According to Linus' Law, "given enough eyeballs, all bugs are shallow". This is one of the reasons why the Tarsnap client source code is publicly available; but merely making the source code available doesn't accomplish anything if people don't bother to read it.
For this reason, Tarsnap has a series of bug bounties. Similar to the bounties offered by Mozilla and Google, the Tarsnap bug bounties provide an opportunity for people who find bugs to win cash. Unlike those bounties, the Tarsnap bug bounties aren't limited to security bugs. Depending on the type of bug and when it is reported, different bounties will be awarded:
Bounty value | Pre-release bounty value | Type of bug
$1000 | $2000 | A bug which allows someone intercepting Tarsnap traffic to decrypt Tarsnap users' data.
$500 | $1000 | A bug which allows the Tarsnap service to decrypt Tarsnap users' data.
$500 | $1000 | A bug which causes data corruption or loss.
$100 | $200 | A bug which causes Tarsnap to crash (without corrupting data or losing any data other than an archive currently being written).
$50 | $100 | Any other non-harmless bugs in Tarsnap.
$20 | $40 | Build breakage on a platform where a previous Tarsnap release worked.
$10 | $20 | "Harmless" bugs, e.g., cosmetic errors in Tarsnap output or mistakes in source code comments.
$5 | $10 | A patch which significantly improves the clarity of source code (e.g., by refactoring), source code comments (e.g., by rewording or adding text to clarify something), or documentation. (Merely pointing to something and saying "this is unclear" doesn't qualify; you must provide the improvement.)
$1 | $2 | Cosmetic errors in the Tarsnap source code or website, e.g., typos in website text or source code comments. Style errors in Tarsnap code qualify here, but usually not style errors in upstream code (e.g., libarchive).
The pre-release bounty value will be awarded for bugs reported in the interval between when a new Tarsnap release is sent to the tarsnap- firstname.lastname@example.org mailing list and when it is announced via the email@example.com mailing list (this will usually be one week) which were introduced in the new release (i.e., for bugs which are corrected before they get into an announced release).
In addition to the Tarsnap source code, bug bounties will be awarded for bugs found in scrypt, kivaloo, and spiped. Please note that, with the exception of $1 cosmetic errors, these bounties do not apply to the Tarsnap website; in particular, please do not run automated vulnerability scanners against the Tarsnap website — they're annoying and don't produce useful bug reports.
Think you've found a bug? If it's not a security flaw and you have a github account, please submit an issue report to the Tarsnap github repository. Otherwise, please contact the author by email (preferably using his GPG key). Please put the words "bug bounty" into the subject line of your email.
Past Tarsnap bug bounty recipients are listed here. When reporting a bug, please mention if you would like to remain anonymous.