Responsible Disclosure
We encourage responsible disclosure of security vulnerabilities, and we will pay an appropriate amount for eligible bugs. Bitcoin Reserve reserves the right to decide if the bug is real and serious enough to receive any bounty.
Requirements
- Reasonable amount of time for us to review and fix the issue before you publish it.
- Good faith and best effort not to leak or destroy any user data or our data.
- Do not defraud our users or us in the process of discovery.
Eligibility
Bitcoin Reserve reserves the right to decide if the bug is real and serious enough to receive any bounty. In general, the following classes of issues are not eligible for a bounty:
- Denial of service attacks
- Email or service rate limiting or spamming
- Email header forging
- DMARC settings
- Clickjacking
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- No Captcha / Weak Captcha / Captcha Bypass
- Missing HTTP security headers
- DNSSEC Findings
- CSRF on forms that are available to anonymous users (e.g. login or contact form)
- Logout / Login Cross-Site Request Forgery (CSRF)
How to disclose an issue
Email security @ bitcoinreserve.com with the following information:
- Your name and physical address
- Detailed description of the bug
- Bitcoin address for the bounty payout (if eligible)
NOTE: At this time we only send out bounty payments in Bitcoin. We do not support bounty payments on any traditional fiat rails like PayPal, credit card, etc.