We offer large security bounties for responsibly reporting security vulnerabilities in bitcointalk.org. We have paid over $19 000 in bounties in the past.

The amounts below are listed in US dollars, but we only pay bounties in Bitcoin.

Reference bounty amounts

The bounty amount varies depending on what the vulnerability allows you to do:

• $50 000: If you can access any user's PMs arbitrarily, without any interaction from the user, and without any secret data such as user passwords.
• $20 000: If you can access any arbitrary user's email address (if set hidden), password hash, viewed-topics log, or IP log; without any interaction from the user, and without any secret data such as user passwords. If you already have an email address, matching it to a user is not a bug.
• $10 000: If you can make undetectable edits to arbitrary posts or PMs. Compromising a moderator account doesn't count.
• $2 000: If you can send a user a link, and if they click on it then you will be able to gain access to their account automatically, without any further action from them aside from just visiting one link. Phishing sites don't count; it has to be some sort of CSRF-type attack. You can't assume that you have any secret data about the user such as their session cookie.
• $2 000: If a regular user without any special permissions can persistently inject JavaScript into a page. If you need a more privileged user, the award amount is halved, and there is no award if you need an administrator account.
• $1 000: If you can move or delete a post that you are not supposed to be able to.

If your bug allows you to do multiple things at once, then you only get the highest applicable award. If you send us multiple bugs which would be worth over $200 000 in total in a 1-year period, we reserve the right to cap your payment to $200k; beyond this point, you should confirm with us in advance that we will pay for more bugs.

We may consider awards for other types of security bugs not listed above, and for security issues that are not software bugs, at our discretion. However, you should not expect any payment for non-security issues. We also don't typically give awards for denial-of-service issues. If a bug doesn't quite neatly fall into an above category, then we will probably pay an amount which seems appropriate, at our discretion; for example, if you can access the IP addresses of 10% of users due to something special about those users, perhaps we would pay half of the $20k bounty.

If you can compromise one or even many accounts due to something that is primarily the user's fault, such as them using a weak password or a disposable email service, then that is not generally eligible for an award, even if you might be able to say that bitcointalk.org could implement measures to mitigate the attack.

We would like to establish a reputation for paying fair, reasonable amounts for useful reports, not for rule-lawyering and nickel-and-diming people, but whether and how much we pay is always at our sole discretion.

Requirements

• You must report the bug to the bugs email address listed on the contact page. You must not publish it elsewhere or share it with anyone else.
• Your report must be immediately actionable and a solvable problem with bitcointalk.org. If your report is so vague that we would have to hire someone to even determine if your bug actually exists, then it's no good. If we cannot look at the code and see the bug in less than an hour, then generally you will need to have a proof-of-concept. You need to convince us that we need to fix something; if you fail to convince us, then you will not get an award, even if the vulnerability is later exploited.
• Only the first person who tells us about a vulnerability (and convinces us that it exists) gets the award.
• If your testing of the vulnerability causes significant disruption, your award may be reduced or eliminated.
• In some cases, some personal information may be required for tax reasons.