Bitcoin Forum
Author Topic: Some services take security more seriously than others  (Read 949 times)
LiteCoinGuy (OP)
December 15, 2014, 09:56:48 AM
 #1

(from reddit)

Some services take security more seriously than others

As a white-hat hacker with 6 years of pen-testing experience, I want to give the /r/bitcoin community a security tip: Use services that offer large bug-bounties; as a general rule this means that they take security more seriously.

-Blockchain.info: security bounty: 50mBTC minimum - 1BTC maximum (Edit: Blockchain.info PMed me and said that they pay more than 1BTC regularly, and asked me to update the post.)
-Coinbase.com: security bounty: $1000 minimum - no maximum
-Circle.com: security bounty: $50 minimum - $1000 Max
-Bitpay: security bounty: $0
-Coinkite: security bounty: 250mBTC minimum - no maximum

Can you tell who takes security the most seriously?

Any web-wallet should expect to have security issues, and they should realize that hackers will find them before they do. Case in point:

-Joehoe managed to save 520+ bitcoins in the last week from blockchain.info blunders. Blockchain.info should reward Joehoe handsomely for his heroism.
-I disclosed a security bug to bitpay yesterday that made Copay on Android 100% insecure. (The issue has since been fixed. My disclosure to bitpay was paid exactly $0. I won't spend my time pen-testing for bitpay in the future.)

TL;DR: Web wallets will have bugs, hackers will find them, bitcoin companies should take security seriously.

*Edit: Was accused of being a coinbase shill, want to make it clear that I am not. I was just very irritated with BitPay. I still recommend bitpay over coinbase to merchants who need a POS bitcoin solution with USD settlement, because coinbase charges a 1% fee. I actually use Circle, not Coinbase, to buy most of my bitcoin because it's instant. I never keep more than $10 in Coinbase because I like to control my own private keys. My main wallet is Electrum on an air-gapped PC, and paper wallets with BIP 38 for long-term storage. So I'm in no way pumping Coinbase. I actually dislike Coinbase's very pro-regulation stance, and I hate their practice of snooping on people's memos and freezing funds until people submit ID. You can check my post history to verify that I did indeed discover a serious bug in CoPay within hours of its release.

EDIT 2: Please see Copay Lead Developer response here: http://www.reddit.com/r/Bitcoin/comments/2panwn/psa_some_services_take_security_more_seriously/cmv7p7b


http://de.reddit.com/r/Bitcoin/comments/2panwn/psa_some_services_take_security_more_seriously/





->Shame on you bitpay (and all others who don't pay a fucking satoshi for bug-hunting).

SirChiko
December 15, 2014, 10:14:28 AM
 #2

Well they will maybe change their mind if some exploit comes up and fucks up their business.

cr1776
December 15, 2014, 11:12:10 AM
 #3

Well they will maybe change their mind if when some exploit comes up and fucks up their business.

FTFY. lol
pawel7777
December 15, 2014, 11:17:12 AM
 #4

Maybe he would be better off by reporting BitPay's bug to Coinbase  Smiley

But seriously, the support's reply is just below any standards. "Thanks for reporting critical bug and saving our asses. Now fuck off".

SirChiko
December 15, 2014, 11:34:41 AM
 #5

Well they will maybe change their mind if when some exploit comes up and fucks up their business.

FTFY. lol
Valid point, thanks for correcting me.

LiteCoinGuy (OP)
December 15, 2014, 01:13:33 PM
 #6

Maybe he would be better off by reporting BitPay's bug to Coinbase  Smiley

But seriously, the support's reply is just below any standards. "Thanks for reporting critical bug and saving our asses. Now fuck off".


they (bitpay in this case) make so much money and when somebody reports a critical bug and all he gets is a "thank you"?

are you fucking kidding me?!  Roll Eyes  Cry

Sindelar1938
December 15, 2014, 01:27:35 PM
 #7

Yeah, I use blockchain.info. Having serious doubts about them now. Maybe I should move to another service.

Q7
December 15, 2014, 01:31:25 PM
 #8

The least that they could do is to send a small token of appreciation. After reading this article, I know which exchangers take security seriously. Obviously those which offer no bounty are just being complacent? Imagine the loss that they would incur if those security bugs get exploited by other hackers.

pawel7777
December 15, 2014, 01:45:30 PM
 #9

Maybe he would be better off by reporting BitPay's bug to Coinbase  Smiley

But seriously, the support's reply is just below any standards. "Thanks for reporting critical bug and saving our asses. Now fuck off".


they (bitpay in this case) make so much money and when somebody reports a critical bug and all he gets is a "thank you"?

are you fucking kidding me?!  Roll Eyes  Cry

Well, to be perfectly fair to BitPay, they also offered their "Warm regards" - surely worth more than a lousy $1000 from Coinbase or others.

MJK
December 15, 2014, 01:50:38 PM
 #10

Say what you want about the recent blockchain.info trouble but at least they can be trusted to make amends and reimburse customers' lost funds. Can't really say that for many other web wallets, and their bounty program gives me more faith.
DooMAD
December 15, 2014, 03:47:44 PM
 #11

Anyone trusting a third party to look after their money isn't taking their security seriously enough.  If you have money stored online, you are part of the problem.  You are asking to be the next negative headline about Bitcoin in the media.  Cut that shit out already.

Bitcoin is peer-to-peer money, please learn how to use it correctly.

LiteCoinGuy (OP)
December 15, 2014, 10:11:10 PM
 #12

Anyone trusting a third party to look after their money isn't taking their security seriously enough.  If you have money stored online, you are part of the problem.  You are asking to be the next negative headline about Bitcoin in the media.  Cut that shit out already.

Bitcoin is peer-to-peer money, please learn how to use it correctly.


unfortunately that's not the way we will reach the mainstream  Undecided .
