Responsible Disclosure

We encourage responsible disclosure of security vulnerabilities, and we will pay an appropriate amount for eligible bugs. Bitcoin Reserve reserves the right to decide if the bug is real and serious enough to receive any bounty.

Requirements

  • Reasonable amount of time for us to review and fix the issue before you publish it.
  • Good faith and best effort not to leak or destroy any user data or our data.
  • Do not defraud our users or us in the process of discovery.

Eligibility

Bitcoin Reserve reserves the right to decide if the bug is real and serious enough to receive any bounty. In general, the following classes of issues are not eligible for a bounty:

  • Denial of service attacks
  • Email or service rate limiting or spamming
  • Email header forging
  • DMARC settings
  • Clickjacking
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • No Captcha / Weak Captcha / Captcha Bypass
  • Missing HTTP security headers
  • DNSSEC Findings
  • CSRF on forms that are available to anonymous users (e.g. login or contact form)
  • Logout / Login Cross-Site Request Forgery (CSRF)

How to disclose an issue

Email security @ bitcoinreserve.com with the following information:

  • Your name and contact information
  • Detailed description of the bug
  • Bitcoin address for the bounty payout (if eligible)