Bug Bounty

Aperture guards real money. If you find a way to break it, we want to hear from you — and we’ll pay you for it.

  • Critical ($50,000): Key/seed extraction, remote fund theft
  • High ($15,000): Unauthorized signing, bypass of auth
  • Medium ($4,000): Sensitive data exposure, spoofing
  • Low ($500): Minor leaks, hardening issues

In scope

  • The Aperture iOS app and its published source code.
  • Key generation, storage, encryption, and signing flows.
  • Transaction construction, address handling, signing, and broadcast logic.
  • Networking, backup and restore, import and export, and local encrypted storage surfaces.

Out of scope

  • Issues in third-party chains, RPC nodes, explorers, market or FX providers, GitHub, Apple, or other external services.
  • Social engineering, phishing, or physical attacks on users.
  • Reports requiring a jailbroken/compromised device or stolen unlocked phone.
  • Theoretical issues without a working proof-of-concept.

Rules of engagement

  • Test only against your own wallets and funds. Never touch another user’s assets.
  • Report privately and give us reasonable time to fix before any disclosure.
  • One report per issue, with clear reproduction steps and a proof-of-concept.
  • Rewards are at our discretion, based on severity, impact, and report quality.

How to report

Email care@aperturex.io with full details. For sensitive reports, request our PGP key in your first message. We aim to acknowledge within 48 hours and triage within 5 business days. We will never take legal action against good-faith research that follows these rules.