Bug Bounty Program

Help us keep our licensing secure — we'll pay you for it.

1. Scope

Only one thing is in-scope: any way to run our product without a valid, paid licence. Cracks, patches, keygens, response forgery, HWID spoofing, cache reuse — anything that results in a working unlicensed client.

Out-of-scope: Issues that don't lead directly to unlicensed use of the product — DoS, info disclosure, hardening suggestions, UI bugs, and similar. These reports are still welcome and the author will be credited, but they fall outside the paid bounty.

2. Severity & Payouts

Payouts are based on one thing: how easily someone could use the product without paying. The more universal and reliable the bypass, the bigger the reward.

Severity: CRITICAL
Payout (USD): $1,500 – $3,000
What qualifies: Universal, repeatable unlicensed use. A method that works for anyone, on any machine, without a paid licence.
  • Forge a valid licence response the client accepts
  • Working keygen / serial generator for our licence format
  • MITM the licence check and inject a success response the client trusts
  • A patched / cracked build that runs fully functional with no server contact and no per-machine binding
  • Any break that lets unlimited people use the product for free

Severity: HIGH
Payout (USD): $500 – $1,000
What qualifies: Partial bypass — works, but limited.
  • HWID spoofing that lets a single paid key run on multiple machines
  • Copying activated state from a licensed machine to an unlicensed one and it keeps working
  • Patching the HWID or licence-check routine in one binary to accept any key
  • Replaying another customer's valid response to unlock your own install

Severity: LOW
Payout (USD): $50 – $150
What qualifies: Theoretical / heavy effort per user. A bypass that technically works but is slower or harder than just buying the product. Example: extracting hardcoded keys that still require complex steps to weaponize.

Severity: OUT OF SCOPE
Payout (USD): Credit
What qualifies: Non-auth issues — DoS, crashes, info leaks, best-practice suggestions, UI bugs, hardening. Author will be credited.
Note: Final payout inside a range is decided by how universal and reliable the bypass is. A one-click crack anyone can run is worth the top of the range; a theoretical break with 20 manual steps is worth the bottom.

3. How to Report

Send your report privately on Telegram:

@PureCoder_Seller_Bot

Your report must include:

  1. Vulnerability description
  2. Step-by-step reproduction
  3. Proof of concept (patched binary, script, or short video)
  4. Impact — what exactly does this let an attacker do
  5. Suggested fix (optional — including a good fix increases your payout)

4. Rules

  1. Please keep findings private. We ask that reports stay confidential — no blog posts, tweets, CVE filings, writeups, forum posts, or sharing with third parties, before or after the fix. Public disclosure voids the payout and future eligibility.
  2. First valid reporter only. Duplicates get credit but no payout.
  3. Do not test against other customers' licences or production data beyond your own account / test licence.
  4. Payout in BTC after the fix is deployed.
  5. All submitted materials (PoC, patched binaries, notes) become confidential property of PureCoder and must be deleted by the reporter after payout.
  6. Please don't share patched or cracked builds with anyone else. Distribution voids the payout and takes the work outside the scope of security research.

5. Response SLA

Triage within 72 hours
Critical fix within 7 days
High fix within 30 days
Low fix within 90 days
