Bitcoin Forum

In this topic I would like to make an overview of (all) vulnerability reward programs within the bitcoin community (and/or programs with bitcoin rewards.) If you are aware of a security bounty which is not yet listed, please share it with us :)

Not allowed on probably all websites:

• DDoS / DoS
• Using automated software (including brute forcing)
• Sharing the vulnerabilities without disclose first (some do allow after fix)
• Exploit the vulnerability in a malicious way / steal private info / etc

Make sure to read the specific terms for each program first !!

Bitcoin related websites
Website	Bitcointalk topic	Platform	Reward in bitcoins	Since
bitcointalk (https://bitcointalk.org/index.php?topic=309785.0)	#309785 (https://bitcointalk.org/index.php?topic=309785.0)	nginx/PHP/MySQL/SMF	BTC0.2 - BTC20 (based on XAU)	10-2013
kraken.com (https://www.kraken.com/security/bug-bounty)	#166828 (https://bitcointalk.org/index.php?topic=166828.0),#290799 (https://bitcointalk.org/index.php?topic=290799.0)	..	BTC1+	04-2013
pikapay.com (https://www.pikapay.com/bitcoin-bounty/)	#154465 (https://bitcointalk.org/index.php?topic=154465),#290111 (https://bitcointalk.org/index.php?topic=290111), #476909 (https://bitcointalk.org/index.php?topic=476909)	..	BTC0.001-BTC100	03-2013
coinbase.com (https://coinbase.com/whitehat)		..	$1000+	2013
coindrawer.com (https://www.coindrawer.com/whitehat/)		..	..	2013
coinkite.com (https://coinkite.com/faq/responsible-disclosure)		..	BTC0.25+	2013
coinx.com (https://www.coinx.com/Coinx/BagOurBugs)		..	..	2013
rugatu.com (http://www.rugatu.com/questions/6115/can-you-find-some-bugs)		Django/OSQA	BTC0.001-BTC2	01-2013
netagio.com (http://netagio.com/bug-bounty-programme)		.NET	BTC1+
bitcoin.de (https://www.bitcoin.de/en/bug-bounty)		..	..	01-2014
bittrex.com (https://bittrex.com/Home/Bounty)	#463202 (https://bitcointalk.org/index.php?topic=463202.0)	..	BTC0.01-BTC10	02-2014
btxtrader.com (https://www.btxtrader.com/bugbounty.html)		..	...	2013
localbitcoins.com (https://localbitcoins.com/whitehat)		Django	$1.000+	03-2014
okcoin.com (http://www.reddit.com/r/Bitcoin/comments/232fze/okcoin_white_hat_promotion_win_anywhere_from/)			BTC1-BTC100	04-2014
counterparty.co (https://www.counterparty.co/resources/bug-bounty-program/)			$20-$2000 (in BTC/XCP)	03-2014
coinpunk.com (https://github.com/kyledrake/coinpunk/blob/master/docs/H4XX0RZ.md)		Node.js	$100+	01-2014
masterxchange.com (https://masterxchange.com/bounty.php)		..	BTC0.2-BTC2+	01-2014
rtbtc.com(ZeroBlock) (https://rtbtc.com/support/security/)		..	..	2014
Non-BTC related sites with BTC reward
Website		Platform	Reward in bitcoins	Since
launchkey.com (https://launchkey.com/whitehat)		..	$200+	2013
polarssl.org (https://polarssl.org/website-bug-bounty-program)			€50+
whmcs.com (http://www.whmcs.com/security-bounty-program/)			$250-$5000

* all websites are linked to the program info because you should read the terms first
** the "since" date is NOT the date since the site exists, but an estimation since when the bounty reward was officially announced in public
*** I am not vouching for any of these programs, your "time investment" is your own risk


Please share other websites that are running security bounties for bitcoin rewards. You may also share your experience with any of these programs. Have fun with hacking and be responsible :)

Are you a website owner?
If you own a website, consider running a vulnerability reward program too! This way your website will be more secure and there is a much bigger chance that a whitehat (non-harmful) hacker helps you with the security instead of a blackhat hacker who abuses vulnerabilities. Look at these example websites for information how to run a program like that. Making a page on your site + topic here should be enough.

This is going to keep me busy for a while, at work :p
Thanks for sharing.

You are welcome.

I only know these programs since a few days but already found 4 vulnerabilities in 3 different sites (non very crucial, mostly XSS) but definitely having fun, still learning new things and getting some bounties :)

So... no "other hackers" here ? ::)

It's a really helpful effort, probably deserves to be stuck/pinned.

Thanks :)

Even today I read that Flexcoin (http://www.flexcoin.com/) got hacked, 896 BTC stolen, site closing down. Also today: BTC Stolen from Poloniex (https://bitcointalk.org/index.php?topic=499580.0). If there are site owners reading this, please consider adding a security bug bounty before it's too late and a hacker abuses any bugs !! Better pay a whitehat security specialist 1 BTC than losing it all.

There are not that many replies in my topic.. so I guess there are not that many "security specialists" here :P so that would be a reason to not pin it. However I do think this is very important and a really effective way of making bitcoin sites more secure. Especially in a time where bitcoin sites still get hacked every day. So from that perspective any more exposure to this topic is good :)

I have added bitcoin.de to the list, see: https://www.bitcoin.de/en/bug-bounty This program has been running since (late?) January but I didn't notice it yet. They say "We will reward your effort at Bitcoin.de. The rate depends on the size and relevance of the safety leaks. ".

Also added bittrex.com, running since 2 weeks only, see: https://bittrex.com/Home/Bounty reward between BTC0.01 and BTC10

2 more added: btxtrader.com and whmcs.com. whmcs.com is not a bitcoin related website but they say "Rewards can be paid out via PayPal, BitCoin, or Western Union" between $250 up to $5000.

If anyone knows any other big bounty program within the BTC community, let us know :)

Great to see that localbitcoins.com also added a bug bounty program: https://localbitcoins.com/whitehat AFAIK, This program has been there only for a few days.. so if there are any security vulnerabilities, you can still be the first to report :)

$1.000+ in bitcoin for reporting a previously unknown security vulnerability of sufficient severity.

Only running their program since 1 day: poloniex.com, up to BTC2 see for more details: https://www.crowdcurity.com/users/poloniex/programs/poloniex-1de59

Added prelude.io > https://www.crowdcurity.com/users/moolah/programs/prelude-by-moolah Rewards: $50 - $600+ , running since 3 days only.

Added btcvid.net > https://www.crowdcurity.com/users/btcvid/programs/btcvid get up to 1 Bitcoin, running since 8 days.

Added bit2c.co.il > https://www.crowdcurity.com/users/bit2c/programs/bit2c $100 - $1000+, program since 17 days.


crowdcurity.com changed privacy settings of earlier programs which means I can share them here in public too, so added some other programs too.

Total of 29 bug bounty programs for bitcoins now :)

Found a legit XSS bug on spendbitcoins.com (that could be used to steal someone's session etc), reported it, was fixed 1 day later, no reply, 1 month later I asked crowdcurity why it took so long, another 1 week later I got a reply from spendbitcoins.com saying "they cannot replicate it". So they fix the bug in 1 day, then reply 1 month later that they cannot replicate it. Seems like a cheap way to run a bounty program.

So be careful with the program of spendbitcoins. I asked CrowdCurity and they said "business have the final call in these matters" so isn't much of a help either. So my recommendation would be to be careful with all the programs that CrowdCurity runs.

Hi all,

Esben from CrowdCurity here. First of all I want to say thanks to NLNICO for maintaining this nice list. Secondly I would like to add a comment to the spendbitcoins.com case. I understand that it can be frustrating from a tester's perspective when a potential vulnerability is rejected by the site owner. However allow me to provide some general insight to how CrowdCurity works - which might help clarify the matter.

CrowdCurity is a marketplace for bug bounty programs. I.e. we enable businesses to to connect with security researchers.
 
Currently the platform allows for the business to give feedback to the tester, and just like any other bug bounty program you would find on the web, it is the business who decides what is eligible for a reward. In cases where a researcher can present proof of any misuse of the platform by the business, we will try our very best to mitigate and in worst case stop the bug bounty program. However we don't want to be the judge on specific vulns but rather want to build in features that allows for the community to sort potentially issues via ratings and feedback mechanisms.

We are currently building features that will allow researchers to provide feedback to the business and raise flags to warn other testers of a specific business conduct. This will be done in order to create a platform where both businesses and researchers can improve based on the feedback that they get. Basically we are looking for a bottom-up solution rather than us being the judge on potential conflicts.

Once again we want to thank the security community for using our platform and helping improve the overall security for bitcoin businesses.

- Esben

NP.

My name is NLNico though.

Currently security researchers can submit a vulnerability and the program can basically say "no fuck off" and reject it, and there won't be any way to even reply to that.


I hope these features can be built quick as I think it's really needed. Especially if you imply to be "a marketplace only". If it's "a marketplace only" there should be a way for the researcher to contact the business.




Besides that I do think the concept of your website is great so I will def keep updating my list with the programs on your website too.

Added okcoin.com > http://www.reddit.com/r/Bitcoin/comments/232fze/okcoin_white_hat_promotion_win_anywhere_from/ - https://www.okcoin.com/t-1008270.html

Reward: BTC1-BTC100

A blog post with some mixed feelings (mostly complaints I guess) about the coindrawer.com program: http://blog.justinsteven.com/posts/2014/04/17/coindrawer-bug-bounty-program/ Decent read.

Added coinnext.com > https://www.crowdcurity.com/coinnext/coinnext-f0019 Program running since 5 days. Reward: BTC0.05 - BTC1+

Also added counterparty.co ($20-$2000) and coinpunk.com ($100+), they have been running for few months though.

Added masterchain.info, blockchain.info and quadrigacx.com

Blockchain.info already rewarded security researchers unofficially, but now they have partnered up with CrowdCurity.

Thanks for sharing, it is excellent way to earn some extra BTC and learn more about site vulnerability

I found a hole in this system, a small hole

Op, you should update this thread as many of the programs are not live, some of the exchanges have even stopped. One program you can add is Facebook which also has bitcoin as one of the payment options now. Hackerone also this as one of the payment options so it applies to all programs listed there like Twitter, Uber and Yahoo.

I think we would need to do the legwork and find out which new bounties are open and update the current list.

I might have a look and start a new thread as this is very interesting to me for who has funds to dedicate to finding and resolving such issues.

Fuzzybear