
Bug Bounty Program

Help us keep Onramp.money secure. We reward security researchers who responsibly disclose vulnerabilities across our platform.

Guidelines

Rules of Engagement

Confidential Disclosure

Report findings exclusively to [email protected]. Do not disclose vulnerabilities publicly or on social media before they are resolved.

No Disruption

Do not perform actions that could degrade our services, destroy data, or violate the privacy of our users during your testing.

Resolution Timeline

We typically acknowledge reports within 2 business days and aim to resolve valid issues within 2 weeks. Please allow us reasonable time before any disclosure.

One Issue Per Report

Submit each vulnerability as a separate report with a clear description, reproduction steps, and proof-of-concept where possible.

Scope

What's In & Out of Scope

In Scope
  • onramp.money — main website and web application
  • Android and iOS mobile applications
  • Public-facing API endpoints
Out of Scope
  • Third-party services and integrations not operated by Onramp
  • Subdomains or properties not directly affiliated with onramp.money

Qualifying Vulnerabilities

What We're Looking For

Cross-site Scripting (XSS)
Cross-site Request Forgery (CSRF)
SQL Injection
Server-Side Request Forgery (SSRF)
Remote Code Execution (RCE)
XML External Entity (XXE)
Access Control Flaws
Privilege Escalation
Payment Manipulation
Directory Traversal
Authentication Bypass
Sensitive Data Exposure

Exclusions

Non-Qualifying Issues

Open redirects without demonstrated impact
Reports of outdated software versions without a working exploit
Clickjacking on pages with no sensitive actions
CSV injection
Self-XSS (requires the victim to paste code themselves)
Automated scanner output without manual analysis
Denial-of-Service (DoS/DDoS) attacks
Brute-force attacks without a demonstrated bypass
SSL/TLS scan reports (e.g. SSL Labs output)
Vulnerabilities in third-party software disclosed within the last 2 weeks (a 2-week grace period applies before such reports are accepted)

Mobile-Specific Exclusions

Absence of certificate pinning
Clipboard data leaks
Unencrypted local storage
Lack of code obfuscation
Hardcoded non-sensitive values
Runtime manipulation on jailbroken/rooted devices

Submission Format

How to Report

Send your report to [email protected] with the following details:

  1. Clear description of the vulnerability and its location
  2. Step-by-step instructions to reproduce the issue
  3. Proof-of-concept (screenshots, videos, or scripts)
  4. Impact assessment and potential severity

Rewards

Bounty Tiers

Rewards are determined by severity, impact, and the quality of the report. All bounties are paid in cryptocurrency.

Critical

RCE, authentication bypass, payment manipulation, mass data exposure

High

Privilege escalation, stored XSS, SQL injection, SSRF with internal access

Medium

CSRF with impact, reflected XSS, information disclosure of sensitive data

Low

Minor information leaks, low-impact misconfigurations, non-sensitive data exposure

Found a vulnerability?

Reach out to us at [email protected] with your findings. We appreciate responsible disclosure and are committed to working with the security community.

Onramp Money is a fast, secure crypto onramp/offramp that makes it easy to buy, sell, and swap crypto—and even purchase gift cards with crypto—right from a simple, user-friendly experience. Onramp supports 480+ tokens and 22 fiat currencies, helping users convert fiat to crypto (and back) using trusted local rails like UPI (India), SEPA (Europe), PIX (Brazil), and other local payment methods across 60+ countries.

Trade popular assets like BTC, ETH, USDT, USDC, BNB, XRP, MATIC, DOGE and TRX, and transact across major networks including Ethereum, Polygon, BSC, Solana, NEAR, Optimism, Arbitrum, and Tron (and more). With strong coverage in key markets such as India, Turkey, UAE, Mexico, Brazil, the European Union, the UK, and across Southeast Asia and Africa, Onramp is built for global access with local convenience.

For businesses and builders, Onramp offers flexible integration options—including widget, API, and SDK—to embed fiat-to-crypto onboarding directly inside wallets, dApps, NFT platforms, DEX experiences, and exchanges. Onramp is known for competitive pricing, with transparent rates, no hidden fees, and consistently low processing fees for most fiat currencies, sourcing liquidity across providers to help deliver better execution. Onramp is available on Android and iOS, so users can buy and sell crypto on the go.

Rated 4.3 stars (960+ reviews) on Trustpilot

Onramp.Money is a global digital asset and Web3 infrastructure provider, operated by OMO LLC (Saint Vincent & the Grenadines, ID: 3049) globally, with operations in India and Europe through affiliated registered entities.

©2026 Onramp