Does BitPay have a bug bounty program? – BitPay Support

BitPay values its close relationship with the security research community. To show its appreciation for external contributions, BitPay maintains a Bug Bounty Program designed to reward responsible disclosure of qualifying security vulnerabilities.

Responsible Disclosure Policy

You disclose responsibly if you:

  • Give us a reasonable amount of time before disclosing the vulnerability publicly
  • Make a good faith effort to not interrupt or degrade our service
  • Do not defraud or harm BitPay or its users during your research

If you do your best to follow these guidelines in discovering and disclosing a vulnerability, we won’t take any legal action against you. We will do our best to respond to your submission as quickly as possible, keep you updated on the fix, and award a bounty where appropriate.

Bounty Rules

  • Adhere to the Responsible Disclosure Policy above
  • Do not attempt to gain access to another user’s account or information (use your own test accounts)
  • Report only original and previously undisclosed bugs
  • Do not disclose a bug publicly before it has been fixed
  • Do not use scanners or automated tools to find bugs
  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
  • Do not attack the reliability or integrity of our services (e.g., no DDoS attacks, blackhat SEO techniques, spamming, or similar questionable acts)
  • Employees of BitPay and its subsidiaries are ineligible
  • Residents in U.S. sanctioned countries (Cuba, Iran, Sudan, Syria, and North Korea) are ineligible
  • If in doubt, please email us at

Services in Scope

All merchant services provided by BitPay are eligible for our Bug Bounty Program, including services offered through, BitPay APIs, and our point-of-sale app.

Qualifying Bugs

Any design or implementation issue that could result in substantial financial loss, data breach, or service degradation is within scope, including, but not limited to:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF/XSRF)
  • Mixed-content scripts
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Remote code execution
  • Accounting errors
  • Clickjacking

Non-Qualifying Bugs

Depending on their impact, some disclosures may not qualify. Vulnerabilities in the following areas are examples of common exclusions:

  • Software packages not produced by BitPay
  • Domains hosted by third parties (e.g.,,
  • BitPay-branded services operated by third parties
  • BitPay open source projects (e.g., Bitcore, Insight, Foxtrot, Copay, etc.)
  • BitPay subdomains operated by third parties (e.g.,,, etc.)

How to Disclose

Disclose a vulnerability by sending an email with your bug report to

A bug report should include a description of the bug, reproduction instructions, and security impact (low, medium, high, critical). BitPay may award greater bounties for well-done reports. All bounties are payable only in bitcoin.

FireBounty © 2015-2019
