Security bounties?

[NLNico]

Hi,

Bitcointalk/theymos always put a high priority on security/privacy and even has security bounties which are almost equivalent of PP/FB. I think that is important considering a lot of (prominent) bitcoin users hang out on a place like such forum.

My question: does bitcoin.com offer bounties for security vulnerabilities too? (on either the site/forum/wiki/etc?) If so: what kind of reward can one think of? And last, but not least, who to contact in such situation?

Basically I suggest for some clarity about that and potentially an "official" bug bounty program to ensure the security of the site.

Regards,
Nico

[avgeca]

I second that proposal!

[NLNico]

:)

Hope Roger and/or admin can reply to this. I am really curious who to contact if I find a security vulnerability and if I can expect some reward for it.. Thanks.

[BitcoinXio]

I can't speak for the admins, but I am all for this idea. If the admins want to help crowd-fund a security bounty and put up a bitcoin address (multisig maybe?), I will contribute some bitcoins to the address to help fund it.

[LiteCoinGuy]

i like this idea and support it

[rogerver]

I'm not a security expert.
Should I just clone the exact same reward structure from Bitcointalk.org ?

[NLNico]

As a security researcher, I would like that.. since theymos made them pretty high :x ;)



It's important to realize bitcointalk uses XAU, which means currently it ranges between 0.255 and 25.5 BTC depending on severity. I have to be honest that this is pretty big and smaller rewards seems fair to me too (especially since bitcoin.com is just starting and therefore the impact of a security bug would be realistically smaller.)


To give some other examples of bug bounty programs..

blockchain.info uses:
High: $1,600+ (would be the levels: Root, Arbitrary DB writing, Obtaining arbitrary PMs or password hashes on btctalk)
Medium: $400 (would be Persistent script injection and some CSRF/non-persistent XSS probably)
Low: $100 (lower impact, realistically barely/no "damage")

bitgo uses:
High: $1,000+ (do note they always say "+", if you find something to steal all their bitcoins obviously they will reward much more)
Medium: $250
Low: $100

LocalBitcoins uses:
High: $1,000+
Medium: $300
Low: $50

etc.


So I don't think it has to be as specific as bitcointalk (although I do appreciate that transparency from theymos - if you report a bug you know in advance exactly how much it will be) and probably more like the 3 other examples. Still in the background you would probably rate the severity somewhat like bitcointalk (since it's also a forum with same security priorities like keeping password-hashes and PMs safe.)

Either way just stating you have a bug bounty at all, ranging from $x to $x for real security vulnerabilities will be a start :) (with some contact info, and potentially some "rules"/"out-of-scope" like all examples have.) Normally the security researcher who reports it, should tell you why it is an important bug to fix too. And then you can probably discuss the real severity/impact with your developers to come up with a bounty for it. (Only important that your developers realize that although most bugs take seconds/minutes to fix, rewards should not be based on that but on severity/impact.)




Ps, I will just start searching through the phpBB source now since you seem to be interested in at least giving some reward and I enjoy searching stuff like this :) If I do happen to find something.. should I contact you, rogerver?