NLNico (OP)
Legendary
Offline
Activity: 1876
Merit: 1295
DiceSites.com owner
February 23, 2014, 02:22:29 PM Last edit: December 15, 2014, 05:06:31 AM by NLNico Merited by vapourminer (2)
In this topic I would like to make an overview of (all) vulnerability reward programs within the bitcoin community (and/or programs with bitcoin rewards). If you are aware of a security bounty which is not yet listed, please share it with us.

Not allowed on probably all websites:
- DDoS / DoS
- Using automated software (including brute forcing)
- Sharing the vulnerabilities without disclosing first (some do allow it after the fix)
- Exploiting the vulnerability in a malicious way / stealing private info / etc.

Make sure to read the specific terms for each program first!!

* All websites are linked to the program info because you should read the terms first.
** The "since" date is NOT the date since the site exists, but an estimation of since when the bounty reward was officially announced in public.
*** I am not vouching for any of these programs; your "time investment" is your own risk.

Please share other websites that are running security bounties for bitcoin rewards. You may also share your experience with any of these programs. Have fun with hacking and be responsible.

Are you a website owner?
If you own a website, consider running a vulnerability reward program too! This way your website will be more secure and there is a much bigger chance that a whitehat (non-harmful) hacker helps you with the security instead of a blackhat hacker who abuses vulnerabilities. Look at these example websites for information on how to run a program like that. Making a page on your site + a topic here should be enough.
Sydboy
February 23, 2014, 03:55:42 PM
This is going to keep me busy for a while, at work :p Thanks for sharing.
NLNico (OP)
February 24, 2014, 01:56:57 PM
You are welcome. I have only known about these programs for a few days but have already found 4 vulnerabilities in 3 different sites (not very crucial, mostly XSS), but I am definitely having fun, still learning new things and getting some bounties.
NLNico (OP)
February 26, 2014, 04:38:20 PM
So... no "other hackers" here?
Bit_Happy
Legendary
Offline
Activity: 2114
Merit: 1040
A Great Time to Start Something!
March 03, 2014, 09:12:50 PM
It's a really helpful effort, probably deserves to be stuck/pinned.
NLNico (OP)
March 04, 2014, 02:20:36 PM Last edit: March 04, 2014, 02:38:37 PM by NLNico
Thanks! Even today I read that Flexcoin got hacked, 896 BTC stolen, site closing down. Also today: BTC stolen from Poloniex. If there are site owners reading this, please consider adding a security bug bounty before it's too late and a hacker abuses any bugs!! Better to pay a whitehat security specialist 1 BTC than to lose it all.

There are not that many replies in my topic, so I guess there are not that many "security specialists" here, so that would be a reason not to pin it. However, I do think this is very important and a really effective way of making bitcoin sites more secure, especially in a time where bitcoin sites still get hacked every day. So from that perspective any more exposure to this topic is good.
NLNico (OP)
March 05, 2014, 10:11:40 PM Last edit: March 05, 2014, 11:28:59 PM by NLNico
I have added bitcoin.de to the list, see: https://www.bitcoin.de/en/bug-bounty
This program has been running since (late?) January but I hadn't noticed it yet. They say "We will reward your effort at Bitcoin.de. The rate depends on the size and relevance of the safety leaks."

Also added bittrex.com, running for only 2 weeks, see: https://bittrex.com/Home/Bounty
Reward between BTC0.01 and BTC10.

2 more added: btxtrader.com and whmcs.com. whmcs.com is not a bitcoin related website but they say "Rewards can be paid out via PayPal, BitCoin, or Western Union" between $250 up to $5000.

If anyone knows any other big bounty program within the BTC community, let us know.
NLNico (OP)
March 09, 2014, 08:20:54 PM
Great to see that localbitcoins.com also added a bug bounty program: https://localbitcoins.com/whitehat
AFAIK, this program has been there only for a few days, so if there are any security vulnerabilities, you can still be the first to report them. "$1.000+ in bitcoin for reporting a previously unknown security vulnerability of sufficient severity."
NLNico (OP)
March 31, 2014, 05:46:44 AM
Found a legit XSS bug on spendbitcoins.com (that could be used to steal someone's session etc.), reported it, it was fixed 1 day later, no reply, 1 month later I asked CrowdCurity why it took so long, another 1 week later I got a reply from spendbitcoins.com saying "they cannot replicate it". So they fix the bug in 1 day, then reply 1 month later that they cannot replicate it. Seems like a cheap way to run a bounty program.

So be careful with the program of spendbitcoins. I asked CrowdCurity and they said "business have the final call in these matters", so that isn't much of a help either. So my recommendation would be to be careful with all the programs that CrowdCurity runs.
Esben
Newbie
Offline
Activity: 2
Merit: 0
April 02, 2014, 04:26:59 AM Last edit: June 10, 2014, 09:07:43 PM by Esben
Hi all,
Esben from CrowdCurity here. First of all I want to say thanks to NLNICO for maintaining this nice list. Secondly I would like to add a comment to the spendbitcoins.com case. I understand that it can be frustrating from a tester's perspective when a potential vulnerability is rejected by the site owner. However, allow me to provide some general insight into how CrowdCurity works, which might help clarify the matter.

CrowdCurity is a marketplace for bug bounty programs, i.e. we enable businesses to connect with security researchers. Currently the platform allows the business to give feedback to the tester, and just like any other bug bounty program you would find on the web, it is the business who decides what is eligible for a reward. In cases where a researcher can present proof of any misuse of the platform by the business, we will try our very best to mitigate and in the worst case stop the bug bounty program. However, we don't want to be the judge on specific vulns but rather want to build in features that allow the community to sort out potential issues via ratings and feedback mechanisms.

We are currently building features that will allow researchers to provide feedback to the business and raise flags to warn other testers of a specific business's conduct. This will be done in order to create a platform where both businesses and researchers can improve based on the feedback that they get. Basically we are looking for a bottom-up solution rather than us being the judge on potential conflicts.
Once again we want to thank the security community for using our platform and helping improve the overall security for bitcoin businesses.
- Esben
NLNico (OP)
April 15, 2014, 08:27:52 AM
> thanks to NIKONL for maintaining this nice list

NP. My name is NLNico though.

> CrowdCurity is a marketplace for bug bounty programs.

Currently security researchers can submit a vulnerability and the program can basically say "no fuck off" and reject it, and there won't be any way to even reply to that.

> However, we don't want to be the judge on specific vulns but rather want to build in features that allow the community to sort out potential issues via ratings and feedback mechanisms.

I hope these features can be built quickly as I think they are really needed. Especially if you imply that you are "a marketplace only". If it's "a marketplace only" there should be a way for the researcher to contact the business. Besides that I do think the concept of your website is great, so I will def keep updating my list with the programs on your website too.
NLNico (OP)
April 16, 2014, 01:01:37 PM
NLNico (OP)
May 13, 2014, 02:18:28 AM Last edit: May 13, 2014, 02:46:35 AM by NLNico
Added coinnext.com > https://www.crowdcurity.com/coinnext/coinnext-f0019
Program running for 5 days. Reward: BTC0.05 - BTC1+

Also added counterparty.co ($20-$2000) and coinpunk.com ($100+); they have been running for a few months though.
NLNico (OP)
June 08, 2014, 02:57:20 AM
Added masterchain.info, blockchain.info and quadrigacx.com
Blockchain.info already rewarded security researchers unofficially, but now they have partnered up with CrowdCurity.
zahra4571
August 12, 2014, 08:41:30 PM
Thanks for sharing, it is an excellent way to earn some extra BTC and learn more about site vulnerabilities.
bichphuong
Newbie
Offline
Activity: 224
Merit: 0
April 07, 2018, 04:23:16 PM
I found a hole in this system, a small hole