No technology is perfect, and Triple-A believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome you to work with us in resolving the issue promptly. Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.
Triple-A looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
Please contact us at security@triple-a.io.
The following domains and applications are within the scope of this program:
Out of scope of this program:
If a third-party application is hosted on a subdomain, it is eligible for our program. However, we only accept severe vulnerabilities that affect our users, service, or infrastructure. Other vulnerabilities will be reported or forwarded to the third-party vendor.
Please follow this report format when submitting vulnerabilities:
While researching, we’d like to ask you to refrain from:
In order to be eligible for a bounty, you must meet the following requirements:
Any vulnerabilities reported with the following criteria are not eligible for a bounty:
Tool outputs are not enough. Using scanners and automation tools is common practice in the security community, but they often produce many results that need further investigation and can yield many false positives. To be eligible for bounty awards, reports from automated tools or scans must include additional analysis that demonstrates the exploitability of the vulnerability.
| Category | Minimum | Up to |
| --- | --- | --- |
| Remote Code Execution (RCE) | $250 | $1500 |
| Injection (SQLi or equivalent) | $200 | $1000 |
| Local/Remote File Inclusion (LFI, RFI) | $200 | $1000 |
| Account Takeover (depends on the complexity of user interaction) | $200 | $1000 |
| Sensitive Data Disclosure or Manipulation (IDOR, memory leak, etc.) | $200 | $1000 |
| Server Side Request Forgery (SSRF), non-blind | $200 | $1000 |
| Server Side Request Forgery (SSRF), blind | $75 | $250 |
| Corp Admin Stored Cross Site Scripting, blind | $75 | $250 |
| Stored Cross Site Scripting | $50 | $200 |
| Reflected/Other Cross Site Scripting | $50 | $150 |
| Cross Site Request Forgery (CSRF) | $50 | $100 |
| Self Cross Site Scripting | $50 | $100 |
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.
Triple-A will determine at its own discretion whether a reward should be granted and the amount of the reward. Depending on their impact, not all reported issues qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis.
You must comply with all applicable laws in connection with your participation in this program.
Thank you for helping keep Triple-A and our users safe!