The bread blog
Announcing breadwallet's bug bounty program
At breadwallet we take our customers' security and privacy very seriously. Our wallet is an embodiment of our dedication to customer protection. It is breadwallet’s ethos that our customers remain in control of their funds, which has certain security implications. Private keys that control the spending of funds are stored directly, in encrypted form, on the devices of their owners, and the owners are in control of securing those devices. Generally, this means that attacks on the breadwallet customer base as a whole would be very difficult, since there is no information stored on our servers which could give up control of any customer’s funds, and our servers maintain extremely limited information on our users.
Today breadwallet is announcing a bug bounty program in the hope of developing a continuing relationship with the security research community. Starting in November 2016 we will maintain a reward program for security experts who find vulnerabilities in any of breadwallet’s products, services or properties.
Services and products in scope
Generally any product that is developed by breadwallet is in the scope of the bug bounty program. This includes, but is not limited to:
breadwallet’s open source code bases (found on github.com/breadwallet)
Our website CMS system (breadwallet.com)
Any of our API systems (api.breadwallet.com)
Some bugs may not qualify for this bug bounty program, since its scope is limited to technical vulnerabilities. Please do not try to sneak into our offices or perform phishing attacks against our employees. Never attempt to access another customer’s funds or account. Only ever target your own account, and do not attempt to engage in any activity that would damage breadwallet’s products or services, or that would be disruptive to other breadwallet customers.
How to report
If you have found a vulnerability, please email us at [email protected]. It is suggested that you encrypt your email using our PGP key. Our security team will review every email sent to that address. Please be succinct in your disclosure. You must provide a valid attack scenario that we can replicate to be considered for a reward.
To reward security researchers for the hard work they put into disclosing vulnerabilities to us, we will offer a minimum reward of $100 USD for a security bug that is found in any of the above products and services in scope. A $500 minimum reward is available for any bug affecting user funds. Additionally, if you report a bug that is not a security vulnerability, we may still provide a reward, at our discretion. Reports of bugs we deem to be more significant may earn a higher reward.
Because we are a bitcoin company, our rewards are offered in either bitcoin or USD. You may choose either payment method, but we prefer BTC. If you would like to receive BTC, please include your receive address in the disclosure email.
There are a few important restrictions on our bug bounty program. We can only reward the first person to report any given bug. Please do not publicly disclose any bugs before reporting them to us. Any bug that has been publicly disclosed without first providing breadwallet with a reasonable amount of time to respond will be ineligible. Whether we disclose the bug publicly and the amount of the reward are at our discretion. Your testing may not violate any laws, and we cannot provide an award if the testing did, or if it would be illegal for us to do so.