We are offering a bounty for any security-relevant bugs. This includes exploits, vulnerabilities and information about ongoing attacks.
In order to qualify for a bounty, a bug must be
- Relevant – Only security issues qualify for this bounty. A qualifying bug has to be a danger to user funds, privacy or the operation of the Ripple network.
- Original – Nobody has reported the issue before.
- Unknown – Bugs that are already known and discussed in public do not qualify.
- Specific – We welcome general security advice or recommendations, but we cannot pay bounties for that.
- Fixable – There has to be something we can do to permanently fix the problem. Note that bugs in other people’s software may still qualify in some cases. For example, if you find a bug in a browser that compromises security in Ripple and we can get it fixed by talking to the browser vendor, you may qualify for a bounty.
- Unused – If you use the exploit to attack us first, you don’t qualify for a bounty. If you report a vulnerability used in an ongoing or past attack and we have specific, concrete evidence that suggests you are the attacker we reserve the right not to pay a bounty.
The amount we pay varies dramatically. Vulnerabilities that are harmless on their own, but could form part of a critical exploit will usually receive 10-50 USD worth of XRP. Full-blown exploits can receive much higher bounties.
Please don’t hold back partial vulnerabilities while trying to construct a full-blown exploit. We will pay a large bounty to anyone who reports a complete chain of vulnerabilities even if they have reported each component of the exploit separately and those vulnerabilities have been fixed in the meantime. However, to qualify for the full bounty, you have to have been the first one to report each of the partial exploits.
To report a qualifying bug, please send a detailed report to: firstname.lastname@example.org