Bug Bounty
Aperture guards real money. If you find a way to break it, we want to hear from you — and we’ll pay you for it.
- Critical ($50,000): Key/seed extraction, remote fund theft
- High ($15,000): Unauthorized signing, bypass of auth
- Medium ($4,000): Sensitive data exposure, spoofing
- Low ($500): Minor leaks, hardening issues
In scope
- The Aperture iOS app and its published source code.
- Key generation, storage, encryption, and signing flows.
- Transaction construction, address handling, signing, and broadcast logic.
- Networking, backup and restore, import and export, and local encrypted storage surfaces.
Out of scope
- Issues in third-party chains, RPC nodes, explorers, market or FX providers, GitHub, Apple, or other external services.
- Social engineering, phishing, or physical attacks on users.
- Reports requiring a jailbroken/compromised device or stolen unlocked phone.
- Theoretical issues without a working proof-of-concept.
Rules of engagement
- Test only against your own wallets and funds. Never touch another user’s assets.
- Report privately and give us reasonable time to fix before any disclosure.
- One report per issue, with clear reproduction steps and a proof-of-concept.
- Rewards are at our discretion, based on severity, impact, and report quality.
How to report
Email care@aperturex.io with full details. For sensitive reports, request our PGP key in your first message. We aim to acknowledge within 48 hours and triage within 5 business days. We will never take legal action against good-faith research that follows these rules.