Last Updated: February 2026
Bug Bounty Program
If you're a security researcher or believe you've found a vulnerability in one of our products, the Bug Bounty Program at Forex Factory allows you to submit vulnerability reports directly to us and receive a reward.
We believe responsible disclosure should be compensated fairly and encourage the security researcher community to hunt for, find, and report issues.
Scope
Reports can be submitted for endpoints that exist under the following domains:
- *.forexfactory.com
- *.cryptocraft.com
- *.energyexch.com
- *.metalsmine.com
The following aren't considered vulnerabilities and shouldn't be reported:
- Denial of service (i.e. overwhelming services with a high volume of requests)
- TLS configuration
- Email security configuration (e.g. SPF or DMARC)
- Host header injection
- Cookie security policies (e.g. Secure/HttpOnly flags)
- Weak password policy
- Session security / management policies (e.g. multiple sessions allowed)
- Email enumeration / brute-force attacks
- Lack of email verification on account creation
- Insignificant requests lacking CSRF tokens
- Social engineering / phishing
- Cached information stored in clients
General Rules
- Using vulnerabilities to intentionally exploit users or damage products and services will disqualify you
- Only new vulnerabilities can qualify for rewards
- You must be the first to report a vulnerability to be qualified
- You may not disclose vulnerabilities publicly or to other third parties before they are fixed
- You may not disclose communication with our internal team
Rewards
Rewards for vulnerabilities are determined based on several factors such as impact, risk, and severity. We use the following guidelines to help determine compensation:
- Critical: $5K–$10K (e.g. server-side attack, remote code execution with elevated privileges)
- High: $2.5K–$5K (e.g. server-side attack, remote code execution, SQL injection)
- Medium: $250–$1K (e.g. client-side attack, XSS exploit)
- Low: $100–$250 (e.g. client-side attack, minor XSS exploit)
After the reported vulnerabilities have been confirmed, we will review your submission to decide on the appropriate reward. We may elect to reward more at our discretion, such as in extreme circumstances or as a gesture of good faith.
Contact
Please report vulnerabilities using the contact form. Once our team has verified the vulnerability, we will reach out directly to confirm the issue and gather additional information if required.
Terms and Conditions
Fair Economy reserves the right to determine, at our sole discretion, whether reports submitted qualify for a reward payment and the value of that payment, and our determinations shall be final.
Fair Economy reserves the right to modify or cancel this program at any time.
You must abide by the Scope and General Rules outlined above to be eligible to receive a reward payment.
Any rewards not accepted within one year, or waived, shall become ineligible for payment.
Rewards may not be paid to anyone we cannot legally engage with. This includes, but is not limited to, anyone in a U.S. embargoed country, on the U.S. Treasury Department's list of Specially Designated Nationals, on the U.S. Department of Commerce Denied Persons List or Entity List, or on any other restricted party lists.
You're responsible for the payment of all applicable taxes and compliance with all applicable laws, regulations, or other restrictions, including those of the country or region in which you reside.
This program is void where it is prohibited or restricted.