No technology is perfect, and Keybase believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
To show our appreciation of responsible security researchers, Keybase offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.
The Keybase API is documented at keybase.io/docs/api/1.0 __.
Keybase code is located at github.com/keybase __.
Depending on their impact, not all reported issues may qualify for a monetary reward.
Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect Keybase users (spam, denial of service), or sending reports from automated tools without verifying them.
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
If you want to help us out, we greatly appreciate it. Be advised that for the purposes of the engagement, you are working for us. When someone works for a company, that company usually compensates the person as a combination of: (1) how much they contribute to the company's products; and (2) how pleasant they are to work with. If you choose to act like a 5-year-old, it's within our rights to compensate you like one. In practice, what this means is: (a) no nagging; (b) no repeatedly asking us for updates; (c) no whining. Please be pleasant to work with, and we'll be pleasant in return.
Thank you for helping keep Keybase and our users safe!