Report a bug
Found something broken? We welcome the security and developer community to help us build a safer platform. Valid reports are rewarded.
You are welcome here
RutoWallet actively encourages the security and developer community to test our platform and APIs. Responsible disclosure helps us protect every user. Valid findings are rewarded.
What we welcome
Authentication flaws
Bypasses, token leaks, session fixation, or any weakness in our login and 2FA flows.
API vulnerabilities
Broken access control, rate limiting issues, injection flaws, or unintended data exposure in our APIs.
Authorization issues
Privilege escalation, IDOR, or any scenario where a user can access or modify another user's data.
Logic bugs
Business logic flaws that could allow manipulation of balances, transactions, or account states.
Data exposure
Sensitive user data, internal endpoints, or configuration details that should not be publicly accessible.
Frontend vulnerabilities
XSS, CSRF, clickjacking, or any client-side issue that could be exploited against our users.
Testing rules
We encourage open testing, but within clear boundaries. Please read these rules before you begin.
- ✓You may test on your own account and your own data only.
- ✓You may probe our public APIs and endpoints using your own credentials.
- ✓You may report theoretical vulnerabilities with a clear proof of concept.
- ✕Do not test on other users' accounts without their explicit consent.
- ✕Do not access, modify, or exfiltrate data belonging to other users.
- ✕Do not perform any action that could harm, delay, or disrupt another user's funds or access.
- ✕Do not attempt denial-of-service attacks or automated mass scanning.
Testing on other users' accounts or causing any harm to another user's funds is a serious violation and will result in immediate legal action, regardless of intent.
How to submit a report
Reproduce and document the issue
Confirm the bug is reproducible. Document the steps to reproduce, the expected behavior, and the actual behavior. Include screenshots, request/response logs, or a proof of concept where possible.
Send your report to our security team
Email your full report to our security team. Include your RutoWallet username if you have an account, the severity you believe the issue to be, and all supporting evidence.
security@rutowallet.comWe review and validate
Our team will review your submission, attempt to reproduce the issue, and assess its severity. We will follow up with you directly if we need more information.
Reward and recognition
Valid findings are rewarded based on severity and impact. Confirmed reporters are recognized in our Hall of Fame. We appreciate every responsible disclosure.
Hall of Fame
We publicly recognize researchers and community members who have helped make RutoWallet safer. Bug bounty hunters, responsible disclosers, and good deed actors all have a place in our Hall of Fame.
View Hall of Fame