AgoraDesk will be winding down

The winding down process begins May 7th, 2024, and finishes on November 7th, 2024. Our support staff will be available for help throughout this period.
  1. Effective immediately, all new signups and ad postings are disabled;
  2. On May 14th, 2024, new trades will be disabled as well;
  3. On November 7th, 2024, the website will be taken down. Please reclaim any funds from your arbitration bond wallet prior to that date, otherwise the funds may be considered abandoned/forfeited.

AgoraDesk Whitehat Program For Security Researchers

Responsible Disclosure

Responsible disclosure includes:
    1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
    2. Making a good faith effort to not leak or destroy any AgoraDesk user data.
    3. Not defrauding AgoraDesk users or AgoraDesk itself in the process of discovery.
In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.


In general, anything which has the potential for financial loss or data breach is of sufficient severity is eligible, including:
    • XSS
    • CSRF
    • Authentication bypass or privilege escalation
    • Click jacking
    • Remote code execution
    • Obtaining user information
    • Accounting errors
In general, the following would not meet the threshold for severity:
    • Lack of password length restrictions
    • Session-related issues (session fixation etc.)
    • Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.
    • Self-XSS
    • Denial of service
    • Spamming
    • Vulnerabilities in third party applications which make use of the AgoraDesk API
    • Vulnerabilities which involve privileged access (e.g. rooting a phone) to a victim's device(s)
    • Logout CSRF
    • User existence/enumeration vulnerabilities
    • Password complexity requirements
    • Reports from automated tools or scans (without accompanying demonstration of exploitability)
    • Social engineering attacks against AgoraDesk employees or contractors
    • Text-only injection in error pages
    • Automatic hyperlink construction by 3rd party email providers
    • Using email mutations (+, ., etc) to create multiple accounts for a single email
AgoraDesk will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.
Please note, while we are still a growing startup we are unable to provide enormous compensation.


Please send a detailed step-by-step instruction on how to reproduce the bug to to
By submitting a bug, you agree to be bound by the above rules.
Known issues SHA256.

Thank you for helping keep the cryptocurrency community safe!