Responsible Disclosure & Bug Bounty
How to report security issues to VS Global FX
Last Updated: May 2026
1. Our Commitment
VS Global FX takes the security of our customers' funds and data seriously. We welcome security research conducted in good faith and commit to working transparently with researchers who find issues.
If you follow this policy when reporting an issue to us, we will:
- Acknowledge your report within 48 hours.
- Provide an initial triage decision within 5 business days.
- Keep you informed of remediation progress.
- Credit you publicly once the issue is fixed (if you wish).
- Not pursue legal action against you for activity that complies with this policy.
2. How to Report
Email security@vsglobalfx.com with:
- A clear description of the vulnerability and affected component.
- Steps to reproduce, including request/response samples where relevant.
- Your assessment of impact.
- Any suggested remediation.
If you would prefer to encrypt your report, our PGP key fingerprint is published at https://vsglobalfx.com/.well-known/pgp-key.txt.
3. Scope
The following assets are in scope:
- vsglobalfx.com and all subdomains we operate.
- Our trading platform web application.
- Our mobile applications (when published).
- Our authentication, deposit, and withdrawal flows.
The following are out of scope:
- Third-party services we integrate with (BscScan, TronGrid, Google OAuth, etc.) — please report to those vendors directly.
- Denial-of-service attacks, volumetric or otherwise.
- Social engineering of our staff or customers.
- Physical attacks on our infrastructure.
- Reports based purely on automated tool output without a demonstrated impact.
- Findings that require root access, malware, or a compromised device on the user's side.
4. Rules of Engagement
To stay within the safe-harbour described in section 1, you must:
- Use your own test account, or one we explicitly provision for you.
- Never access, modify, or exfiltrate data belonging to other users.
- Stop testing as soon as you have demonstrated a vulnerability — do not pivot or escalate.
- Report the issue to us before disclosing it anywhere else, and give us a reasonable window to remediate (default 90 days, extendable by mutual agreement).
- Avoid degrading service availability for real customers.
5. Severity & Rewards
We classify reports using a CVSS v3.1-derived ladder. Indicative reward bands (paid in USDT):
- Critical (e.g. fund theft, account takeover without user interaction, full database read): up to USDT 5,000.
- High (e.g. authenticated privilege escalation, withdrawal-flow bypasses, KYC circumvention): up to USDT 1,500.
- Medium (e.g. stored XSS in authenticated areas, IDOR exposing limited data, business-logic bypass): up to USDT 500.
- Low (e.g. reflected XSS, missing security headers with demonstrated impact): up to USDT 100.
- Informational: hall-of-fame credit only.
Final severity is at our discretion based on real-world impact, exploit complexity, and whether we already had compensating controls. We pay only one reward per root cause, even if reproducible across multiple endpoints.
6. Disclosure
We commit to coordinated disclosure: once an issue is fixed, we will publish a brief advisory and, with your consent, name you as the reporter. We ask that you do not disclose details publicly until we have confirmed the fix is live.
7. Eligibility
You are not eligible for rewards if you are:
- A current or former employee of VS Global FX or any of its affiliates.
- A resident of, or located in, a jurisdiction subject to comprehensive sanctions by the United Nations, the European Union, the United Kingdom, or the United States Office of Foreign Assets Control.
- Found to be acting in bad faith — for example, attempting extortion or threatening public disclosure to inflate the reward.
8. Contact
Security reports: security@vsglobalfx.com
General compliance: info@vsglobalfx.com