Don’t invest unless you’re prepared to lose all the money you invest. This is a high‑risk investment and you should not expect to be protected if something goes wrong. Take 2 mins to learn more.

Bug Bounty

Our bug bounty program offers Bitcoin rewards to anyone who discovers a new vulnerability in our code.

Find our flaws

What are we looking for?

Bug Bounty - Cross Site Scripting.svg

Cross-site scripting

Bug Bounty - Cross Site Request Forgery.svg

Cross-site request forgery

Bug Bounty - Remote Code Execution.svg

Remote code execution

Bug Bounty - Click Jacking.svg


Bug Bounty - Code Injection.svg

Code injection

Bug Bounty - Leaks of Sensitive Data.svg

Leaks of sensitive data

How it works

In order to claim a bug bounty, you must:

  • Discover an entirely unknown vulnerability.
  • Alert us before posting the bug anywhere else – and give us sufficient time to patch the issue.
  • Not use the exploit to steal money or data from CoinJar or its customers. If the exploit requires account access, you must use your own.

If you have any doubts or questions, email us at

Ineligible bounties

We don’t reward bounties for any vulnerabilities not under our direct control. For example:

  • Social engineering
  • Issues requiring physical access to hardware
  • Vulnerabilities in 3rd party software (Ruby, nginx, etc)
  • Denial of Service
  • Usability issues

Report a bug

Please fill out the form below to report an issue. Include as much detail about the exploit as you can and a BTC address for us to send the reward to. Our Security Team will get back to you as soon as possible.

Your information is handled in accordance with CoinJar’s Privacy Policy.

App storeApp store

Your information is handled in accordance with CoinJar’s Privacy Policy.

Cryptoassets traded on CoinJar UK Limited are largely unregulated in the UK, and you are unable to access the Financial Service Compensation Scheme or the Financial Ombudsman Service. We use third party banking, safekeeping and payment providers, and the failure of any of these providers could also lead to a loss of your assets. We recommend you obtain financial advice before making a decision to use your credit card to purchase cryptoassets or to invest in cryptoassets. Capital Gains Tax may be payable on profits. CoinJar’s digital currency exchange services are operated in the UK by CoinJar UK Limited (company number 8905988), registered by the Financial Conduct Authority as a Cryptoasset Exchange Provider and Custodian Wallet Provider in the United Kingdom under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended (Firm Reference No. 928767).

The CoinJar Prepaid Mastercard is issued by EML Money DAC pursuant to a license by Mastercard. EML Money DAC is regulated by the Central Bank of Ireland. EML Money DAC is authorised and regulated as an issuer of electronic money by the Central Bank of Ireland under registration number C95957. EML Money DAC is deemed authorised and regulated by the Financial Conduct Authority. Details of the Temporary Permissions Regime, which allows EEA-based firms to operate in the UK for a limited period while seeking full authorisation, are available on the Financial Conduct Authority’s website. Registered office: EML Payments, 2nd Floor La Vallee House, Upper Dargle Road, Bray, Co. Wicklow, Ireland. Company Registration number: 423276.

Apple Pay and Apple Watch are trademarks of Apple Inc. Google Pay is a trademark of Google LLC.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

CoinJar logo
CoinJarGet the app.