Topic: Overview of Bug Bounty Programs for Bitcoins (Read 8039 times)

I think we would need to do the legwork and find out which new bounties are open and update the current list.

I might have a look and start a new thread as this is very interesting to me for who has funds to dedicate to finding and resolving such issues.

Fuzzybear

Op, you should update this thread as many of the programs are not live, some of the exchanges have even stopped. One program you can add is Facebook which also has bitcoin as one of the payment options now. Hackerone also this as one of the payment options so it applies to all programs listed there like Twitter, Uber and Yahoo.

I found a hole in this system, a small hole

Thanks for sharing, it is excellent way to earn some extra BTC and learn more about site vulnerability

Added masterchain.info, blockchain.info and quadrigacx.com

Blockchain.info already rewarded security researchers unofficially, but now they have partnered up with CrowdCurity.

Added coinnext.com > https://www.crowdcurity.com/coinnext/coinnext-f0019 Program running since 5 days. Reward: BTC0.05 - BTC1+

Also added counterparty.co ($20-$2000) and coinpunk.com ($100+), they have been running for few months though.

A blog post with some mixed feelings (mostly complaints I guess) about the coindrawer.com program: http://blog.justinsteven.com/posts/2014/04/17/coindrawer-bug-bounty-program/ Decent read.

Added okcoin.com > http://www.reddit.com/r/Bitcoin/comments/232fze/okcoin_white_hat_promotion_win_anywhere_from/ - https://www.okcoin.com/t-1008270.html

Reward: BTC1-BTC100

NP.

My name is NLNico though.

Currently security researchers can submit a vulnerability and the program can basically say "no fuck off" and reject it, and there won't be any way to even reply to that.


I hope these features can be built quick as I think it's really needed. Especially if you imply to be "a marketplace only". If it's "a marketplace only" there should be a way for the researcher to contact the business.




Besides that I do think the concept of your website is great so I will def keep updating my list with the programs on your website too.

Hi all,

Esben from CrowdCurity here. First of all I want to say thanks to NLNICO for maintaining this nice list. Secondly I would like to add a comment to the spendbitcoins.com case. I understand that it can be frustrating from a tester's perspective when a potential vulnerability is rejected by the site owner. However allow me to provide some general insight to how CrowdCurity works - which might help clarify the matter.

CrowdCurity is a marketplace for bug bounty programs. I.e. we enable businesses to to connect with security researchers.
 
Currently the platform allows for the business to give feedback to the tester, and just like any other bug bounty program you would find on the web, it is the business who decides what is eligible for a reward. In cases where a researcher can present proof of any misuse of the platform by the business, we will try our very best to mitigate and in worst case stop the bug bounty program. However we don't want to be the judge on specific vulns but rather want to build in features that allows for the community to sort potentially issues via ratings and feedback mechanisms.

We are currently building features that will allow researchers to provide feedback to the business and raise flags to warn other testers of a specific business conduct. This will be done in order to create a platform where both businesses and researchers can improve based on the feedback that they get. Basically we are looking for a bottom-up solution rather than us being the judge on potential conflicts.

Once again we want to thank the security community for using our platform and helping improve the overall security for bitcoin businesses.

- Esben

Found a legit XSS bug on spendbitcoins.com (that could be used to steal someone's session etc), reported it, was fixed 1 day later, no reply, 1 month later I asked crowdcurity why it took so long, another 1 week later I got a reply from spendbitcoins.com saying "they cannot replicate it". So they fix the bug in 1 day, then reply 1 month later that they cannot replicate it. Seems like a cheap way to run a bounty program.

So be careful with the program of spendbitcoins. I asked CrowdCurity and they said "business have the final call in these matters" so isn't much of a help either. So my recommendation would be to be careful with all the programs that CrowdCurity runs.

Added btcvid.net > https://www.crowdcurity.com/users/btcvid/programs/btcvid get up to 1 Bitcoin, running since 8 days.

Added bit2c.co.il > https://www.crowdcurity.com/users/bit2c/programs/bit2c $100 - $1000+, program since 17 days.


crowdcurity.com changed privacy settings of earlier programs which means I can share them here in public too, so added some other programs too.

Total of 29 bug bounty programs for bitcoins now

Added prelude.io > https://www.crowdcurity.com/users/moolah/programs/prelude-by-moolah Rewards: $50 - $600+ , running since 3 days only.

Only running their program since 1 day: poloniex.com, up to BTC2 see for more details: https://www.crowdcurity.com/users/poloniex/programs/poloniex-1de59

Great to see that localbitcoins.com also added a bug bounty program: https://localbitcoins.com/whitehat AFAIK, This program has been there only for a few days.. so if there are any security vulnerabilities, you can still be the first to report

$1.000+ in bitcoin for reporting a previously unknown security vulnerability of sufficient severity.

I have added bitcoin.de to the list, see: https://www.bitcoin.de/en/bug-bounty This program has been running since (late?) January but I didn't notice it yet. They say "We will reward your effort at Bitcoin.de. The rate depends on the size and relevance of the safety leaks. ".

Also added bittrex.com, running since 2 weeks only, see: https://bittrex.com/Home/Bounty reward between BTC0.01 and BTC10

2 more added: btxtrader.com and whmcs.com. whmcs.com is not a bitcoin related website but they say "Rewards can be paid out via PayPal, BitCoin, or Western Union" between $250 up to $5000.

If anyone knows any other big bounty program within the BTC community, let us know

Thanks

Even today I read that Flexcoin got hacked, 896 BTC stolen, site closing down. Also today: BTC Stolen from Poloniex. If there are site owners reading this, please consider adding a security bug bounty before it's too late and a hacker abuses any bugs !! Better pay a whitehat security specialist 1 BTC than losing it all.

There are not that many replies in my topic.. so I guess there are not that many "security specialists" here so that would be a reason to not pin it. However I do think this is very important and a really effective way of making bitcoin sites more secure. Especially in a time where bitcoin sites still get hacked every day. So from that perspective any more exposure to this topic is good

It's a really helpful effort, probably deserves to be stuck/pinned.

So... no "other hackers" here ?

You are welcome.

I only know these programs since a few days but already found 4 vulnerabilities in 3 different sites (non very crucial, mostly XSS) but definitely having fun, still learning new things and getting some bounties