Security: upbit-official/upbit-cli

SECURITY.md

Security Policy

Reporting Security Issues

Upbit is committed to providing a secure environment for digital asset trading. If you believe you have found a security vulnerability in an official Upbit SDK or project, please report it to us privately.

Please do not disclose the issue publicly until we have had a chance to investigate and address it. This is critical to protecting the assets and privacy of our users.

Information to Include

To help us prioritize and triage your report, please include:

  • Description: A detailed description of the issue and its potential impact on financial transactions or user data.
  • Target: Affected project name (e.g., upbit-python-sdk) and version.
  • Environment: Runtime version (e.g., Python 3.11, Node.js 20) and OS.
  • Proof of Concept: Step-by-step instructions, sample code, or requests to reproduce the issue.
  • Sensitive Data: Please do not include live Access Keys, Secret Keys, JWTs, or unnecessary personal or account data in your report. If sensitive material would be required to reproduce the issue, note that in your report and wait for further instructions.

Disclosure Policy

To protect our community, we ask that you:

  • Maintain Confidentiality: Keep vulnerability details private until a fix or mitigation is officially released. Even after a fix or mitigation is released, please do not publicly disclose any vulnerability details without prior written permission from Upbit.
  • Data Integrity: Avoid accessing, modifying, or deleting any data that does not belong to you.
  • Service Continuity: Avoid actions that may degrade service availability or harm other users.
  • Good Faith: Act within the bounds of responsible disclosure and ethical hacking.

Upbit will make reasonable efforts to:

  • Acknowledge receipt of your report.
  • Investigate and validate the reported issue thoroughly.
  • Work on a fix or mitigation and release an updated SDK, project, or guidance where applicable.
  • Keep you informed of our progress during the triage and remediation process.