Bug Bounty

As part of our ongoing effort to keep your money safe and information secure, we run a bug bounty program. If you discover a security-related issue in our software, we'd like to work with you to fix it and reward you for your assistance.

Rewards

We will award an amount in bitcoin on a case-by-case basis depending on the severity of the issue. Please note that we only award one bounty per bug.

Responsible disclosure

To be eligible for the bug bounty, you:

  • Must inform us before posting the exploit anywhere, and allow us sufficient time to patch the issue.

  • Cannot exploit, or steal money or information from, CoinJar or its customers. If the exploit requires account access, you must use your own.

  • Must not defraud CoinJar or any of its customers.

If you are in doubt about anything, please email us with any questions at security@coinjar.com. Provided the above rules are followed, and you operate in good faith, we will not bring legal action against you.

Eligible bounties

Any software issue that results in the loss/compromise of data or money for CoinJar or any of its customers. The most common examples are:

  • Cross-site scripting

  • Cross-site request forgery

  • Remote code execution

  • Clickjacking

  • Code injection

  • Leaks of sensitive data

Ineligible bounties

We cannot reward bounties for things that are outside of our direct control, such as:

  • Social engineering

  • Physical access to hardware

  • Vulnerabilities in third-party software (Ruby, nginx, etc.)

  • Denial of Service

  • Usability issues

How to report

If you have an issue to report, please send an email to security@coinjar.com. In your email, include as much detail about the exploit as possible and a Bitcoin address to send the reward to. Our Security Team will get back to you within three days.