BitPay values its relationship with the security research community and rewards responsible disclosure of valid security vulnerabilities through its Bug Bounty Program.
You are considered to be acting in good faith if you:
- Provide BitPay a reasonable amount of time to remediate the issue before public disclosure
- Avoid actions that disrupt, degrade, or negatively impact our services
- Do not access, modify, or exfiltrate data belonging to other users
- Use only accounts you own or are authorized to test
If you follow these guidelines, BitPay will not pursue legal action and will work with you on responsible disclosure, including potential bounty rewards.
Rules of Engagement
- Adhere to the Responsible Disclosure Policy above
- Do not attempt to gain access to another user’s account or information (use your own test accounts)
- Report only original and previously undisclosed bugs
- Do not disclose a bug publicly before it has been fixed
- Do not use automated scanners or tools that generate excessive noise
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
- Do not attack the reliability or integrity of our services (e.g, no DDoS attacks, blackhat SEO techniques, spamming, or similar questionable acts)
- Employees of BitPay and its subsidiaries are ineligible
- Residents in countries BitPay does not support are ineligible
- If in doubt, please email us at disclosure@bitpay.com
Services in Scope
In Scope |
Limited Scope* |
Out of Scope |
|
|
|
*Limited Scope: only critical security bugs accepted, as these are open source projects
Qualifying Bugs
Any design or implementation issue that could result in substantial financial loss, unauthorized access, access to another user’s data, or service degradation is within scope including, but not limited to:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF/XSRF)
- Mixed-content scripts
- Authentication or authorization flaws
- Server-side code execution bugs
- Remote code execution
- Significant business logic or accounting issues
- Clickjacking
Non-Qualifying Bugs
Depending on their impact, some disclosures may not qualify. Vulnerabilities in the following areas are examples of common exclusions:
- Low-impact or informational findings
- Missing security headers without exploitability
- Rate limiting issues without demonstrated abuse
- Vulnerabilities requiring unrealistic user interaction
- Issues in third-party or unsupported systems
How to Disclose
Disclose a vulnerability by sending an email with your bug report to disclosure@bitpay.com.
All bug reports must be complete at the time of submission. Incomplete reports will not be reviewed and may be discarded without follow-up.
A valid report must include:
- Clear description of the vulnerability
- Affected endpoint(s), URL(s), or asset(s). Verify these are in scope before submission
- Step-by-step reproduction instructions
- Proof of concept (PoC) demonstrating the issue
- Supporting evidence (request/response, screenshots, or video)
- Impact assessment (e.g., data exposure, account takeover, financial risk)
- Environment details (browser, device, authentication level, etc.)
Reports missing any of the above will be considered invalid submissions.
Submissions that meet all requirements will be reviewed. High-quality, well-documented reports are more likely to qualify for a bounty.
Payouts
All bounties are payable only in cryptocurrency. Prior to payment, KYC validation is required which involves providing BitPay your legal name, address, national identifier number, and potentially other information.
Comments
0 comments
Article is closed for comments.