Bitcoin Forum

I believe I have found a major security flaw in a companies bitcoin system. I am no cryptologist but the flaw is not a technical one, it is more a procedural weakness. I asked if they were aware of a problem related to this and they said no and could I elaborate. There is a small bounty for finding "bugs" but this basically undermines their whole purpose. They are small but do have a lot of press about their new system.  How should I approach the situation.

they should give you a bounty for that and you would have a good feeling too  :)
(+ no police is hunting you  :P )


sounds fair? if they pay nothing, maybe coindesk is interested in this story.

Yeah, I assume they wouldn't want it out there. It could put people at risk.
$100 though....that seems almost like not worth even asking for.

Maybe I should just tell them what the deal is.

if its a big bug, 100 USD is not that much but better than nothing  :)

but i would like to know more about this when the gap is closed  :D

You shouldn't be cash motivated. If they pay you ANYTHING it is still good.
Find real job for your IT skills.

Just write in and tell them. Not everyone is as honest as you and I'm sure you deserve a reward for pointing it out. Imagine the good things you would have done to save all the account holders. Just hate to hear another bad press that seems to relate to and undermine bitcoin security although in the first place it has nothing to do with bitcoin, only the system that handles it

The whole bitcoin is open source. If there is such a major flaw, you should let them know, and by them I mean the devs. It's no good reason to hide it, someday someone else will find it out eventually.

If you really found a security flaw you would be exploiting it, rather than revealing it  :D

The OP title is probably misleading when posted in this sub forum. If you read further you'll see that the security flaw is not in Bitcoin but in the company's procedures.

Seems like he edited his original post after posting  ;D

just let them know they should revise procedure management politics if an issue is not a technical one and get that bounty

Take a look at his sig and you'll know why (I have already given up trying to report them - the mods will actually just reduce your *accuracy* for reporting them - spamming rubbish into every single topic is *perfectly okay* with this forum unfortunately).

Inform them, if the issue is not fixed and users are at risk, go public.

Describe the issue simply and ask for a bounty (dont ask for a lot, just what it could poten. save them if you used the bug). Then explain what happened for you to find the bug.

You are very powerful, can discover the bitcoin problem(bug), we support you, hope you can tell us more about  the details of the bug

I'm just going to tell him. It is so obvious that it must be just hiding in plain sight. When you get so close to something sometimes it is hard to step back and see something obvious.

OR maybe I'm wrong...but I don't think so.

A lot of people are using this system so the better half of me will feel good knowing it will reduce some serious risk.

 :)

OK...issue reported.

Let's see what happens.

It is probably advisable to let them know about the risk. The reward will likely be based on how big their security "hole" was and how much they could potentially lose in the event that someone would have exploited it.

I would certainly disagree that it is not worth asking for $100 if this is an amount that they would owe you. It would only take at most a few minutes to ask at most.

I hope you both realize that by posting that you reported a post, and talking about why someone posted something that makes zero sense you are yourselves posting something that is off topic? You are doing nothing then distracting from the original discussion of the thread

You can go public so that the public would know.