Bitcoin Forum

Bitcoin => Project Development => Topic started by: pikapay on March 18, 2013, 11:09:13 AM



Title: ANNOUNCEMENT: PikaPay.com Vulnerability Bounty Program
Post by: pikapay on March 18, 2013, 11:09:13 AM
PikaPay.com (http://PikaPay.com) Vulnerability Bounty Program

Reward payouts of between 0.001 and 100 BTC for reporting security vulnerabilities.

We invite security specialists and the community at large to participate in our bug rewards program.

One of the keys to the widespread adoption of Bitcoin is security.

Together we can redefine the future of online cash by making Bitcoin easy and safe enough for anyone to use.  Help us improve privacy and security and bring the benefits of Bitcoin to everyone.

To take part in this hacking competition, please read the program guidelines here.

Forum members are also welcome to participate in our beta test.  See details below.

If you want to make feature requests or any other suggestions, mail them to hello@pikapay.com.



The Bounty Program

Summary, or How to Participate in 3 Easy Steps

First, sign in to PikaPay's mobile web application via pikapay.com (https://pikapay.com)

Second, refer below to the terms of the reward program.

Third, if you believe you have discovered a bug or vulnerability in PikaPay or have encountered a security incident, report it to security@pikapay.com.


Background

PikaPay: A system for exchanging virtual currency using open source technology and social media.

We launched the first Bitcoin to Twitter application, a tipping system, more than 18 months ago.  We are now opening our Twitter payment service, PikaPay, to an invitation-only beta program.  Visit PikaPay.com to request an invitation, or use PikaPay.com (https://PikaPay.com) to just start testing immediately.

The PikaPay Security Team will maintain a bounty program to encourage security investigation that can be used to benefit the Bitcoin community.

Scope

Any web services operated by PikaPay are considered in scope for this program.

The following list of bugs will likely qualify for a reward:

Any fault in PikaPay services that substantially compromises the integrity or confidentiality of user data.  Some examples that fall into this category:

  • Authentication and authorization mechanism faults;
  • Command injection bugs;
  • Cross-site scripting, cross-site script inclusion and cross-site request forgery;
  • Mixed scripting; and
  • Server-side code execution.

Some examples that do not merit a reward:

  • Application of SEO tactics;
  • Attacks on physical facilities or PikaPay infrastructure;
  • Brute force denial of service faults;
  • Involvement of social engineering;
  • Vulnerabilities in non web applications and in services operated by third parties.

There are also exceptional cases -- such as bugs that are repeatable only through the use of out-of-date browsers or plugins -- which will also not qualify for a reward.

For the sake of PikaPay's availability, you are asked to avoid using any tools that create unusual amounts of traffic or conducting any behavior that will disrupt other users.

Payouts

Reward payouts range from 0.001 to 100 BTC. Decisions concerning the rewards are made at PikaPay's sole discretion.  For example, PikaPay may elect to pay out higher rewards for the discovery of unusually severe or skillful exploits.

Disclosure

PikaPay will cooperate with a coordinated bug disclosure policy, and will make best efforts to respond to vulnerabilities as soon as possible after receiving advance notification.  Parties who do not observe this policy or who do not avoid disclosing flaws to third parties will most likely be disqualified from receiving a reward.

Only the first person to report a previously undiscovered vulnerability will qualify for a reward, although smaller bounties may still be given to other contributors.

We plan to acknowledge all significant contributors publicly unless you tell us you prefer to remain anonymous.  You can also elect to receive a reward anonymously or to have it paid to a charitable cause of your own choosing.  If a reward is not claimed within 30 days, it will be donated to ProjectPika, to support preservation of the pika species.


Title: Re: ANNOUNCEMENT: PikaPay.com Vulnerability Bounty Program
Post by: pikapay on March 27, 2013, 11:30:57 AM

Update

Thanks to everyone for the excellent feedback in the first week of this program.  We've already privately acknowledged the submissions we've received so far.  Some are eligible for bounties.

We plan to release a preliminary report of our findings very soon -- just watch this space.

In the meantime, we look forward to reports of new vulnerabilities and ZTs:  security@pikapay.com


Beta Test

Forum members interested in taking PikaPay for an early test drive, mail hello@pikapay.com or ask @PikaPay for #bitcoin if you'd like to get an invite.


Title: [ANN] PikaPay.com Vulnerability Bounty Program
Post by: pikapay on May 06, 2013, 09:55:16 PM

Two Updates

First, a reward has been paid for the lone vulnerability discovered back in March.  The Bounty Program continues for interested parties.

Second, please see https://bitcointalk.org/index.php?topic=197295.msg2052985#msg2052985 (https://bitcointalk.org/index.php?topic=197295.msg2052985#msg2052985) for the latest developments on PikaPay's new Bitcoin API.


Title: Re: ANNOUNCEMENT: PikaPay.com Vulnerability Bounty Program
Post by: ASICPool on May 07, 2013, 01:22:49 AM
Sent in my first of (hopefully) many!

Cheers!


Title: Re: ANNOUNCEMENT: PikaPay.com Vulnerability Bounty Program
Post by: pikapay on July 14, 2013, 10:10:13 AM

We've just now announced payout for two vulnerabilities and a third unofficial bounty.

For details see http://j.mp/1bcgQ5O


Title: Re: ANNOUNCEMENT: PikaPay.com Vulnerability Bounty Program
Post by: pikapay on September 08, 2013, 11:08:39 AM
Update 8 September 2013

We've just now announced payout for reports submitted since July.

https://bitcointalk.org/index.php?topic=290111.new#new



Title: Re: ANNOUNCEMENT: PikaPay.com Vulnerability Bounty Program
Post by: pikapay on September 08, 2013, 11:29:32 AM
Update

Instructions

With all reports you submit, please provide direct, specific (not theoretical) evidence of the vulnerability, including exact steps to reproduce it.  We require a written step-by-step explanation of how your reported issue can actually be exploited.

The specificity, completeness and clarity of your communication will be taken into account in evaluating the severity of your reported vulnerability for a possible bounty.

We value all contributions but are specifically looking for reports that can demonstrate a very specific viable vulnerability with respect to our application much more than a general or theoretical finding.  The latter is also appreciated but may not be evaluated the same way.


Acknowledgements

All acknowledgements will be publicly reported to BitcoinTalk.

With every submission please include your Bitcoin address or your Twitter Name for possible payment.

If you would like to be publicly acknowledged for your findings please also let us know if there is a preferred name you would want us to use in the announcement.