Disclaimer: This article is for informational purposes only and does not constitute financial advice. BitPinas has no commercial relationship with any mentioned entity unless otherwise stated.


Locally licensed crypto exchange Coins.ph has been running its bug bounty program for seven months now on security platform Secuna, an external channel for individuals, specifically security researchers, to report vulnerabilities on the company’s platform and services.

Coins.ph’s Bug Bounty Program

Launched on August 14, 2025, the crypto exchange’s bug bounty program aims to identify high‑impact classes such as cross‑site scripting (XSS), cross‑site request forgery (CSRF), authentication and authorization flaws, server‑side request forgery (SSRF), SQL injection (SQLi), remote code execution (RCE), insecure direct object references (IDOR), account takeover (ATO), and sensitive data exposure.

According to Coins.ph, the program is designed to spot software vulnerabilities that impact its services.

“Coins.ph recognizes the importance and value of security researchers’ efforts in helping to keep our services safe. We encourage responsible disclosure of vulnerabilities via our public bug bounty program.”

Coins.ph

However, the policy excludes theoretical reports without a working proof of concept, phishing and social‑engineering attacks, denial‑of‑service testing, issues requiring physical access, and certain low‑impact configuration or header findings unless a practical exploit is shown.

Participants are required to use only their own or explicitly permitted test accounts and to avoid destructive actions or broad access to user data while testing.

Interested researchers can visit this link to learn more about the program’s guidelines and rules.

Report Process and Rewards

Individuals and researchers who want to report a bug must include a detailed, reproducible proof of concept. According to Coins.ph, its team is committed to acknowledging valid submissions within 72 hours and to collaborating with reporters during remediation.

If a bug report is successful, the researcher will be required to complete identity verification, which may include submission of government identification and additional documentation, before receiving the reward.

The program’s policy also assures that good-faith security research conducted within its rules will be treated as authorized and will not prompt legal action by the company.

Rewards (Severity + Price):

  • Low $25
  • Medium $500
  • High $1,000
  • Critical $5,000

Researchers with successful reports are also required to claim their rewards within the next 12 months, and Coins.ph said that unclaimed rewards will be donated to a charity of its choice.

As of writing, 98 individuals and researchers have already joined the bug bounty program, but only two reports have been successful and resolved.

Coins.ph’s Security Issue

On the night of March 7, 2026, Coins.ph users reported that they were receiving unauthorized push notifications from the exchange’s mobile app that redirected them to a malicious website.

The push notifications warned users that their accounts were at risk of suspension due to unusual activity or new anti-money laundering regulations.

Coins.ph has acknowledged the reports and issued a security advisory, with its community managers reminding users not to click any links while internal investigations were underway.

Worth Reading: Coins.ph Users Report Suspicious In-App Push Notifications Leading to Phishing Sites; Exchange Investigating

This article is published on BitPinas: Cybersecurity Platform Secuna Hosts Ongoing Bug Bounty Program for Local Exchange
