Topic: Overview of Bug Bounty Programs for Bitcoins (Read 8079 times)

legendary
Activity: 1420
Merit: 1010
Quote from: Fuzzybear
Op, you should update this thread as many of the programs are not live, some of the exchanges have even stopped. One program you can add is Facebook which also has bitcoin as one of the payment options now. Hackerone also has this as one of the payment options so it applies to all programs listed there like Twitter, Uber and Yahoo.

I think we would need to do the legwork and find out which new bounties are open and update the current list.

I might have a look and start a new thread as this is very interesting to me and to anyone who has funds to dedicate to finding and resolving such issues.

Fuzzybear
full member
Activity: 1442
Merit: 108
Op, you should update this thread as many of the programs are not live, some of the exchanges have even stopped. One program you can add is Facebook which also has bitcoin as one of the payment options now. Hackerone also has this as one of the payment options so it applies to all programs listed there like Twitter, Uber and Yahoo.
newbie
Activity: 224
Merit: 0

I found a hole in this system, a small hole
sr. member
Activity: 467
Merit: 250
Thanks for sharing, it is an excellent way to earn some extra BTC and learn more about site vulnerabilities.
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
Added masterchain.info, blockchain.info and quadrigacx.com

Blockchain.info already rewarded security researchers unofficially, but now they have partnered up with CrowdCurity.
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
Added coinnext.com > https://www.crowdcurity.com/coinnext/coinnext-f0019 Program has been running for 5 days. Reward: BTC0.05 - BTC1+

Also added counterparty.co ($20-$2000) and coinpunk.com ($100+), they have been running for few months though.
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
A blog post with some mixed feelings (mostly complaints I guess) about the coindrawer.com program: http://blog.justinsteven.com/posts/2014/04/17/coindrawer-bug-bounty-program/ Decent read.
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
Quote from: Esben (CrowdCurity)
thanks to NLNICO for maintaining this nice list
NP.

My name is NLNico though.

Quote from: Esben (CrowdCurity)
CrowdCurity is a marketplace for bug bounty programs.
Currently security researchers can submit a vulnerability and the program can basically say "no fuck off" and reject it, and there won't be any way to even reply to that.

Quote from: Esben (CrowdCurity)
However we don't want to be the judge on specific vulns but rather want to build in features that allow the community to sort potential issues via ratings and feedback mechanisms.
I hope these features can be built quickly as I think it's really needed. Especially if you imply to be "a marketplace only". If it's "a marketplace only" there should be a way for the researcher to contact the business.

Besides that I do think the concept of your website is great so I will def keep updating my list with the programs on your website too.
newbie
Activity: 2
Merit: 0
Hi all,

Esben from CrowdCurity here. First of all I want to say thanks to NLNICO for maintaining this nice list. Secondly I would like to add a comment to the spendbitcoins.com case. I understand that it can be frustrating from a tester's perspective when a potential vulnerability is rejected by the site owner. However allow me to provide some general insight into how CrowdCurity works, which might help clarify the matter.

CrowdCurity is a marketplace for bug bounty programs. I.e. we enable businesses to connect with security researchers.

Currently the platform allows for the business to give feedback to the tester, and just like any other bug bounty program you would find on the web, it is the business who decides what is eligible for a reward. In cases where a researcher can present proof of any misuse of the platform by the business, we will try our very best to mitigate and in the worst case stop the bug bounty program. However we don't want to be the judge on specific vulns but rather want to build in features that allow the community to sort potential issues via ratings and feedback mechanisms.

We are currently building features that will allow researchers to provide feedback to the business and raise flags to warn other testers of a specific business conduct. This will be done in order to create a platform where both businesses and researchers can improve based on the feedback that they get. Basically we are looking for a bottom-up solution rather than us being the judge on potential conflicts.

Once again we want to thank the security community for using our platform and helping improve the overall security for bitcoin businesses.

- Esben
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
Found a legit XSS bug on spendbitcoins.com (that could be used to steal someone's session etc), reported it, was fixed 1 day later, no reply, 1 month later I asked crowdcurity why it took so long, another 1 week later I got a reply from spendbitcoins.com saying "they cannot replicate it". So they fix the bug in 1 day, then reply 1 month later that they cannot replicate it. Seems like a cheap way to run a bounty program.

So be careful with the program of spendbitcoins. I asked CrowdCurity and they said "business have the final call in these matters" so isn't much of a help either. So my recommendation would be to be careful with all the programs that CrowdCurity runs.
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
Added btcvid.net > https://www.crowdcurity.com/users/btcvid/programs/btcvid get up to 1 Bitcoin, running for 8 days.

Added bit2c.co.il > https://www.crowdcurity.com/users/bit2c/programs/bit2c $100 - $1000+, program running for 17 days.


crowdcurity.com changed privacy settings of earlier programs which means I can share them here in public too, so added some other programs too.

Total of 29 bug bounty programs for bitcoins now Smiley
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
Added prelude.io > https://www.crowdcurity.com/users/moolah/programs/prelude-by-moolah Rewards: $50 - $600+ , running for 3 days only.
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
Only running their program for 1 day: poloniex.com, up to BTC2, see for more details: https://www.crowdcurity.com/users/poloniex/programs/poloniex-1de59
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
Great to see that localbitcoins.com also added a bug bounty program: https://localbitcoins.com/whitehat AFAIK this program has been there only for a few days.. so if there are any security vulnerabilities, you can still be the first to report Smiley

$1.000+ in bitcoin for reporting a previously unknown security vulnerability of sufficient severity.
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
I have added bitcoin.de to the list, see: https://www.bitcoin.de/en/bug-bounty This program has been running since (late?) January but I didn't notice it yet. They say "We will reward your effort at Bitcoin.de. The rate depends on the size and relevance of the safety leaks. ".

Also added bittrex.com, running for 2 weeks only, see: https://bittrex.com/Home/Bounty reward between BTC0.01 and BTC10

2 more added: btxtrader.com and whmcs.com. whmcs.com is not a bitcoin related website but they say "Rewards can be paid out via PayPal, BitCoin, or Western Union" between $250 up to $5000.

If anyone knows any other bug bounty program within the BTC community, let us know Smiley
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
Thanks Smiley

Even today I read that Flexcoin got hacked, 896 BTC stolen, site closing down. Also today: BTC Stolen from Poloniex. If there are site owners reading this, please consider adding a security bug bounty before it's too late and a hacker abuses any bugs !! Better pay a whitehat security specialist 1 BTC than losing it all.

There are not that many replies in my topic.. so I guess there are not that many "security specialists" here Tongue so that would be a reason to not pin it. However I do think this is very important and a really effective way of making bitcoin sites more secure. Especially in a time where bitcoin sites still get hacked every day. So from that perspective any more exposure to this topic is good Smiley
legendary
Activity: 2114
Merit: 1040
A Great Time to Start Something!
It's a really helpful effort, probably deserves to be stuck/pinned.
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
February 26, 2014, 11:38:20 AM
#4
So... no "other hackers" here ? Roll Eyes
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
February 24, 2014, 08:56:57 AM
#3
You are welcome.

I only know these programs since a few days but already found 4 vulnerabilities in 3 different sites (none very crucial, mostly XSS) but definitely having fun, still learning new things and getting some bounties Smiley
full member
Activity: 196
Merit: 100
February 23, 2014, 10:55:42 AM
#2
This is going to keep me busy for a while, at work :p
Thanks for sharing.
legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
February 23, 2014, 09:22:29 AM
#1
In this topic I would like to make an overview of (all) vulnerability reward programs within the bitcoin community (and/or programs with bitcoin rewards.) If you are aware of a security bounty which is not yet listed, please share it with us Smiley

Not allowed on probably all websites:
  • DDoS / DoS
  • Using automated software (including brute forcing)
  • Sharing the vulnerabilities without disclose first (some do allow after fix)
  • Exploit the vulnerability in a malicious way / steal private info / etc

Make sure to read the specific terms for each program first !!


Bitcoin related websites
| Website | Bitcointalk topic | Platform | Reward in bitcoins | Since |
|---|---|---|---|---|
| bitcointalk | #309785 | nginx/PHP/MySQL/SMF | BTC0.2 - BTC20 (based on XAU) | 10-2013 |
| kraken.com | #166828, #290799 | | BTC1+ | 04-2013 |
| pikapay.com | #154465, #290111, #476909 | | BTC0.001-BTC100 | 03-2013 |
| coinbase.com | | | $1000+ | 2013 |
| coindrawer.com | | | | 2013 |
| coinkite.com | | | BTC0.25+ | 2013 |
| coinx.com | | | | 2013 |
| rugatu.com | | Django/OSQA | BTC0.001-BTC2 | 01-2013 |
| netagio.com | | .NET | BTC1+ | |
| bitcoin.de | | | | 01-2014 |
| bittrex.com | #463202 | | BTC0.01-BTC10 | 02-2014 |
| btxtrader.com | | | | 2013 |
| localbitcoins.com | | Django | $1.000+ | 03-2014 |
| okcoin.com | | | BTC1-BTC100 | 04-2014 |
| counterparty.co | | | $20-$2000 (in BTC/XCP) | 03-2014 |
| coinpunk.com | | Node.js | $100+ | 01-2014 |
| masterxchange.com | | | BTC0.2-BTC2+ | 01-2014 |
| rtbtc.com (ZeroBlock) | | | | 2014 |

Non-BTC related sites with BTC reward

| Website | Platform | Reward in bitcoins | Since |
|---|---|---|---|
| launchkey.com | | $200+ | 2013 |
| polarssl.org | | €50+ | |
| whmcs.com | | $250-$5000 | |


* all websites are linked to the program info because you should read the terms first
** the "since" date is NOT the date since the site exists, but an estimation since when the bounty reward was officially announced in public
*** I am not vouching for any of these programs, your "time investment" is your own risk


Please share other websites that are running security bounties for bitcoin rewards. You may also share your experience with any of these programs. Have fun with hacking and be responsible Smiley

Are you a website owner?
If you own a website, consider running a vulnerability reward program too! This way your website will be more secure and there is a much bigger chance that a whitehat (non-harmful) hacker helps you with the security instead of a blackhat hacker who abuses vulnerabilities. Look at these example websites for information on how to run a program like that. Making a page on your site + a topic here should be enough.