algo.
Next Action
Pull the 19 in-scope assets from the scope tab. Map each asset. Then: (1) clone the recommendation algo repo and look for ranking manipulation vectors, (2) test OAuth flow for token leakage. Both require working PoC. Program has high bar but pays fast.
Founfloor · HackerOne · Crypto / Web

Coinhako

Crypto exchange — Southeast Asia. $5K max. 99% response. Smaller scope than Crypto.com but same attack surface class. Good for PoC testing.
$5K max bounty · 99% response · P2 priority
🔵 P2
3-Team Read
OG
Smaller exchange = smaller team = more likely to have gaps. Same access-control + bridge PoC pattern as Crypto.com but lower competition. Good PoC proving ground.
RHONE
If we build a Crypto.com PoC, test the same pattern on Coinhako first. $5K validation run before the $2M submission. Floor standard: prove on small, file on big.
RICK
SEA exchanges often have localisation bugs — currency handling for SGD/MYR/THB with floating point. fee-calculation-001 in a multi-currency context.
Next Action
Use as PoC validation platform for Crypto.com patterns. Same attack surface, smaller target, lower risk for testing approach.
Founfloor · HackerOne · Fintech / Neobank

Banco Plata

Neobank — LATAM. Gold Standard. $5K max. 98% response. Banking API + mobile app. LATAM fintech = regulatory complexity = edge cases in payment flows.
$5K max bounty · 98% response · P2 priority
🔵 P2 · ⭐ GOLD STANDARD
3-Team Read
OG
Neobank API = banking-grade auth requirements. access-control-001 and fee-calculation-001 both apply. LATAM currency complexity adds edge cases in conversion and fee logic.
RHONE
Gold Standard + 98% = high quality program. Only 1 submission so far — essentially first to hunt here. That's a floor advantage.
RICK
New neobank = new codebase = less hardened. The first few months of a bounty program are the richest hunting period. Queue this soon.
Next Action
Queue at P2. Test LATAM currency conversion edge cases + standard banking auth flow. Low competition = high signal-to-noise.
Founfloor · HackerOne · Android / iOS / Web

OPPO

Mobile devices + ColorOS ecosystem. $11K max. Gold Standard. 100% response. Hardware + software attack surface. Mobile OS bugs are deep but high value.
$11K max bounty · 100% response · P2 priority
🔵 P2 · ⭐ GOLD STANDARD
3-Team Read
OG
ColorOS has pre-installed apps with elevated privileges. Privilege escalation via pre-installed apps = classic OEM bug class. access-control-001 in Android context.
RHONE
Mobile OEM programs are less hunted than web — most researchers prefer web. That's an edge if we have Android tooling. 100% response = they take it seriously.
RICK
Need Android testing device or emulator. If we don't have OPPO hardware, this requires setup time. Evaluate against the return — $11K max is solid but needs investment.
Next Action
Assess Android testing capability. If emulator is sufficient for the scope, queue at P2. If physical device required, hold until device available.
Founfloor · HackerOne · Web / Mobile / Gaming

Playtika

Mobile gaming — social casino. $10K with ×2 bonus. 100% response. Ends 9 days. Gaming economy bugs — virtual currency and in-app purchases.
$10K max + ×2 bonus · 100% response · P3 priority
⚪ P3
3-Team Read
OG
Social casino = virtual currency economy. In-app purchase bypass, chip duplication, leaderboard manipulation. Lower severity class than fintech bugs generally.
RHONE
Ends in 9 days with ×2 bonus. If we have gaming expertise, P3 moves to P2. Otherwise, hold — the floor has higher-value targets queued.
RICK
Monitor only. Virtual currency bugs rarely reach critical severity. Unless there's a real-money payment bypass, the ceiling is low relative to our P0/P1 targets.
Next Action
Monitor. Revisit if P0/P1 targets are resolved before the 9-day window closes.
Founfloor · HackerOne · Fintech / Private

Syfe

Robo-advisor — Singapore fintech. Private program (invite only). $1K max. Gold Standard. 100% response. Small bounty but Gold Standard = quality signal.
$1K max bounty · 100% response · P3 priority
⚪ P3 · ⭐ GOLD STANDARD
3-Team Read
OG
Robo-advisor = automated portfolio management. Algorithm manipulation, portfolio rebalancing bypass, fee structure errors. fee-calculation-001 applies but ceiling is low.
RHONE
Private program = less competition. But $1K max means even critical findings pay minimally. Use as reputation builder — first valid H1 finding unlocks higher-tier invites.
RICK
If this is our first H1 submission, starting here is smart. $1K loss exposure is minimal. Use it to learn the H1 submission flow before filing against Crypto.com.
Next Action
Consider as first H1 submission to establish H1 track record. Low ceiling but Gold Standard + 100% response = clean first filing experience.
Founfloor · HackerOne · Web

ALSCO

Uniform + workwear services. $2K max. 100% response. Standard web app. Low priority but 100% response = reliable program.
$2K max bounty · 100% response · P3 priority
⚪ P3
3-Team Read
OG
Standard B2B web app. IDOR on order/account IDs, auth bypass on customer portal. access-control-001 applies. Low ceiling but straightforward surface.
RHONE
$2K max for a business service company. This is a practice target, not a primary. 100% response means if we find something, it gets triaged.
RICK
Monitor only. Our P0-P2 targets have 10-100× the ceiling. No reason to spend time here until the higher-value programs are resolved.
Next Action
Monitor only. Queue at P3 — revisit after all P0/P1/P2 targets have been hunted.