Bug Bounty & Responsible Disclosure
Updated March 5th, 2018
Implementing perfect security is hard. Vulnerabilities are found even in time proven security architectures. We strive towards excellence when it comes to the security and privacy of our products and believe that an open architecture is vital to keep our users safe. This is why all our code is open source. In the case you find a vulnerability, we would like to ask you to follow our bug bounty program for responsible disclosure. We promise that no legal action will come against you if you follow our guidelines.
- Any information which will significantly help us improve our security will be rewarded. This does include user and customer privacy. The main areas are:
- Official code implementations in production that we maintain and make available at the BitBox GitHub repository.
- All BitBox hardware.
We ask that you please refrain from committing:
- Active exploiting / Denial of Service against other user's wallets and nodes where our software connects.
- Social Engineering of Shift Devices staff, contractors and users.
- Any physical or electronic attempts against company property.
- Leaking user data.
The bounty will be released after the Incident Response is successfully completed.
II. Security Response Team
The company co-founders, Douglas Bakkum and Jonas Schnelli, are the first point of contact.
- email@example.com (PGP: 4EE7 9BF0 DEA4 E87F 6304 D5F8 75D4 B1A5 18B3 7477)
- firstname.lastname@example.org (PGP: 557E 6E5A 9049 967F E8A3 A090 44EB 19A6 C2AF 7F2B)
III. Incident Response
- Submit your report via PGP or another open source end-to-end encrypted communication channel.
- We will respond to you using only encrypted, secure channels as soon as possible and then make inquiries to satisfy any needed information.
- Confirm if the submission is indeed a vulnerability.
- If not a vulnerability, or not specific to us:
- We will respond with reasons why the submission is not a vulnerability.
- Move the discussion to a new or existing public issue on GitHub if necessary.
Work out a timeline
- Establish an initial timeline to be followed by us with you.
- We shall regularly report back to you on progress made and work still left to be done.
- If more time is required to fix the issue, we will contact you again.
Apply appropriate patch(es)
- We will designate a PRIVATE git "hotfix branch" to work in.
- Any messages associated with PUBLIC commits during the time of review should not make reference to the security nature of the PRIVATE branch or its commits.
IV. Post-Release Disclosure Process
- Allow us the predetermined amount of time to fulfill all points within section III.
- If the Incident Response process in section III is successfully completed, we shall contact you and ask whether you wish for credit and pay out the bounty based on the severity of the vulnerability/bug.
- If the Incident Response process in section III is not successfully completed and consensus on a timely disclosure is not met, you have every right to expose the vulnerability to the public and we will not hinder you doing such, including legal means.