Topic: Is there any bounty for reporting security bugs on this forum? (Read 160 times)

full member
Activity: 1274
Merit: 106
Maybe it depends on their (admins) mood.

That does not sound very professional.

I would like to share my experience here. I got a response for the bugs I submitted in less than 24 hours. They were fixed and I was paid in the same duration as well. One of the fastest bounty programs I have seen. Will be locking this thread now.
copper member
Activity: 630
Merit: 420
We are Bitcoin!
1) Will I get a reply for all submissions even if rejected?
Maybe it depends on their (admins) mood.

Anyway, the rules are here...
Rules
- You must disclose the vulnerability only to me. Do not test your vulnerability in such a way that it would give others any information about the vulnerability.
- I must not already know about the vulnerability.
- Your info must actually convince me to make changes. If you give me info that is insufficient to convince me to change things, and then a few months later I get more info from someone else which does convince me to fix the thing that you reported, then you'll likely not be awarded a bounty.
- You must not use your exploit in any malicious way, or use it to read any database info that isn't public except for accounts that you control.
- It must be fairly easy for me to check the validity of your vulnerability. You must have proof of concept code, a live example of the exploit on the forum, or a very detailed description of the vulnerability. You can't just say something like, "Avatars can be used to execute PHP." That's not enough information, and it's very likely that the vulnerability you're talking about won't even affect the forum. Attacks using brute-force, timing, etc. that you can't demonstrate may not be eligible for bounties.
- DoS attacks aren't security vulnerabilities.
- Compromising an admin account is a valid technique, but you can't assume that you will be able to do this.
- Assume that CSRF attacks against the admin console don't work.
- If an exploit is only possible due to a combination of two or more flaws, then the bounty is calculated for each flaw assuming that it alone would succeed in the attack, and you get only the smallest of these bounties.

You should have read this when vit05 gave you the link in the first place.
full member
Activity: 1274
Merit: 106
Thanks for the response, guys. I have started testing and security here looks good. I have found some bugs as well, which I will submit here. The official page should be clearer on what types of bugs are accepted in this program. Some more questions:

1) Will I get a reply for all submissions even if rejected?

2) What about the policy on test accounts? Like, if I want to test features related to the merit system, how do I proceed with that without affecting this account?
copper member
Activity: 1526
Merit: 2890
Anyway please lock this now.
He still did not get the answer "where to report it".

I guess you can directly send a PM to administrator Theymos or Cyrus; you should get an immediate reply based on the severity of the issue.
sr. member
Activity: 742
Merit: 395
I am alive but in hibernation.
Is there any bounty for reporting security bugs on this forum? If yes, where to report it. Details of official rules and bugs covered will also be helpful.

It is already a pinned post in Meta. How eager we are in asking the question without searching. Anyway please lock this now.
hero member
Activity: 672
Merit: 526
Yes and you could win a badge. Just check the pinned topic on this section.

https://bitcointalksearch.org/topic/security-bounties-309785

The forum is offering bounties for security vulnerabilities.

The bounty amount is the highest applicable base bounty multiplied by all applicable modifiers. Amounts are in troy ounces of gold (converted to BTC at the time of payment).

Base bounties

| | Root access | Arbitrary DB writing | Obtaining arbitrary PMs or password hashes | Persistent script injection | CSRF or non-persistent XSS |
|---|---|---|---|---|---|
| Admin attacker | 8 | 2 | 1 | 0.1 | 0.1 |
| User with manually-granted extra permissions (mod, etc.) | 10 | 7 | 6 | 0.25 | 0.1 |
| Regular user | 10 | 8 | 7 | 0.5 | 0.1 |

full member
Activity: 1274
Merit: 106
Is there any bounty for reporting security bugs on this forum? If yes, where to report it. Details of official rules and bugs covered will also be helpful.