At Bit2Me we love hacker culture. We ourselves have that mentality and we feel very identified with this way of thinking. Proof thereof is the fact that some of us participate in hackathons and CTFs (Capture-The-Flag) sessions, and we are always open to collaborate in the organization of events aligned with that thought.
We want to make the best platform in the world for cryptocurrencies, so that with it we can take steps as a society towards a world where cryptocurrencies like Bitcoin have a great acceptance, making a world much more fair and democratic, without a monopoly of money, as currently it happens with the money of the central banks where just a few enslave the rest of humanity because of the way money works.
But we are aware of the frenetic pace that a startup like ours could have (updates, new products, ...) and as human beings, we are also aware that we are not perfect and we could forget something.
That’s why, hacker community, this document is an appeal to you. We put at your disposal the best bug bounty that we have been able to create, taking into account our current company size, which we will keep on updating as we grow.
Vulnerabilities already reported
A normal question that you can ask yourself, and with good reason, is: How can I be sure that Bit2Me will be sincere in rejecting the vulnerability justifying that the vulnerability has already been reported?
As one of the famous lemmas in the cryptocurrency world says: "Don’t trust, Verify!"
As you know we love to innovate, and we love cryptocurrency technology. With this in mind, and to set an example with the values and advantages that Blockchain technology brings, all reported and accepted vulnerabilities will be published on the Blockchain.
How will we do it? Cryptography to power!
Once a vulnerability has been reported and accepted, before even being solved by our team, we will do the following:
This transaction will remain transparent and immutable on the network forever, totally impossible to alter and reflected at the exact moment it was created.
What does this mean?
If that hash existed at that moment, it means that the document and all information in it, would also exist.
If someone later reports a similar vulnerability to us, we will provide you with the PDF report, and the transaction.
With the report you will be able to generate the fingerprint yourself and verify that this hash has already been registered in the past, thanks to the Ethereum transaction provided, where you can see the exact date of it.
For the hash / checksum of the report we will use the SHA-512 algorithm.
Scope of action
We have limited the area of action to search for vulnerabilities to the following domains / subdomains:
Vulnerabilities that will NOT be accepted
How to report a bug?
Send your report to email:
You have to use the following PGP public key to encrypt the email:
Include as many pieces of evidence as possible: title of the exploited vulnerability, description of each step in the exploitation, tools used in the exploitation, browser version, attach screenshots (or even video), etc.
Include the PoC (proof of concept), if you did it. It is mandatory to include an explanation on how to correct the reported vulnerability
Please wait up to 10 business days in order our team to study your request and receive an answer on whether we have accepted your request. If accepted, the reward will be paid within the stipulated period in the Response Policy (* see response policy).
Bit2Me will always do everything possible to follow the following policy of response to the requests sent by hackers who participate in our program:
Our maximum time for responses on accepting the vulnerability (from receipt of the report) is: 10 business days
The maximum time to make the payment of the reward (from response on acceptance): 10 business days.
Payments can be made in different ways:
The rewards given by Bit2Me range from € 50 for low vulnerabilities to € 5,000 for highly critical ones.
Normal rewards will be handled based on the CVSS v3.1 Vulnerability Score:
For vulnerabilities that, from the company's internal cybersecurity team, we consider VERY critical, Bit2Me has a special reward of € 5,000.
Note: If the report does not include a valid PoC (proof of concept), the reward rating will be decided according to the reproducibility and severity of the vulnerability, and the amount of the reward may be significantly reduced.
Examples of vulnerabilities we look for:
Hall of Fame
All those people, or entities, that report vulnerabilities and rewarded will be published, if they wish.
Be the first to appear here!
Did you find it helpful?Send feedback