According to Linus' Law, "given enough eyeballs, all bugs are shallow". This is one of the reasons why the Tarsnap client source code is publicly available; but merely making the source code available doesn't accomplish anything if people don't bother to read it.
For this reason, Tarsnap has a series of bug bounties. Similar to the bounties offered by Mozilla and Google, the Tarsnap bug bounties provide an opportunity for people who find bugs to win cash. Unlike those bounties, the Tarsnap bug bounties aren't limited to security bugs. Depending on the type of bug and when it is reported, different bounties will be awarded:
The pre-release bounty value will be awarded for bugs which were introduced in a new Tarsnap release and are reported in the interval between when that release is sent to the tarsnap-alphatest@tarsnap.com mailing list and when it is announced via the tarsnap-announce@tarsnap.com mailing list (this will usually be one week), i.e., for bugs which are corrected before they get into an announced release.
In addition to the Tarsnap source code, bug bounties will be awarded for bugs found in scrypt, kivaloo, and spiped. Please note that, with the exception of $1 cosmetic errors, these bounties do not apply to the Tarsnap website; in particular, please do not run automated vulnerability scanners against the Tarsnap website — they're annoying and don't produce useful bug reports.
Think you've found a bug? If it's not a security flaw and you have a GitHub account, please submit an issue report to the Tarsnap GitHub repository. Otherwise, please contact the author by email (preferably using his GPG key). Please put the words "bug bounty" into the subject line of your email.
Past Tarsnap bug bounty recipients are listed here. When reporting a bug, please mention if you would like to remain anonymous.
This program was crawled on 2015-06-30 and is sorted as bounty.