At Coinkite, we understand and expect the whole world to be looking at our work
from every possible angle. When that angle is security ("how can I break this thing?"),
we would be happy to hear about your successes.
We encourage responsible disclosure of security vulnerabilities, and
we will pay you for your bugs.
In order to encourage responsible disclosure, we promise not to
bring legal action against researchers who point out a problem
provided they do their best to follow the above guidelines.
Coinkite reserves the right to decide if the bug is real and
serious enough to receive any bounty. As a framework for reference,
please consider the following list of things we want to know about:
In general, the following are not interesting to us:
Many of our products are open source. You can create pull requests, and offer
your changes directly to our developers. Start on the GitHub page
for each product, from each of their websites. Of course, this is only
appropriate in some cases. If unsure, please see next section.
You can disclose a vulnerability by email to:
If you are unclear about
any of our policies, please ask before making assumptions.
Typically, you should use PGP encrypted email. Please start with a cleartext message
with your public key, and we'll reply appropriately.
Once we receive your private disclosure, we will analyse the issue
and get back to you promptly. If we accept your bug, you will receive
a personalized mug, all the credit (if you wish) in public forums,
and a Bitcoin payout. We're also happy to replace any Coinkite hardware
you've destroyed in your research.
Thank you for your help keeping the Bitcoin community safe!
At our discretion, we will pay a Bitcoin bounty for a good security bug meeting our specs.
We're happy to give you credit when we make related announcements.
Yes, we welcome disclosures from anyone. However, you must understand
some complexities in these cases. We don't want to get involved in
PR stunts that cause panic, FUD, confusion and may hurt customers.
As a result, we request clear communication and appropriate coordination during the disclosure process.
We don't pay bounties in these cases.
Once we understand how your vulnerability might affect our users,
we will determine the best time-frame, regarding fixes and coordinated
Yes. We are not here to make it easy for you!
We will also change our software to preemptively close possible
security holes, even though we know they are not vulnerabilities
at the present time. This means we may change our code in response
to a report, even though the issue cannot actually be used as an
In other words, we don't pay bounties for unproven, theoretical issues, but
we reserve the right to patch them anyway. Show us a working exploit if
you want to prove it's a true vulnerability.
It's the personalized mug we make you as part of your bounty reward!
Design subject to change.
Updated: Nov 18, 2019