BitPay values its close relationship with the security research community. To show its appreciation for external contributions, BitPay maintains a Bug Bounty Program designed to reward responsible disclosure of qualifying security vulnerabilities.

Responsible Disclosure Policy

You disclose responsibly if you:

• Give us a reasonable amount of time before disclosing the vulnerability publicly

• Make a good faith effort to not interrupt or degrade our service

• Do not defraud or harm BitPay or its users during your research

If you do your best to follow these guidelines in discovering and disclosing a vulnerability, we won’t take any legal action against you. We will do our best to respond to your submission as quickly as possible, keep you updated on the fix, and award a bounty where appropriate.

Bounty Rules

• Adhere to the Responsible Disclosure Policy above

• Do not attempt to gain access to another user’s account or information (use your own test accounts)

• Report only original and previously undisclosed bugs

• Do not disclose a bug publicly before it has been fixed

• Do not use scanners or automated tools to find bugs

• Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure

• Do not attack the reliability or integrity of our services (e.g, no DDoS attacks, blackhat SEO techniques, spamming, or similar questionable acts)

• Employees of BitPay and its subsidiaries are ineligible

• Residents in U.S. sanctioned countries (Cuba, Iran, Sudan, Syria, and North Korea) are ineligible

• If in doubt, please email us at disclosure@bitpay.com

Services in Scope

All merchant services provided by BitPay are eligible for our Bug Bounty Program, including services offered through BitPay.com, BitPay APIs, and our point-of-sale app.

Qualifying Bugs

Any design or implementation issue that could result in substantial financial loss, data breach, or service degradation is within scope including, but not limited to:

• Cross-site scripting (XSS)

• Cross-site request forgery (CSRF/XSRF)

• Mixed-content scripts

• Authentication or authorization flaws

• Server-side code execution bugs

• Remote code execution

• Accounting errors

• Clickjacking

Non-Qualifying Bugs

Depending on their impact, some disclosures may not qualify. Vulnerabilities in the following areas are examples of common exclusions:

• Software packages not produced by BitPay

• Domains hosted by third parties (e.g., Shopify.com, Microsoft.com)

• BitPay-branded services operated by third parties

• BitPay open source projects (e.g., Bitcore, Insight, Foxtrot, Copay, etc.)

• BitPay subdomains operated by third parties (e.g. help.bitpay.com, support.bitpay.com, blog.bitpay.com, etc.)

How to Disclose

Disclose a vulnerability by sending an email with your bug report to disclosure@bitpay.com.

A bug report should include a description of the bug, reproduction instructions, and security impact (low, medium, high, critical). BitPay may award greater bounties for well done reports. All bounties are payable only in bitcoin.