We are offering a bounty for any security-relevant bugs in our software offerings (https://github.com/ripple). The definition of bugs includes exploits, vulnerabilities and information about ongoing attacks against Ripple’s software.
Qualifying Bugs
Software & Infrastructure
Only bugs in Ripple's software or infrastructure are eligible for the bug bounty.
Relevant
Only security issues qualify for this bounty. A qualifying bug has to be a danger to user funds, privacy or the operation of the Ripple network.
Original
Nobody has reported the issue before.
Unknown
Bugs that are already known and discussed in public do not qualify. Previously reported bugs (including those with active tickets) are not eligible.
Specific
We welcome general security advice or recommendations, but we cannot pay bounties for that.
Fixable
There has to be something we can do to permanently fix the problem. Note that bugs in other people's software may still qualify in some cases. For example, if you find a bug in a browser that compromises security in Ripple and we can get it fixed by talking to the browser vendor, you may qualify for a bounty.
Unused
If you use the exploit to attack us first, you do not qualify for a bounty. If you report a vulnerability used in an ongoing or past attack and we have specific, concrete evidence that suggests you are the attacker, we reserve the right not to pay a bounty.
Additional Details
The amount we pay varies dramatically. Vulnerabilities that are harmless on their own but could form part of a critical exploit will usually receive a bounty. Full-blown exploits can receive much higher bounties.
Please don't hold back partial vulnerabilities while trying to construct a full-blown exploit. We will pay a large bounty to anyone who reports a complete chain of vulnerabilities even if they have reported each component of the exploit separately and those vulnerabilities have been fixed in the meantime. However, to qualify for the full bounty, you must have been the first to report each of the partial exploits.
Report Bug
Long Key ID: 0xCD49A0AFC57929BE
Fingerprint: 24E6 3B02 37E0 FA9C 5E96 8974 CD49 A0AF C579 29BE