Ripple is committed to protecting our customers’ security and privacy and the data they entrust to us. As part of this commitment, we have a bug bounty program to identify and address security vulnerabilities in our software and systems.
The bug bounty program covers all publicly accessible web applications and APIs owned by Ripple. The program is split into two sections: Ripple and RippleX. The process and rules differ between the two programs. The following sections establish guidelines for submitting security bugs to the relevant bounty program:
Ripple Bug Bounty program
The detailed bug bounty policy is available on the HackerOne website.
RippleX Bug Bounty program
Long Key ID: 0xCD49A0AFC57929BE
Fingerprint: 24E6 3B02 37E0 FA9C 5E96 8974 CD49 A0AF C579 29BE
Reward and Recognition
The bug bounty program rewards security researchers who report vulnerabilities to us. There is no fixed reward structure for this program. Rewards vary dramatically based on vulnerability and quality. The bounty amounts and the final decisions are at the discretion of the RippleX team.
Software & Infrastructure
Only bugs in Ripple's software or infrastructure are eligible for the bug bounty.
Only security issues qualify for this bounty. A qualifying bug has to pose a risk to user funds, privacy, or Ripple’s operation.
The issue must not have been reported before.
Bugs already known and discussed in public do not qualify. Previously reported bugs (including those with active tickets) are not eligible.
We welcome general security advice or recommendations but cannot pay bounties for them.
There has to be something we can do to fix the problem permanently. Note that bugs in other people's software may still qualify in some cases. For example, if you find a bug in a browser that compromises security in Ripple and we can get it fixed by talking to the browser vendor, you may qualify for a bounty.
If you use the exploit to attack us first, you do not qualify for a bounty. If you report a vulnerability used in an ongoing or past attack and we have specific, concrete evidence that suggests you are the attacker, we reserve the right not to pay a bounty.
We will treat with the strictest of confidence any reports of security vulnerabilities made to us by security researchers under the bug bounty program. However, we reserve the right to take legal action against anyone who abuses the program or engages in any illegal activity.
Our bug bounty programs are essential to our overall security strategy. We are grateful for the contributions of the security research community and are committed to addressing any security vulnerabilities reported to us.