Security Researchers

I'm under 13 years of age and what is this?

We allow bug bounty payments to researchers of any age. However, the Children's Online Privacy Protection Act limits our ability to collect personally identifiable information (PII) from children under 13 years of age, so you will need to claim your bug bounties through your parent or legal guardian.

Can I donate my bug bounty to a charity?

Of course! Some companies on our platform, or even us at Secuna, may also increase the donation value in the event you decide to donate.

Just let us know if you'd like to donate the bug bounty to a charity, and we'll contact the charity and process the donation for you.

Why did I not receive the full bounty awarded to me?

Bug bounties are currently disbursed through PayPal, and depending on their location, the recipient is responsible for any fees incurred.

You can review PayPal's transaction fee table and policy here.

Why can’t I receive payments in my currency?

Our 2 main payout providers are PayPal and Bitcoin. You can only receive payments in the currencies these 2 options provide. If they don’t support your specified currency, then you unfortunately can’t receive payments in that currency. A workaround for this is to receive your payment in US dollars and then have the funds converted to the currency you desire.

When and how do I get my bug bounties?

A valid and accepted security vulnerability submitted to a bug bounty program on Secuna will result in a bug bounty payment to your account. After your submission is accepted by the program owner or the Secuna Infosec Team, your reward will be paid out the following Friday. Note that for us to pay you on time, the program owner will need to send us the bug bounty payment before 12:00am GMT+8 Friday morning.

Secuna offers these 2 payout methods for monetary awards:

PayPal - As soon as the payment is initiated, you'll receive your award instantly, given that your PayPal account is set up to properly receive the amount of money Secuna is trying to send.

Bitcoin through Paylance - As soon as the payment is processed, you'll receive your award instantly.

Have more questions about getting paid? Reach out to team for more information.

What rewards can I get?

There are three main rewards that you could possibly get:

Points – The Secuna platform awards you points when you submit a valid security vulnerability depending on the severity level. Using these points, you have a better chance to get invited to our private security programs.

Bug Bounty – Financial compensation that you receive from a security program when you submit a valid security vulnerability to their bug bounty program.

Swag – You can also earn Swag from different security programs by reporting a valid security vulnerability.

Is it okay or allowed to use automated vulnerability scanners while performing security research?

We do not recommend that security researchers run automated vulnerability scanners against the companies that use our platform.

We highly recommend reading the vulnerability disclosure policy of each security program because some of them allow you to use scanners against their assets.

How long will it take for the bug I submitted to be validated?

Response time can vary by security program; security programs that are managed by Secuna typically have a faster response time. Please give at least a week before you request a follow-up.

What is the KYC process?

We require security researchers to complete the KYC process before we let them browse our platform and report to any open security program.

KYC Process

  1. Creation and verification of your Secuna account.

  2. Background Research and Identity Verification.

  3. Video Interview

In the following months, we will implement a Technical Assessment.

What are the rules?

Before you get started, we strongly recommend that you read our Terms and Conditions, Privacy Policy, and Disclosure Policy to learn what is expected from you. We want to make sure that we're all on the same page before you join Secuna and participate in our security programs.

I found a security vulnerability in an organization that is not listed on your platform. What should I do?

If you are unable to find a published vulnerability disclosure policy for the organization, you can email us at, and we'll try to help.

You may also report it via Coordinated Vulnerability Disclosure Assistance:
