Bug Bounty Program

NYYU Bug Bounty Program on Bugcrowd

Help us make NYYU more secure and earn rewards. Report security vulnerabilities through our Bugcrowd program.

Security First

Help us maintain the highest security standards. All reports are reviewed by our security team.

Reward Structure

  • 🔴 Extreme ($10,000): Critical vulnerabilities affecting platform integrity
  • 🟠 Critical ($3-5K): High-impact security issues
  • 🟡 High ($1-2K): Significant vulnerabilities
  • 🟢 Medium ($200-400): Moderate security concerns
  • 🔵 Low ($50-100): Minor issues and improvements

All accepted reports are paid in USDT. The threat level is determined by NYYU security staff.

Scope

In-Scope Targets

  • 🌐 *.nyyu.io (Web): All NYYU web properties
  • 📱 NYYU Mobile App (Android & iOS): Official mobile applications

Out-of-Scope Targets

  • cert.nyyu.io
  • Zendesk
  • SandBox
  • NYYU store
  • API docs
  • intro.nyyu.io
  • passport.nyyu.io
  • sandbox-*.nyyu.io

Priority Vulnerabilities

🌐 Web Module
  • Business logic issues affecting user assets
  • Payment manipulation vulnerabilities
  • Remote code execution (RCE)
  • Sensitive information leakage
  • Critical OWASP issues (XSS, CSRF, SQLi, SSRF, IDOR)

📱 Mobile Module
  • Functions accessing unsafe external links
  • JsBridge/JavascriptInterface vulnerabilities
  • Vulnerabilities causing potential user loss

Severity Levels

P0: Extreme - $10,000

Vulnerabilities affecting critical assets: access to hot/cold wallet assets, funds, or private keys.

P1: Critical - $3,000-5,000

Vulnerabilities compromising user or business funds, including direct system access or core business compromise.

P2: High - $1,000-2,000

Similar impact to P1 but with preconditions: unauthorized access, serious SQL injections, high-risk data leaks.

P3: Medium - $200-400

Issues affecting certain users, resulting in access and modification of user information.

P4: Low - $50-100

SMS spam, leakage of non-sensitive information, and minor security concerns.

Important Rules

  • No penetration testing that damages the platform or affects normal operations
  • No database modification or data destruction
  • No automated scanning tools
  • No testing on accounts other than your own
  • NYYU reserves the right to final interpretation

🛡️ Help Us Stay Secure

Submit your findings through Bugcrowd when the program status changes to public.
