Flipster Exchange security approach: Q&A on security certifications, bug bounties, and user protection

Amidst a volatile and evolving crypto market, crypto exchanges face a bigger adversary determined to compromise user data and funds. This week, we sat with Flipster’s Chief Information Security Officer (CISO), Justin Hong, for an exclusive interview. Hong opened up about how the crypto trading platform fortifies itself through certifications, product innovation, and real-time threat response.

According to Hong, Flipster has rolled out over 15 product-level security updates this year alone. These updates, paired with their ISO/IEC 27001 certification and an ‘AA’ rating from CER.live, assure users of a safe and secure trading environment.

Working at Flipster

Q: Hello Justin, please start telling us a bit about yourself, your role as Chief Information Security Officer, and why it is essential for Web3 companies. 

A: I’ve spent the past 16 years in cybersecurity, with experience across banking, fintech, and blockchain. Each space brings its challenges, and together they’ve shaped how I approach security, especially in Web3, where the stakes are uniquely high. The level of exposure here is unlike anything in traditional finance. There’s more user control, more innovation, and unfortunately, more attention from bad actors.

At Flipster, I lead the global security function, which covers everything from risk management and compliance to incident response and embedding international frameworks like ISO/IEC 27001 into our operations. Crypto moves fast, and threats evolve just as quickly. We build with that in mind—always thinking ahead, not just reacting.

Q: What is it like working at Flipster in the fast-paced, high-risk world of crypto trading platforms?

A: There’s a lot on the line, which is exactly what makes the work so rewarding. Security in this space isn’t passive. You’re up against some of the most creative and determined adversaries in tech. It keeps you sharp, and it forces you to keep evolving.

What stands out at Flipster is how aligned everyone is. The mission is clear: we’re here to build a secure, reliable trading platform that people can count on. You see that focus in the way we work—close collaboration, fast feedback loops, and constant testing. 

Q: How do you define trust at Flipster, and how is your team working to build and maintain it?

A: Trust builds over time through consistency—being transparent, clear, and accountable. We communicate how we manage risk, protect user funds, and respond to incidents. If something goes wrong, users deserve to know what happened and how it’s being addressed.

On the backend, we run a zero-trust model. Every system and user is treated with the same scrutiny, internal or external. That mindset helps us stay ahead of phishing threats and other insider risks. But security can’t come at the expense of user experience. We’re constantly refining features to make things more secure and more intuitive. When those two things work in harmony, users don’t have to choose between safety and usability.

Flipster’s ISO/IEC 27001 and CER.live certification

Q: Crypto platforms are becoming a ‘hotbed’ of security incidents, which in most cases result in the loss of substantial amounts of money. While working at Flipster, have you encountered such an attempt, and how did you go about containing it?

A: We’ve seen our share of incidents—DDoS attacks, phishing campaigns, and impersonation attempts, to name a few. These threats are real and constant.

Take DDoS, for example. Attackers have tried to disrupt our platform and even attempted ransom tactics. But we have built-in detection and mitigation controls at every layer, and our response teams are trained to act fast. In phishing scenarios, malicious actors have posed as job applicants or partners to try to trick our team into opening harmful files. Our systems are designed to catch these threats quickly, and we follow up with deep post-incident analysis to harden our defenses even further.

Q: Flipster recently received an AA certification from CER.live. What does the certification entail, and what does it mean for users?

A: 2018, CER.live has evaluated hundreds of exchanges using a rigorous methodology built on 18+ security indicators. It’s one of the more trusted independent benchmarks in the space.

For users, this kind of certification is a clear signal. It tells you a third party has vetted our platform and validated the quality of our security. Pair that with our ISO/IEC 27001 certification, and you start to see a picture of a company that takes trust seriously, not just in what we say but also in how we operate.

Q: Beyond the CER.live certification, what key security practices or protocols has Flipster recently implemented that users should be aware of?

A: We’ve rolled out over 15 product-level security features this year. Some key upgrades include passkey support, withdrawal locks, and address whitelisting. Each one gives users more control and adds another layer of protection.

I always recommend enabling both passkeys and the address book for withdrawals. These simple steps make a real difference. We’re also building new device management tools that will let users track and manage the devices accessing their accounts—another way we’re helping them stay in control.

Q: Some platforms have achieved an AAA rating from CER.live. Is this a goal for Flipster? What security measures are you working on to get there?

A: It’s on our radar, and we’re making steady progress. We’re focused now on strengthening server protections, rolling out anti-phishing tools, and giving users greater control through enhanced device management features.

At the end of the day, we’re not chasing badges, but chasing what actually improves the platform for our users. If something adds real value and strengthens our defenses, we build it. The AAA rating is a milestone, not the finish line.

Bug Bounty and security features

Q: How does Flipster ensure that white-hat hackers are incentivized in a way that aligns with the exchange’s long-term trust and transparency goals?

A: We’re working with Hackenproof on a public bug bounty program, giving researchers a clear, trusted path to share their findings with us. Their team reviews submissions for impact and quality, and we provide fair rewards based on severity.

Beyond finding bugs, it’s about engaging the global security community in our mission. When researchers know their work is valued and acted on, they’re more likely to help make the ecosystem stronger. It’s a win for everyone.

Q: As a CISO and a thought leader in the space, what advice would you give to other companies working to improve their security standards?

A: Get the basics right first. Most breaches happen because of basic oversights—missing patches, open permissions, weak access control. Get those right, and you’ll eliminate a huge portion of your risk.

Beyond that, invest in your people and your processes. You can have all the tools in the world, but if your teams aren’t trained or your incident playbooks aren’t tested, you’re vulnerable. Build a culture where security is everyone’s job, not just the CISO’s. That mindset shift can take time, but it’s worth every effort.

Q: Finally, social engineering attacks are also rampant in the space. What measures have you implemented to ensure that users are protected, or rather informed of attempts to compromise their accounts?

A: We consider social engineering in two buckets: account takeovers and fraudulent transfers. First, we’ve built in strong protections like passkeys, 2FA, real-time login alerts, and address whitelisting. Soon, we’ll add device management, too.

User education plays a big role in fraud prevention. We share regular security updates and are developing tools that flag suspicious or known scam addresses. The goal is to give users both the knowledge and the tools to stay safe. A well-informed user is one of the best lines of defense.