Silver IT
Making Computers Fun Again

🪲 Bug bounty

We offer Monero (XMR) rewards for any issues with our site or infrastructure, from minor typos to root command execution. Bugs and vulnerabilities can be submitted anonymously using the form below; however, providing an email is helpful if we need to follow up.

Bounties

XMR    Name                          Description
0.01   Typographical                 Any small spelling or grammar mistake
0.02   Content error                 More serious annoyances like duplicate paragraphs
0.05   Factual error                 Objective things that are simply untrue
0.03   Error message                 Any reproducible error message resulting from normal use of the service
2.0    Persistent XSS                Any cross-site scripting attack that is saved on our server
3.0    Partial database or maildir   Unauthorized access to data or emails
6.0    Complete database or maildir  Unauthorized dump of all data or emails (paid per instance)
12.0   Unprivileged code execution   Code execution as a non-root user on any of our servers
15.0   Privileged code execution     Code execution as a root user on any of our servers

We do not pay extortionists to prevent leaks or unlock ransomware. That means the bounties above, modest though they may be, are the only reward available.

Finding a bug is not a guarantee of a payout. For example, ending an English sentence with a preposition is technically incorrect, but so common that we do it intentionally. Use of the word "data" as a singular noun is another example of a grammar error that we would not pay out for, due to its pettiness. That said, we have a strong incentive to compensate white-hats and will always pay for a non-trivial bug.

The list above is not comprehensive, so if you find a bug of a type not listed above, please send it anyway and we may negotiate a reward.

Permitted hacking activities

White-hats are welcome to perform any kind of recon and penetration except the attack types listed below. Yes, this is explicit written permission from the company for anyone anywhere to perform port scans, database injections, XSS attacks, or exploitation of software vulnerabilities. The only activities NOT allowed are:

Execution of any of these listed attack types will never result in a bounty reward and may result in prosecution of perpetrators.

Disclosure timeline

We observe a 90-day disclosure timeline, starting from our acknowledgment of the bug. This means you must not publish or disseminate details of the exploit until we have had time to fix it (90 days). After that period, the hacker is free to publish details of the exploit on their security blog or anywhere else. Hackers who disclose details of their exploit before the 90-day window closes will not be eligible for a bounty and may be prosecuted. Hackers are never permitted to publish any sensitive data or intellectual property from the company or its users.

Previously-awarded bounties

All bounties are posted with the hacker's permission, so we may have paid out bounties not listed here.

(No bug bounties have been awarded yet)

Securely reporting a bug

So you've found a bug or vulnerability! Please responsibly disclose it using the form below. Any data entered in this form will be PGP-encrypted on the client-side before being submitted.

Uh-oh, you don't have JavaScript. This form won't work without it. Please send an email to sysadmin@slvit.us instead. Be sure to include your Monero address for a payout. You can encrypt your message using ki9's PGP key. Be sure to include your own PGP public key in case we need to reply.

Describe the bug:

Enter your Monero primary address (for a payout):

This is a SHA-256 checksum of your bug description:

To receive a Monero payout, open the Monero GUI and go to Advanced > Sign/verify. Paste the SHA-256 checksum above into the "Message" field and copy the "Signature" field. Then paste the signature below:

Your email (optional):

Your public PGP key (optional):

Check this box if you permit us to post some details about this bug (nothing about you) in the "Previously-awarded bounties" section above.