BitPay values its close relationship with the security research community. To show its appreciation for external contributions, BitPay maintains a Bug Bounty Program designed to reward responsible disclosure of qualifying security vulnerabilities.
Responsible Disclosure Policy
You disclose responsibly if you:
- Give us a reasonable amount of time before disclosing the vulnerability publicly
- Make a good faith effort to not interrupt or degrade our service
- Do not defraud or harm BitPay or its users during your research
If you do your best to follow these guidelines in discovering and disclosing a vulnerability, we won’t take any legal action against you. We will do our best to respond to your submission as quickly as possible, keep you updated on the fix, and award a bounty where appropriate.
- Adhere to the Responsible Disclosure Policy above
- Do not attempt to gain access to another user’s account or information (use your own test accounts)
- Report only original and previously undisclosed bugs
- Do not disclose a bug publicly before it has been fixed
- Do not use scanners or automated tools to find bugs
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
- Do not attack the reliability or integrity of our services (e.g, no DDoS attacks, blackhat SEO techniques, spamming, or similar questionable acts)
- Employees of BitPay and its subsidiaries are ineligible
- Residents in U.S. sanctioned countries (Cuba, Iran, Sudan, Syria, and North Korea) are ineligible
- If in doubt, please email us at firstname.lastname@example.org
Services in Scope
All merchant services provided by BitPay are eligible for our Bug Bounty Program, including services offered through BitPay.com, BitPay APIs, and our point-of-sale app.
Any design or implementation issue that could result in substantial financial loss, data breach, or service degradation is within scope including, but not limited to:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF/XSRF)
- Mixed-content scripts
- Authentication or authorization flaws
- Server-side code execution bugs
- Remote code execution
- Accounting errors
Depending on their impact, some disclosures may not qualify. Vulnerabilities in the following areas are examples of common exclusions:
- Software packages not produced by BitPay
- Domains hosted by third parties (e.g., Shopify.com, Microsoft.com)
- BitPay-branded services operated by third parties
- BitPay open source projects (e.g., Bitcore, Insight, Foxtrot, Copay, etc.)
- BitPay subdomains operated by third parties (e.g. help.bitpay.com, support.bitpay.com, blog.bitpay.com, etc.)
How to Disclose
Disclose a vulnerability by sending an email with your bug report to email@example.com.
A bug report should include a description of the bug, reproduction instructions, and security impact (low, medium, high, critical). BitPay may award greater bounties for well done reports. All bounties are payable only in bitcoin.