BCS Investments is a financial holding company with a 30-year history, providing clients with the widest possible range of brokerage and investment services. Our Bug Bounty program is designed to collaborate with security researchers to identify and fix vulnerabilities in our products. We guarantee a fair reward for your findings and strive for transparent collaboration.
Security team contact information:
Email: cybersec@bcs.ru
Rewards are paid to individual entrepreneurs and self-employed persons
Program description

From November 12, 2025 to November 30, 2025 a promotion is in effect: double payouts for valid vulnerabilities rated High or Critical.

Scope

Main services

The program covers the following key BCS Broker products:
BCS Investments (web and mobile applications)
Domains below:

Exceptions to scope

Not included in the program:
  • Staging (domains with dev, stage, sandbox, alpha, beta, test, preprod).
  • Third-party services (e.g. payment systems or partner services).

Rewards

Payout Table

The reward is paid only if the security team deems all conditions and rules met. The reward is paid according to the table below:
• Critical – up to 500,000 rubles as part of the promotion until November 30, 2025
• High – up to 240,000 rubles, depending on the assessment of the consequences, as part of the promotion until November 30, 2025
• Medium – up to 50,000 rubles, depending on the damage assessment
• Low – up to 10,000 rubles, depending on the damage assessment
• Info – no reward
The amount of the reward paid is final and not subject to discussion.

Traffic identification

  • Add the following header to every request:
X-BCS-BugBounty: <your token>
So that our security systems can whitelist your traffic, we issue an individual token to each researcher. To receive one, send a request to support@standoff365.com from the email address your Standoff account is registered with.

Priority vulnerabilities

Critical Vulnerabilities
We are particularly interested in critical server-side vulnerabilities and accept the following types of vulnerabilities:
  • Remote Code Execution (RCE)
  • Injections (e.g. SQL/XML)
  • SSRF (Server-Side Request Forgery)
  • LFI/RFI
  • Path Traversal
  • Authentication/authorization flaws (including those leading to account compromise)
  • IDOR (Insecure Direct Object References), with a demonstration of the identifier enumeration logic where possible
  • Business logic vulnerabilities (e.g. bypassing transaction limits)
  • XSS/CSRF with impact on sensitive data (a Critical rating is assigned only if the demonstrated vulnerability could lead to mass disclosure of personal data or banking secrecy, or to account takeover)
  • Disclosure of sensitive information
  • Insecure Deserialization Vulnerabilities

Lowest Priority Vulnerabilities

  • The anti-bot is implemented and working
  • XSS attacks without confirmation of real impact

Exceptions to the program

The following reports are not accepted:
  • Vulnerabilities in services not related to the BCS system;
  • Fraudulent schemes or abuse of legitimate functionality (we recommend sending such reports to the support chat; there is no reward for them under the bug bounty program);
  • Issues that are not related to security;
  • Possible DDoS attacks;
  • Credential stuffing, i.e. using leaked credentials to log into various systems (except where this exposes accounts on administrative systems);
  • Information about IP addresses, DNS records and open ports;
  • Use of phishing and other social engineering techniques;
  • Output of vulnerability scanners and other automated tools;
  • Publicly accessible login panels, excluding administrative panels;
  • Absence of HTTPS;
  • Insecure SSL/TLS configuration without a demonstrated impact;
  • Clickjacking;
  • HTTP codes, pages or files containing non-confidential information;
  • Disclosure of public information about users;
  • Root and jailbreak detection bypass;
  • The possibility of reverse engineering mobile applications;
  • CSRF without a demonstrated impact, including logout CSRF;
  • Incorrect SPF/DKIM/DMARC/DNS settings;
  • Attacks requiring physical access to the user's device.
 

Testing rules

General rules

• Current employees of FG BCS or persons affiliated with them, as well as employees of organizations performing work for FG BCS, are not allowed to participate. These restrictions remain in effect for one year from the date of termination of the contractual relationship.
• For testing, use only your own accounts or the accounts of users who have expressly given their consent. Do not attempt to access other people's accounts or any confidential information.
• When searching for vulnerabilities, you should avoid compromising the confidentiality, integrity and availability of information in our services.
• Any activity that could cause damage to the company's applications, infrastructure, customers, and partners is prohibited. Examples of prohibited actions include social engineering, denial-of-service attacks, and physical impact on infrastructure.
• To confirm the presence of a vulnerability, use the minimum possible PoC (Proof of Concept). If the PoC could affect other users or the system's functionality, contact us for permission first. Any further exploitation of the vulnerability is strictly prohibited.
• If a reported 0-day or 1-day vulnerability has had a patch available for less than two weeks, the report may be treated as a duplicate.
• Automatic scanning should be limited to 5 requests per second.
• FG BCS may change the terms of this program, including terminating it, at any time unilaterally and at its sole discretion without prior notice. Changes will take effect from the moment the updated version is posted on the platform.
 

Policy for RCE/SQLi

Allowed:
• Executing the commands: ifconfig, hostname, whoami, id.
• Reading the files /etc/passwd and /proc/sys/kernel/hostname.
• Creating and deleting files in /tmp/.

SQL injection testing restrictions:

Only the following actions are permitted:
• Retrieving information about the database: SELECT database(), SELECT @@version.
• Retrieving the database schema: SELECT table_schema, SELECT table_name.
• Boolean (true/false) queries that do not retrieve data.
Forbidden:
• Changing or deleting data.
• Gaining access to confidential data.
• Destructive commands (for example rm, shutdown).

Limitations on testing file upload and file reading

Testing for vulnerabilities that could lead to arbitrary file reading on the server or arbitrary file upload must follow the guidelines below.
Prohibited actions when uploading files:
• Changing, modifying, deleting or replacing any files on the server (including system files), except those associated with your own account or with the account of a user who has expressly consented.
• Uploading files that may cause a denial of service (e.g. very large files).
• Uploading malicious files (such as malware or spyware).
• Once you have gained the ability to read arbitrary files on the server, any action other than reading /etc/passwd and /proc/sys/kernel/hostname is prohibited.
If other actions are required, they must be agreed in advance with the DIB team.

Determining the criticality of a vulnerability

We reserve the right to make the final determination regarding the severity of any identified vulnerability. After receiving a report, we conduct an internal investigation and determine the severity level based on a number of factors, including:
• The level of privilege required to carry out the attack;
• Difficulty of detection and exploitation;
• Presence of a requirement for user interaction;
• Impact on the integrity, availability and confidentiality of the affected data;
• Potential financial losses/reputational and regulatory risks;
• Number of affected users.
• In case of duplication, the reward is paid only for the first report.
• If the fix for a previously reported vulnerability also fixes the vulnerability in a new report, the reward is paid only for the original report.
• An identical bug in the same function on a mirror, brand or regional domain is considered a duplicate.

Disclosure Policy

Public discussion of vulnerabilities is prohibited without written permission from the BCS security team.
Reports with insufficient information or duplicates will be rejected.
We reserve the right to refuse any request for public disclosure of the report.
 

Reporting Requirements

Mandatory items

  • Vulnerability type
  • Vulnerability Description: A detailed explanation of the issue, indicating its severity.
  • Reproduction steps: Step-by-step instructions.
  • PoC (Proof of Concept): example requests, screenshots, videos and program code.
  • Fix recommendations: suggested remediation.

Report format

Send reports in DOCX/PDF format.
Use the template:
• Vulnerability: [Name]
• Description:
• Reproduction steps:
• PoC:
• Recommendations:

FAQ

How to avoid blocking?

Please adhere to the request limit (5/sec).
Use the header X-BCS-BugBounty.
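Both FAQ points above (the 5 requests/second limit and the identification header, also stated in the Traffic identification and General rules sections) can be enforced on the researcher's side with a small client. The following Python code is an added example and is not part of the program page or of any BCS or Standoff tooling. The header name X-BCS-BugBounty and the limit of 5 requests per second come from the page; the token value, the example URLs, the FakeClock and the RecordingTransport are constructed so that the example runs offline and its behaviour can be checked without sending any traffic.

```python
"""Rate-limited HTTP client that tags every request with the program's
identification header. Added example, not from the program page.

From the page: the header name and the 5 requests/second limit.
Constructed: the token value, the URLs, FakeClock and RecordingTransport.
"""
import collections
import threading
import time
from urllib.request import Request, urlopen

HEADER_NAME = "X-BCS-BugBounty"   # from the program rules
MAX_REQUESTS_PER_SECOND = 5       # from the program rules


class SlidingWindowLimiter:
    """Allow at most `max_requests` sends in any `window`-second interval.

    A sliding window is used instead of a token bucket because the rule is a
    hard "5 per second": a bucket that bursts 5 and refills at 5/s can put
    9 requests into a single second.
    """

    def __init__(self, max_requests, window=1.0, clock=time.monotonic, sleep=time.sleep):
        self.max_requests = max_requests
        self.window = window
        self.clock = clock          # injectable for deterministic tests
        self.sleep = sleep
        self.sent = collections.deque()
        self.lock = threading.Lock()

    def acquire(self):
        """Block until a send is allowed; return the seconds spent waiting."""
        waited = 0.0
        with self.lock:
            while True:
                now = self.clock()
                while self.sent and now - self.sent[0] >= self.window:
                    self.sent.popleft()      # aged out of the window
                if len(self.sent) < self.max_requests:
                    self.sent.append(now)
                    return waited
                delay = self.sent[0] + self.window - now
                self.sleep(delay)
                waited += delay


def build_headers(token):
    """Headers every in-scope request must carry; rejects malformed tokens early."""
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("token must be a non-empty value with no whitespace")
    return {HEADER_NAME: token}


def urllib_transport(method, url, headers, body=None, timeout=15):
    """Real transport (only used when none is injected). Returns (status, body)."""
    req = Request(url, data=body, method=method)
    for name, value in headers.items():
        req.add_header(name, value)
    with urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()


class TaggedClient:
    """Sends requests through the limiter and records when each one went out."""

    def __init__(self, token, rate=MAX_REQUESTS_PER_SECOND, clock=time.monotonic,
                 sleep=time.sleep, transport=urllib_transport):
        self.headers = build_headers(token)
        self.limiter = SlidingWindowLimiter(rate, clock=clock, sleep=sleep)
        self.clock = clock
        self.transport = transport
        self.sent_at = []           # timestamps, so the limit can be audited later

    def request(self, method, url, body=None):
        self.limiter.acquire()
        self.sent_at.append(self.clock())
        return self.transport(method, url, dict(self.headers), body)


def max_in_window(timestamps, window=1.0):
    """Largest number of timestamps in any half-open interval [t, t + window)."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


class FakeClock:
    """Deterministic clock: 'sleeping' advances time instead of waiting."""
    def __init__(self):
        self.now = 0.0
    def time(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds


class RecordingTransport:
    """Offline transport that records (method, url, headers) and answers 200."""
    def __init__(self):
        self.calls = []
    def __call__(self, method, url, headers, body=None):
        self.calls.append((method, url, headers))
        return 200, b""


def run_offline_demo(n_requests=12):
    """Fire n requests against the fake clock; return (client, transport, clock)."""
    clock, transport = FakeClock(), RecordingTransport()
    client = TaggedClient("EXAMPLE-TOKEN-0000",   # constructed placeholder token
                          clock=clock.time, sleep=clock.sleep, transport=transport)
    for i in range(n_requests):
        client.request("GET", f"https://example.invalid/api/item/{i}")
    return client, transport, clock


if __name__ == "__main__":
    client, transport, clock = run_offline_demo()
    print(f"{len(transport.calls)} requests in {clock.now:.1f}s of fake time, "
          f"at most {max_in_window(client.sent_at)} in any one-second window")
```

Running the file as-is uses the fake clock and the recording transport, so nothing leaves the machine; constructing `TaggedClient(token)` with the defaults switches to `time.monotonic`, `time.sleep` and `urllib`. The `sent_at` list and `max_in_window` are the audit check: after a session you can confirm that no one-second window ever contained more than five requests, which is the evidence to keep if a block is ever disputed.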

How to track the report status?

Response within 20 working days.
Status updates in your personal account on the platform

Conclusion

BCS values the contribution of every researcher to the security of our services. We strive for open dialogue and are ready to reward your efforts. Thank you for participating in the BCS Bug Bounty program!
Launched July 23, 08:52
Edited December 1, 07:52
Program format: Vulnerabilities
Reward for vulnerabilities: up to ₽250K
Program statistics: 108 valid reports, 115 submitted reports