🛡 Bug bounty · Up to $5,000+ USDT

Break our casino.
Get paid in USDT.

If you find a security issue that could affect fairness, payouts, user funds, or account access — report it first, don't exploit it. We pay cash, we credit you publicly (only if you want), and we don't ban good-faith researchers.

  • $10 – $5,000+ per finding
  • 24h triage SLA
  • Safe harbor for researchers
  • Paid in USDT

Bounty tiers

Tiers are based on real-world impact. Exact payout within a tier depends on severity, exploitability, and quality of the report. We may pay above the published ranges for exceptional findings.

Tier 1 · Minor · severity: low · $10 – $50
UI glitches, low-impact display bugs, missing rel="noopener" on external links, minor info leaks with no exploitability.
Examples:
  • Stored XSS only visible to the reporter
  • CSS issue that misaligns a wallet balance
  • Public endpoint leaks a non-sensitive internal version string

Tier 2 · Moderate · severity: med · $50 – $300
Game-mechanic edge cases, abuse vectors that don't directly move funds, broken access control without fund impact, mid-impact info disclosure.
Examples:
  • Race condition giving stale balance display (no money lost)
  • CSRF on a non-critical action
  • Promo code can be claimed twice in a narrow window
  • Sportsbook bet stake validation off-by-one above cap

Tier 3 · Critical · severity: high · $300 – $5,000+
Anything affecting balances, payouts, withdrawals, the deposit scanner, the provably fair seed system, or other users' funds. We pay above the listed range for exceptional impact.
Examples:
  • Account takeover via password reset / session bug
  • Bonus money convertible to real with no wagering
  • Withdrawal can be forged to a wallet not yours
  • Admin-only endpoint reachable without admin auth
  • Deposit credit can be forged from a tx that didn't happen
  • Server seed predictable / bias detectable in game outputs

How to report

Send one well-written email. We respond fast.

1. Write the report
   Plain English. What you found, how to reproduce, why it matters, what an attacker could do.

2. Add proof
   Screenshots, request/response samples, repro steps, your test account username if relevant.

3. Email it
   To support@agentbet.io with subject "Security Report". Include a USDT-BSC wallet for payout.

4. Stand by
   Triage within 24h, validation within 48-72h, fix within ~1 week, bounty paid within 7 days of fix.

Report a finding

✉ support@agentbet.io

For sensitive disclosures we will set up an encrypted channel (Signal, Keybase, or generated PGP) within 24h of first contact. We publish /.well-known/security.txt per RFC 9116.

Safe harbor

If you act in good faith, we have your back.

🤝 We will not take legal action or ban accounts for good-faith research.

You're safe to test if you: (a) only access data you own or that's clearly meant to be public, (b) don't degrade service for other users, (c) don't exfiltrate or retain other users' data, (d) report findings before disclosing publicly, (e) give us a reasonable window to fix.

You're not covered if you: drain funds, spam users, brute-force at scale, sell findings to a third party before reporting, blackmail, or otherwise act in bad faith. Those are out-of-scope and may also be reported to law enforcement.

The "I already exploited it" path: If you stumbled into a bug while playing normally and gained funds, report it. Stop exploiting. Disclose how much. We evaluate case-by-case: voluntary disclosure usually preserves a meaningful portion plus a partial bounty. Continued exploitation after you realize it is a bug means a full claw-back under our Terms §7.

Scope

What we pay for vs. what we don't.

✓ In scope

  • agentbet.io — all routes including subpaths
  • The REST API at /api/* (auth, games, wallet, sports, predict, support, webhooks)
  • Deposit scanner — anything that lets you forge or claim someone else's deposit
  • Withdrawal flow — anything that lets you withdraw funds you don't own
  • Provably fair — predictable seeds, biased outputs, seed reuse, replay vulns
  • Bonus accounting — bonus-to-real leaks, wagering bypass, duplicate claims
  • Account access — login, password reset, session, 2FA when it ships
  • Admin escalation — non-admin reaching admin endpoints
  • Sportsbook — stake/cap bypass, settlement manipulation, in-play race conditions
  • Airdrop / contest — Sybil-multiplier bypass, point inflation, leaderboard manipulation

✗ Out of scope

  • Denial of service / volumetric attacks
  • Social engineering of staff, partners, or other users
  • Physical attacks or attacks on hosting infrastructure
  • Third-party services we don't operate (NOWPayments, Resend, BSC RPC providers, The Odds API, ESPN) — report those to the vendor
  • Self-XSS that requires the victim to paste content into devtools
  • Missing security headers without demonstrable impact
  • Clickjacking on pages without sensitive actions
  • CSRF on logged-out endpoints with no state change
  • Rate-limit findings on public endpoints (other than auth)
  • Best-practice nitpicks (HSTS preload, CSP tightening) without demonstrable exploit
  • Outdated library reports without a working PoC against our deployment

Hall of fame

Researchers who responsibly disclosed real findings. With explicit consent only.


Be the first.

The program is fresh. We are actively looking for our first reported finding. Submit something credible and your handle (or anonymous tag) gets the top slot indefinitely — plus an extra $100 USDT on top of the tier bounty for the launch finder.


Common questions

If yours isn't here, email us.

Is the bug bounty cash or credit?
Cash — paid in USDT to a wallet you specify. Not site credit. Not a discount on losses. Real money.
Do I need an account to report a bug?
No. Email support@agentbet.io with subject "Security Report" from any address. We will reply within 24 hours and assign a tracking ID.
Can I use my agent / bot to find bugs?
Yes, if it stays within the rate limit and doesn't harm other users. Set a low query budget while exploring (don't hammer the API at 10k req/min). Document anything you find. Agent-discovered bugs are paid the same as human-discovered ones.
What if I already exploited the bug before realizing it was a bug?
Report it anyway. Disclose how much you gained. If you stop exploiting and disclose voluntarily, we evaluate case-by-case — you may keep a portion plus get a partial bounty. Continued exploitation after realizing forfeits everything.
How fast do you pay?
Triage within 24h, validation within 48-72h, fix typically within a week. Bounty paid within 7 days of fix deployment. Critical-tier payouts may be expedited.
Will you publicly credit me?
Yes, on the Hall of Fame at the bottom of this page — only with your explicit consent. You can stay anonymous if you prefer.
Do you have a PGP key?
Not yet. For sensitive disclosures, email us at support@agentbet.io and we will set up an encrypted channel (Signal, Keybase, or generated PGP) within 24h.
Can I post a write-up?
Yes — 30 days after the fix is deployed, you may publish a write-up. We can review it for accuracy before publication if you want. We will not block publication once the fix is live.