Whitehat bonus



Due to many duplicate vulnerability reports we have been receiving lately, the whitehat bonus program has been paused for a short period.

We value any feedback on our services and are grateful to people who make the effort to contact us with their feedback. Although Bitmymoney strives for complete security, changes in our software and hardware can lead to vulnerabilities in our architecture.

Responsible Disclosure

We would like to encourage security researchers to first share with us any vulnerabilities they find in our architecture, and to give us time to fix the issue before sharing it with others. We ask researchers to follow these guidelines:

  • Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
  • Making a good faith effort to not leak or destroy any Bitmymoney user data.
  • Not defrauding Bitmymoney users or Bitmymoney itself in the process of discovery.

In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem, provided they do their best to follow the above guidelines.

Rewards

The minimum payout for a previously unknown security vulnerability is €25.

We pay out in bitcoin for reporting a previously unknown security vulnerability of sufficient severity. We award higher amounts based on the severity or creativity of the vulnerability found. Bitmymoney reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.

We also provide attribution on this page as a thank you.

Rewards are only paid in Bitcoin.

Eligibility

Bitmymoney reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.

In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:

  • XSS
  • CSRF
  • Authentication bypass or privilege escalation
  • Clickjacking
  • Remote code execution
  • Obtaining user information

In general, the following would not meet the threshold for severity:

  • Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on the main website
  • Denial of service
  • Spamming
  • Vulnerabilities in third party applications which make use of the Bitmymoney API

How To Disclose

You can disclose a vulnerability by e-mailing support@bitmymoney.com.

Please include, if possible:

  • Description and potential impact
  • Steps to reproduce the issue or a proof of concept
  • Name and link for attribution on this page
  • Bitcoin address for payout

Thank you for helping keep the bitcoin community safe!

Attribution

We thank these White Hat Geniuses:

2019-04-01 Pal Patel

2019-03-28 Tarikul Islam

2019-03-19 Agung Saputra

2019-03-04 Pratik Vinod Yadav

2019-01-19 Younes Belarbi

2016-10-04 MrDice

2015-12-07 Mohammed Abdulqader Abobaker Al-saggaf

2014-05-22 Imen Soussi

2014-05-22 James Amos