From December 20, 2016 until December 31, 2017, Cryptocat is holding a Bug Bounty Program. The goal of this program is to invite independent analysis of Cryptocat's security, especially since the complete rewrite that was finished in April 2016.
Due to Cryptocat's limited funding as volunteer-run software, the bounty is held in a "contest" style: the first person to report a vulnerability will receive the prize, and the Bug Bounty Program will then be closed until further notice. Should we receive more than one bounty report simultaneously, we will award the prize to the report we judge to be more important.
However: Should you win the Bug Bounty Program prize but forfeit the $500 USD prize money, the Bug Bounty Program will remain open for a second potential winner, and you will still receive the other three elements of the prize.
Your reported vulnerability must be, within reasonable judgement, a high-to-critical severity vulnerability. For example, it must allow remote account compromise, user or device impersonation, message decryption, arbitrary code execution, or something along these lines. A simple denial of service, to give a counter-example, or a bug that relies on pre-existing control of the victim's device, is not eligible. We promise to be fair regarding the severity of your reported bug.
Any submitted report must involve a bug that is exploitable in the latest version of Cryptocat at the time of submission.
Simply send a Cryptocat message to nadim on Cryptocat in order to submit your report. It's the personal account of the person responsible for writing the software.
Thank you for helping make Cryptocat safer for everyone. Good luck!