Ripple is committed to maintaining our customers’ security and privacy and the data they entrust to us. As part of this commitment, we have a bug bounty program to identify and address security vulnerabilities in our software and systems.
Scope
The bug bounty program covers all publicly accessible web applications and APIs owned by Ripple. The program splits into two sections: Ripple and RippleX. The process and rules for both programs are different. The following section establishes guidelines for submitting security bugs to the concerned bounty program:
Ripple Bug Bounty program
We have partnered with Bugcrowd to manage this program. It is a private program, and security researchers can participate based on invitation. However, if you plan to submit a bug, please email us at bugs@ripple.com and let us know about your Bugcrowd handle or Bugcrowd registered email. We will get you added to the program.The detailed bug bounty policy is available on the Bugcrowd website.
RippleX Bug Bounty program
Please use this program to report bugs in RippleX/Rippled. To report a qualifying bug, please send a detailed report to: bugs@ripple.com and use bugs@ripple.com Public Key.
Report Bug
Short Key ID: 0xC57929BE
Long Key ID: 0xCD49A0AFC57929BE
Fingerprint: 24E6 3B02 37E0 FA9C 5E96 8974 CD49 A0AF C579 29BE
Reward and Recognition
The bug bounty program rewards security researchers who report vulnerabilities to us. There is no fixed reward structure for this program. Rewards vary dramatically based on vulnerability and quality. The bounty amounts and the final decisions are at the discretion of the RippleX team.
Qualifying Vulnerabilities
Software & Infrastructure
Only bugs in Ripple’s software or infrastructure are eligible for the bug bounty.
Relevant
Only security issues qualify for this bounty. A qualifying bug has to be a peril to user funds, privacy, or Ripple’s operation.
Original
This issue has yet to be reported.
Unknown
Bugs already known and discussed in public do not qualify. Previously reported bugs (including those with active tickets) are not eligible.
Specific
We welcome general security advice or recommendations but cannot pay bounties.
Fixable
There has to be something we can do to fix the problem permanently. Note that bugs in other people’s software may still qualify in some cases. For example, if you find a bug in a browser that compromises security in Ripple and we can get it fixed by talking to the browser vendor, you may qualify for a bounty.
Unused
If you use the exploit to attack us first, you do not qualify for a bounty. If you report a vulnerability used in an ongoing or past attack and we have specific, concrete evidence that suggests you are the attacker, we reserve the right not to pay a bounty.
Legal
We will treat with the strictest of confidence any reports of security vulnerabilities made to us by security researchers under the bug bounty program. However, we reserve the right to take legal action against anyone who abuses the program or engages in any illegal activity.
Conclusion
Our bug bounty programs are essential to our overall security strategy. We are grateful for the contributions of the security researchers community and are committed to addressing any security vulnerabilities reported to us.