PikaPay.com Vulnerability Bounty Program
Reward payouts of between 0.001 and 100 BTC for reporting security vulnerabilities.
We invite security specialists and the community at large to participate in our bug rewards program.
One of the keys to the widespread adoption of Bitcoin is security.
Together we can redefine the future of online cash by making Bitcoin easy and safe enough for anyone to use. Help us improve privacy and security and bring the benefits of Bitcoin to everyone.
To take part in this hacking competition, please read the program guidelines here.
Forum members are also welcome to participate in our beta test. See details below.
If you want to make feature requests or any other suggestions, mail them to [email protected].
The Bounty Program
Summary, or How to Participate in 3 Easy Steps
First, sign in to PikaPay's mobile web application via pikapay.com.
Second, refer below to the terms of the reward program.
Third, if you believe you have discovered a bug or vulnerability in PikaPay or have encountered a security incident, report it to [email protected].
Background
PikaPay: A system for exchanging virtual currency using open source technology and social media.
We launched the first Bitcoin to Twitter application, a tipping system, more than 18 months ago. We are now opening our Twitter payment service, PikaPay, to an invitation-only beta program. Visit PikaPay.com to request an invitation, or use PikaPay.com to just start testing immediately.
The PikaPay Security Team will maintain a bounty program to encourage security investigation that can be used to benefit the Bitcoin community.
Scope
Any web services operated by PikaPay are considered in scope for this program.
The following list of bugs will likely qualify for a reward:
Any fault in PikaPay services that substantially compromises the integrity or confidentiality of user data. Some examples that fall into this category:
- Authentication and authorization mechanism faults;
- Command injection bugs;
- Cross-site scripting, cross-site script inclusion and cross-site request forgery;
- Mixed scripting; and
- Server-side code execution.
Some examples that do not merit a reward:
- Application of SEO tactics;
- Attacks on physical facilities or PikaPay infrastructure;
- Brute force denial of service faults;
- Involvement of social engineering;
- Vulnerabilities in non-web applications and in services operated by third parties.
There are also exceptional cases -- such as bugs that are repeatable only through the use of out-of-date browsers or plugins -- which will also not qualify for a reward.
For the sake of PikaPay's availability, you are asked to avoid using any tools that create unusual amounts of traffic or conducting any behavior that will disrupt other users.
Payouts
Reward payouts range between 0.001 and 100 BTC. Decisions concerning the rewards are made at PikaPay's sole discretion. For example, PikaPay may elect to pay out higher rewards for the discovery of unusually severe or skillful exploits.
Disclosure
PikaPay will cooperate with a coordinated bug disclosure policy, and will make best efforts to respond to vulnerabilities as soon as possible after receiving advance notification. Parties who do not observe this policy or who do not avoid disclosing flaws to third parties will most likely be disqualified from receiving a reward.
Only the first person to report a previously undiscovered vulnerability will qualify for a reward, although smaller bounties may still be given to other contributors.
We plan to acknowledge all significant contributors publicly unless you tell us you prefer to remain anonymous. You can also elect to receive a reward anonymously or to have it paid to a charitable cause of your own choosing. If a reward is not claimed within 30 days, it will be donated to ProjectPika, to support preservation of the pika species.