Does BitPay have a bug bounty program?

BitPay values its close relationship with the security research community. To show its appreciation for external contributions, BitPay maintains a Bug Bounty Program designed to reward responsible disclosure of qualifying security vulnerabilities.

 

Responsible Disclosure Policy

You disclose responsibly if you:

  • Give us a reasonable amount of time before disclosing the vulnerability publicly
  • Make a good faith effort to not interrupt or degrade our service
  • Do not defraud or harm BitPay or its users during your research

If you do your best to follow these guidelines in discovering and disclosing a vulnerability, we won’t take any legal action against you. We will do our best to respond to your submission as quickly as possible, keep you updated on the fix, and award a bounty where appropriate.

 

Bounty Rules

  • Adhere to the Responsible Disclosure Policy above
  • Do not attempt to gain access to another user’s account or information (use your own test accounts)
  • Report only original and previously undisclosed bugs
  • Do not disclose a bug publicly before it has been fixed
  • Do not use scanners or automated tools to find bugs
  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
  • Do not attack the reliability or integrity of our services (e.g., no DDoS attacks, blackhat SEO techniques, spamming, or similar questionable acts)
  • Employees of BitPay and its subsidiaries are ineligible
  • Residents of U.S.-sanctioned countries (Cuba, Iran, Sudan, Syria, and North Korea) are ineligible
  • If in doubt, please email us at disclosure@bitpay.com

 

Services in Scope

All merchant services provided by BitPay are eligible for our Bug Bounty Program, including services offered through BitPay.com, BitPay APIs, and our point-of-sale app.

 

Qualifying Bugs

Any design or implementation issue that could result in substantial financial loss, data breach, or service degradation is within scope, including but not limited to:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF/XSRF)
  • Mixed-content scripts
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Remote code execution
  • Accounting errors
  • Clickjacking

 

Non-Qualifying Bugs

Depending on their impact, some disclosures may not qualify. Vulnerabilities in the following areas are examples of common exclusions:

  • Software packages not produced by BitPay
  • Domains hosted by third parties (e.g., Shopify.com, Microsoft.com)
  • BitPay-branded services operated by third parties
  • BitPay open source projects (e.g., Bitcore, Insight, Foxtrot, Copay, etc.)
  • BitPay subdomains operated by third parties (e.g., help.bitpay.com, support.bitpay.com, blog.bitpay.com, etc.)

 

How to Disclose

Disclose a vulnerability by sending an email with your bug report to disclosure@bitpay.com.

A bug report should include a description of the bug, reproduction instructions, and security impact (low, medium, high, critical). BitPay may award greater bounties for well-done reports. All bounties are payable only in bitcoin.

  • © BitPay, Inc.