Bug Bounty Rules

Bug Bounty Rules

Jun 21, 2023

Jun 21, 2023

The Atom Finance Bug Bounty Programs Rules ("Rules") cover your participation in the Atom Bug Bounty Program (the "Bug Program"). These Terms are between you and Atom, Finance Inc. ("Atom," "us" or "we"). By submitting any vulnerabilities to Atom or otherwise participating in the Program in any manner, you accept these Rules.

Eligibility Requirements

To be eligible for the Bug Program, you must not:

  • Be a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);

  • Be in violation of any national, state, or local law or regulation;

  • Be employed by Atom or its subsidiaries;

  • Be a former Atom employee or contractor;

  • Be an immediate family member of a person employed by Atom or its subsidiaries or affiliates; or

  • Be less than 18 years of age. 

If Atom discovers that you do not meet any of the criteria above, Atom will remove you from the Bug Program and disqualify you from receiving any bounty payments. Any submissions you make to Atom shall be considered “Submission(s)” for purposes of these Rules.

Bug Submission Requirements and Guidelines

You may not publicly disclose your findings or the contents of your Submission in any way without Atom’s prior written approval.

Failure to follow these guidelines will result in immediate disqualification from the Bug Program and ineligibility for receiving any bounty payments.

For all submissions, please include ( as applicable):

  • Full description of the vulnerability being reported including the exploitability and impact

  • Document all steps required to reproduce the exploit of the vulnerability

  • Provide all (as applicable):

    • URL(s)/application(s) affected in the submission (even if you provided us a code snippet\video as well)

    • IPs that were used while testing

    • Commands that were used while testing

    • Always include the user ID that is used for the point of contact

    • Always include all of the files that you attempted to uploaded

    • Provide the complete point of contact for your submission (e.g. For RCE’s do not change files, upload only “hello world” test files, etc.)

    • Please save all relevant logs and attach them to the submission.

Atom reserves the right to ask for additional information to further evaluate the Submission. Failure to include any of the above items may delay or jeopardize the bounty payment.

Ownership of Submissions

As between Atom and you, as a condition of participation in the Bug Program, you hereby grant Atom, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Atom in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us.

You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to Atom. In no event shall Atom be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission, so long as Atom complies with the terms of participation stated herein.

Bug Payouts

Atom retains the right to determine if the Submission is eligible for a bounty. All determinations as to the amount of a bounty made by the Bug Program term are final. Further, aside from the Requirements and Guidelines set forth in these Rules, your Submission may not be eligible if Atom is already aware or has received a prior Submission making Atom aware of the same or similar vulnerability, issues, or matter related to the Bug Program.

Bug Payments are tied to severity for responsible and clear disclosure. The following describes our bug status severity tiers:

Level | Estimated Reward

Critical | $1,000+
High | $500
Medium | $250
Low | $50-$100

Upon Submission, Atom, in its sole discretion, will review and determine the applicable severity tier. In the event Atom elects to pay you a bounty, Atom may make a partial payment when the vulnerability is first verified by Atom and then an additional payment once the vulnerability has been fixed. The format, and timing of all bounty payments shall be determined in Atom’s sole discretion. 


In the event (i) you breach the Rules; or (ii) Atom determines, in its sole discretion that your continued participation in the Bug Program could adversely impact Atom (including, but not limited to, presenting any threat to Atom’s systems, security, finances and/or reputation) Atom may immediately terminate your participation in the Bug Program and disqualify you from receiving any bounty payments. 


Any information you receive or collect about Atom or any Atom user through the Bug Program (“Confidential Information”) must be kept confidential in accordance to these Rules and only used in connection with the Bug Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Atom sites, without Atom’s prior written consent. VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN ANY PAYOUTS PAID FOR YOUR SUBMISSION AND DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.


In addition to any indemnification obligations you may have under the Rules, you agree to defend, indemnify and hold Atom, its subsidiaries, affiliates and the officers, directors, agents, joint ventures, employees and suppliers of Atom, its subsidiaries, or our affiliates, harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your Submissions, your breach of the Agreement and/or your improper use of the Bug Program.

Changes to Program Terms

The Bug Program, including its policies, is subject to change or cancellation by Atom at any time, without notice. As such, Atom may amend these Rules and/or its policies at any time. By continuing to participate in the Bug Program after Atom notifies you of any such changes, you accept the Rules, as modified.


If you have any questions, please contact Atom at [email protected]