PikaPay's vulnerability bounty program continues. Many of the valuable contributions you've sent in are inspiring and keep us moving forward!
We believe security is one of the keys to bringing the benefits of Bitcoin to everyone. To that end we hereby gratefully acknowledge the issues reported and
resolved since we made our last acknowledgements on 14 July.
* URL validation error involving OAuth Redirect
Reported by Charlie Briggs
* Session expiration error on logout
Reported by Satish Bommisetty
* Clever social engineering exploit via parameter variable manipulation
Reported by Ben Holden-Crowther
* Force logout exploit
Reported by Nitesh Shilpkar
* A cookie was found that required the Secure and HttpOnly flags
Reported by Shubham Raj
Each of the issues listed here qualified for a bounty for the individual who first reported it. Each issue has been carefully investigated and resolved.
We are very grateful to the security researchers who spotted them.
We see security as a project that requires continuous improvement above almost every other priority, and we appreciate the ongoing attention
received from the security community.
PikaPay thanks everyone who has contributed so far. We launched this program on March 18, making us one of the first Bitcoin services to do this. We intend to keep this program running and to disclose the results to make the community safer.
Whether you have or haven't qualified for a bounty so far, your work is appreciated. We encourage you to keep looking and testing PikaPay.
PikaPay
[email protected] is the address of PikaPay's security team.
The bounty program rules are here: bit.ly/14J1YZz
Even if you're not interested in the bounty, please come check out
PikaPay.com.
We have a full and open API with documentation at
Github.com/PikaPay.
We welcome suggestions and critique. We still have a lot of improvement coming.
We're hard at work to make this service into something unique, and any suggestions, questions and critique are very important to us. Write to us:
[email protected]