Cobalt bug bounty program


LocalBitcoins

Buy and sell bitcoins near you

#CC112

Description

LocalBitcoins.com is a marketplace for trading bitcoins locally to cash or online payments of your choice. This program has been created to invite skilled researchers to check the security of LocalBitcoins.

LocalBitcoins reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.

In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:

  • XSS
  • CSRF
  • Authentication bypass or privilege escalation
  • Click jacking
  • Remote code execution
  • Obtaining sensitive user information

Bounty guidelines

We reward reports based on the following guidelines

  • High: demonstrated vulnerability which bypasses the wallet security and may result in the loss of Bitcoin
  • Medium: XSS or CSRF that cannot access the user wallet but may cause harm to the user, or that requires suspicious user interaction
  • Low: security weaknesses which alone are not sufficient to bypass the security
  • Declined: the submitter did not read the out-of-scope cases or did not follow best practices

For more severe issues higher bounties may be paid.

We kindly ask the submitter to apply common sense when writing the vulnerability submission. Your submission will be rated from 1 to 5 stars, and your profile gets a public track record on CrowdCurity.

Out of scope

In general, the following would not meet the threshold for the severity and should not be reported:

  • Vulnerabilities on sites hosted by third parties (charts.localbitcoins.com, analytics, etc) unless they lead to a vulnerability on the main website
  • Denial of service
  • Spamming
  • Username and email enumeration
  • Cached pages
  • Weak passwords (two-factor authentication recommended)
  • Autocomplete
  • Password reset email capture
  • User editable text in plain text emails
  • Session length and expiration
  • CSRF token lifetime
  • Known software stack and HTTP headers
  • Cross-domain reference leaks for known good sites
  • Attacks against SSL protocol
  • Attacks requiring DNS takeover
  • Attacks mitigated by HSTS (HTTP Strict Transport Security)
  • Attacks causing easily undoable harm (e.g. XSS that logs the victim out)
  • Vulnerabilities in third party applications which make use of the LocalBitcoins API
  • Vulnerabilities regarding the forum, which should be reported to muut.com; bounties for them are paid according to the muut.com whitehat program
  • Text injection in 404

For all claimed XSS or CSRF vulnerabilities please demonstrate a third party website exploiting the issue.

The terms for running and engaging in a security program always apply.

Specs

  • Rewards

    High: $1,000
    Medium: $300
    Low: $50

  • Disclosure Rules

    Responsible disclosure

  • Access Level

    Open for all

  • Response Time / Rate

    2 - 7 days / 98%

  • Researcher Feedback

    Average of all evaluations

Latest announcements

No announcements yet

Earlier this month

hackerashishpathak submitted a report

February

zero_width_space submitted a report
LocalBitcoins closed a report from diekinder
diekinder submitted a report
LocalBitcoins closed a report from monish
monish submitted a report

January

LocalBitcoins closed a report from gautamajay34
gautamajay34 submitted a report
LocalBitcoins closed a report from gautamajay34
LocalBitcoins closed a report from gautamajay34
gautamajay34 submitted a report
gautamajay34 submitted a report
gautamajay34 submitted a report
LocalBitcoins closed a report from Arbin
LocalBitcoins closed a report from amalunni
LocalBitcoins closed a report from hacky4594
LocalBitcoins rewarded hacky4594 with a bounty and 9.3 Rep

December (2016)

Arbin submitted a report
amalunni submitted a report

November (2016)

LocalBitcoins closed a report from craXer_bikash1