We have had a bounty for demonstrated security weaknesses on, for 19 months or so. The bounty program challenges hackers to break or reveal databases on the subject accounts. To date, nobody has claimed the big prize. We have paid modest bounties for various issues, but nobody has damaged or revealed private data.

Today, 17 April 2016, we bumped up the value of the bounty from $1,000 to $2,500. Hopefully, this will motivate more attacks and more concerted attacks. We also bumped the small bounty from $50 to $75.

When I talk to programmers about our 'SQL from the browser' operating model, the frequent response is 'how can that be secure?'. I am counting on (and challenging) you hackers/researchers to show us the actual security failings, if there are any. For a year and a half, nobody has been able to.

Bounty Program Page

While I was changing the bounty amount, I also added some verbiage to clarify what we are looking to incentivize, and what we do not need to hear about.

On the website, I posted my GPG public key, so you can send me encrypted mail and I can send you signed response emails. If, for some reason, you need specific permission to attack our accounts, ask in an encrypted email and I will grant it.