LocalRipple security contact and vulnerability reporting
LocalRipple recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities.
Responsible disclosure includes:
- Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
- Making a good faith effort to not leak or destroy any LocalRipple user data.
- Not defrauding LocalRipple users or LocalRipple itself in the process of discovery.
In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.
Thank you for helping keep the bitcoin community safe!
LocalRipple is willing to reward security researchers for bug reports that help us improve our security. However, the company reserves the right to evaluate reported vulnerabilities, their relevance and risk level, and to decide on a possible reward based on that evaluation.
We are especially interested in, and willing to reward, the following types of vulnerabilities:
- Stored and reflected XSS
- RCE / command injections
- SQL injections
- XML injections / XXE
- Serious data leakage vulnerabilities
- CSRF or broken session management with exploitable PoC
- Authentication and authorization flaws
Findings that are non-rewardable:
- Error messages, stack traces
- Lack of SPF records
- Disclosure of used software versions
- Misconfiguration or lack of certain HTTP headers
- Vulnerabilities that are not exploitable in modern browsers
- Lack of Secure and HttpOnly flags on cookies that are not considered sensitive
- Username or email enumeration
- DoS attacks or spamming