Responsible Disclosure


At Coinkite, we understand and expect the whole world to be looking at our work from every possible angle. When that angle is security and "how can I break this thing?", we would be happy to hear about your successes.

We encourage responsible disclosure of security vulnerabilities, and we will pay you for your bugs.

Requirements:

  • Reasonable amount of time to fix the issue before you publish it.
  • Good faith effort to not leak or destroy any Coinkite user data.
  • Do not defraud Coinkite users or Coinkite itself in the process of discovery.

In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.

Eligibility

Coinkite reserves the right to decide if the bug is real and serious enough to receive any bounty. As a framework for reference, please consider the following list of things we want to know about:

  • Leak of private key material.
  • Tricking our hardware into signing a transaction the owner has not authorized.
  • Misleading the user into approving a transaction that is against their best interests.
  • Bypassing the PIN entry sequence, or similar.
  • Remote code execution.

In general, the following are not too interesting to us:

  • Vulnerabilities on our websites (blog.coinkite.com, Mailchimp, our analytics, etc.) unless they lead to a vulnerability in our products.
  • Denial of service attacks
  • Spamming
  • Email header forging
  • Vulnerabilities in third party applications (or sites) which make use of the Coinkite products
  • "Burp Suite Pro" has already been tested against our websites many times, thank you.
  • Broad classes of possible vulnerabilities which might apply to us, but which you cannot prove actually do apply to our products.

Improving Through Open Source

Many of our products are open source. You can create pull requests and offer your changes directly to our developers. Start on the GitHub page for each product, linked from each of their websites. Of course, this is only appropriate in some cases. If unsure, please see the next section.

How do I disclose my issue?

You can disclose a vulnerability by email to: security@coinkite.com

If you are unclear about any of our policies, please ask before making assumptions.

Typically, you should use PGP encrypted email. Please start with a cleartext message with your public key, and we'll reply appropriately.

Please include:

  • Code which reproduces the issue as a proof of concept.
  • Detailed description and potential impact of your bug.
  • Your name and link for attribution (or a comment if you don't want that).

Once we receive your private disclosure, we will analyse the issue and get back to you promptly. If we accept your bug, you will receive a personalized mug, all the credit (if you wish) in public forums, and a Bitcoin payout. We're also happy to replace any Coinkite hardware you've destroyed in your research.

Thank you for your help keeping the Bitcoin community safe!

Rewards

At our discretion, we will pay a Bitcoin bounty for a good security bug meeting our specs. We're happy to give you credit when we make related announcements.

I come from a competitor. Can I submit?

Yes, we welcome disclosures from anyone. However, you must understand some complexities in these cases. We don't want to get involved in PR stunts that cause panic, FUD and confusion, and may hurt customers.

As a result, we request clear communication and appropriate coordination during the disclosure process. We don't pay bounties in these cases.

What timeline will be used?

Once we understand how your vulnerability might affect our users, we will determine the best timeframe for fixes and coordinated disclosure.

Do you reserve the right to adapt?

Yes. We are not here to make it easy for you!

We will also change our software to preemptively close possible security holes, even when we know they are not vulnerabilities at the present time. This means we may change our code in response to a report even though the issue cannot actually be used in an attack.

In other words, we don't pay bounties for unproven, theoretical issues, but we reserve the right to patch them anyway. Show us a working exploit if you want to prove it's a true vulnerability.

What is a Bugmug?

It's the personalized mug we make you as part of your bounty reward!

Design subject to change.


Updated: Nov 18, 2019