Donation Address: 14Tf35AovvRVURzd623q5i9kry2EW8WzyL
According to Linus’ Law, “given enough eyeballs, all bugs are shallow”. That’s one of the reasons why Counterparty’s source code is publicly available; but merely making the source code available doesn’t accomplish anything if people don’t read it!
For this reason, Counterparty has a series of bug bounties. Similar to the bounties offered by Mozilla and Google, Counterparty bug bounties provide an opportunity for people who find bugs to be compensated. Unlike those programs, however, Counterparty’s bug bounties are not limited to security vulnerabilities.
Depending on the type of bug and when it is reported, different bounties will be awarded. Bounties are paid out in a mix of XCP and BTC (the ratio is negotiable), at the 3-day average of each to a fixed US Dollar value.
Things that do not qualify under the bug bounty
counterpartytalk.org website (unless the issue is a serious misconfiguration where user security details are being leaked in a way that they can be proven to be exploited)
Counterwallet or counterblock (unless the issue allows for theft of funds, in that case the $1,500 bounty defined below would apply)
Please do not try XSS attacks in the Counterwallet chat box. It is annoying, and it has already been tested extensively
Vulnerabilities which are too broad or not documented properly (i.e. do not include a specific example relevant to a Counterparty-controlled site)
Bugs or issues with a third-party site, software, or service that we use, such as support.counterparty.io (freshdesk.com), which is not due to an improper configuration issue specific to us. Please submit any potential issues to the maintainers of that site or providers of that service
Anything requiring social engineering
Missing HSTS (HttpOnly flags), Secure flag, Browser Cache vulnerabilities
CSRF that doesn’t affect the victim
Referrer leakage to pages an attacker cannot control
Lack of explicit rate-limiting for counterwallet.io passphrase entry
The presence of unnecessary files, e.g. for backups, when these files do not expose any sensitive information
Anything that is the result of an automated Nessus/PCI scans (too general)
DNS issues (e.g. lack of an SPF record)
SSL certificate issues (such as lack of Perfect Forward Secrecy on our SSL certificates)
Bugs that have received mainstream tech media attention before the date of your disclosure (e.g. Heartbleed, Poodlebleed, etc)