Global Payout & Compliance Policy

Triage
Last updated on

Purpose and scope

This policy explains where and how Triage can pay bug bounty rewards in crypto and fiat, and the baseline legal and compliance rules that apply. This policy may change as laws, regulations, and payment-partner coverage change. This policy is for general information only and does not constitute legal, tax, or investment advice. Your obligations depend on your situation and local laws.

Definitions

  • Triage / Triage Security / we / us: Triage AI Security, Inc., the company that operates the platform.
  • Researcher / you: A person who reports valid security vulnerabilities to programs hosted on our platform.
  • VDP (Vulnerability Disclosure Program): A program that accepts good-faith vulnerability reports, sometimes without guaranteed rewards.
  • BBP (Bug Bounty Program): A program that pays rewards for in-scope security vulnerabilities under defined rules.
  • Payout: A payment in fiat currency or crypto made by Triage to a researcher to recognize a valid security vulnerability reported under a VDP or BBP.
  • Crypto: A tradeable digital asset with a market value that can change over time. Currently supported payout assets: USDC, Ethereum (ETH), and Bitcoin (BTC).
  • KYC (Know Your Customer): Identity verification required to comply with law and payment-provider rules.
  • KYC data: Information used for verification and compliance, which may include legal name, date of birth, address, government ID numbers, ID documents, and biometric data (such as face images used for verification), depending on the verification method and provider.
  • Region: A country or territory and the laws that apply to it.
  • MiCA: The EU/EEA Markets in Crypto-Assets Regulation (and related implementing rules as applicable).

Where we support crypto and fiat payouts

We enable crypto and fiat payouts (through licensed third-party payment providers) for researchers located in the following regions, subject to payment-partner availability and compliance checks:

Australia; Austria; Belgium; Bulgaria; Canada; Croatia; Cyprus; Czech Republic (Czechia); Denmark; Estonia; Finland; France; Germany; Greece; Hungary; Iceland; Ireland; Italy; Japan; Latvia; Liechtenstein; Lithuania; Luxembourg; Malta; Netherlands; Norway; Poland; Portugal; Romania; Singapore; Slovakia; Slovenia; South Korea; Spain; Sweden; Switzerland; United Kingdom; United States of America.

Important:

  • Availability depends on our payment partners supporting payouts to your region and your ability to pass compliance checks.
  • We may add or remove regions and payment methods at any time for legal, compliance, operational, or partner-coverage reasons.

Payment partners and payout methods

  • Crypto payouts: We use Coinbase (or an equivalent licensed partner) to facilitate crypto payouts where supported.
  • Fiat payouts: We use Stripe (or an equivalent licensed partner) to facilitate fiat payouts where supported.
  • We also use sanctions screening, AML, and blockchain-analytics vendors to support compliance controls.

We do not operate a crypto exchange or order book, and we do not provide a custodial wallet for users. Payout rails and compliance checks are performed by Triage and/or our licensed partners as applicable.

General rules (all regions)

KYC, sanctions, and AML

  • KYC required: You must complete identity verification before receiving payouts.
  • Sanctions screening: We screen users (and where applicable, payout destinations/addresses) against U.S. and other applicable sanctions/watchlists. If you or your region is prohibited or flagged as high-risk by our screening providers, we may refuse or block payouts and/or close your account.
  • AML / fraud checks: We may apply additional checks, request additional documentation, delay payouts, limit payout methods, or refuse payouts if we detect elevated risk (including fraud, abuse, money-laundering risk, or policy violations).

Tax documentation and reporting

You are responsible for understanding and paying taxes owed in your jurisdiction on bounty rewards, including crypto rewards. We do not provide personal tax advice.

U.S. recipients (U.S. persons):

  • We will request a completed Form W-9.
  • We will issue the applicable U.S. tax forms (for example, Form 1099-NEC or Form 1099-MISC, as appropriate) when required by law based on the rules for the relevant tax year.

Non-U.S. recipients:

  • We will request the appropriate Form W-8 (for example, W-8BEN for individuals or W-8BEN-E for entities) to document foreign status.
  • We do not generally withhold U.S. tax from payouts to non-U.S. persons, but we reserve the right to withhold or report where required by law or by our payment partners.

Classification (independent contractors)

Researchers are treated as independent contractors, not employees. You are responsible for your own local tax filings and any social contributions. Triage’s role is limited to:

  • facilitating payouts via payment partners,
  • completing compliance checks, and
  • issuing any required tax reporting forms where applicable.

Record-keeping and data security

  • We keep KYC data, payout records, and sanctions/AML screening results for at least 5 years, and longer where required by law, by our payment partners, or for legitimate business and compliance needs.
  • We protect this data using reasonable security safeguards, including encryption and access controls, and restrict access to personnel with a need to know.
  • For details about how we handle personal data, please see our Privacy Policy.

Age limits

  • You must be 18 years of age or older to receive payouts on our platform.
  • Users aged 13–17 may be permitted to use the platform and submit reports where allowed by local law and program rules, but we will not send payouts to users under 18.
  • If you are under 18, we may record the amount associated with eligible reports in your account for tracking purposes. When you turn 18, you may request payouts after completing KYC and any additional checks, subject to then-current policies, partner availability, and applicable law.
  • We are not a bank or depository institution, do not provide deposit insurance (such as FDIC insurance), and do not pay interest. Crypto values may go up or down over time.

Region-specific notes

Canada

We are not registered as a Canadian money services business (MSB) and do not hold ourselves out as providing MSB services. We facilitate payouts using licensed third-party payment providers where required.

EU / EEA

Based on our current business model, we do not intend to act as a crypto-asset service provider (CASP) for purposes of custody or exchange services for users’ crypto. We rely on regulated third-party payment partners (where applicable) to handle regulated crypto services.

United Kingdom

We do not operate as an FCA-regulated cryptoasset exchange or custodial wallet provider. We rely on third-party partners to handle regulated crypto services where applicable.

Singapore, Australia, Japan, South Korea

We do not operate local exchanges or custodial services in these regions. We use locally licensed partners where required by local law and treat payouts as payments to independent contractors.

Regions where we allow crypto and fiat payouts with limits

For the following regions, we may support crypto and fiat payouts, but we may limit payout methods, amounts, or recipients for risk and compliance reasons:

Argentina; Brazil; India; Israel; Mexico.

For these regions:

  • Researchers are treated as independent contractors.
  • We may provide a statement of total payouts in USD-equivalent for your records.
  • You are solely responsible for determining and paying any taxes owed in your jurisdiction on bounty rewards, including those paid in cryptocurrency, subject to any withholding or reporting obligations that may apply to us under applicable law.
  • For legal and risk reasons, we may:
    • cap payout amounts per researcher,
    • restrict certain assets or payout rails,
    • require additional documentation or checks, or
    • delay or refuse payouts if required for compliance.
  • Where possible, we will offer a fiat payout option (for example, via partner-supported bank payouts) to support international collaboration.

Fiat-only regions

Some regions may restrict the use of crypto as a payment method. For the following region, payouts are limited to fiat currencies:

  • Vietnam
    • Researchers in Vietnam may use the platform and participate in programs where permitted.
    • We will not pay Vietnamese residents in crypto. We will offer fiat payouts only (such as partner-supported cross-border bank payouts where available).
    • We may maintain and update a “Fiat-Only” list for other regions where crypto payouts create elevated legal or operational risk.

Sanctioned and blocked jurisdictions

As a U.S.-based company, we must comply with U.S. sanctions laws and similar regimes. For legal and risk reasons, we will not conduct business (including payouts) with users located in any country or region subject to comprehensive U.S. sanctions (for example, Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine), or with any individual or entity that is prohibited under applicable sanctions laws or flagged by our sanctions-screening providers.

Because sanctions lists and risk ratings change frequently:

  • We do not publish a fixed, exhaustive list in this policy.
  • We maintain a “Blocked Jurisdictions” list in our systems based on official sanctions sources and our screening providers.
  • If your verified region of residence, IP address, payment details, or other information indicates you are in a blocked jurisdiction or are otherwise prohibited: you will not be able to receive payouts (crypto or fiat), and we may disable or close your account.

We reserve the right to update access and payout restrictions at any time to comply with new sanctions, export controls, or other legal requirements.

What we do and do not do (across all allowed regions)

Across all allowed regions, we will:

  • use KYC prior to payouts,
  • screen users (and where applicable, payout destinations) against sanctions and AML risk lists,
  • use external partners and compliance vendors where appropriate,
  • treat researchers as independent contractors,
  • make clear that researchers are responsible for their own local tax compliance,
  • reserve the right to block, delay, or refuse payouts or accounts for sanctions, AML, fraud, abuse, policy violations, or legal risk.

We will not:

  • operate a crypto exchange or order book for users,
  • operate a custodial crypto wallet for users or hold crypto “on behalf of” users,
  • transmit funds between users,
  • provide personalized legal, tax, or investment advice.

Contact

If you have questions about this policy or how it applies to you, contact us at [email protected].