Bug Bounty Program

If you have found a vulnerability on the blockchair.com website or in our API (api.blockchair.com), please report it to security@blockchair.com

Once we've received your report, we'll investigate it and respond to you as soon as possible. We ask you not to discuss any vulnerabilities you have found (including resolved ones) without our express consent.

a Bug
Participation in the Bug Bounty Program requires you to comply with the policy below.
General rules
  • You must be the first to report the issue to us. Only the first reporter is awarded.
  • Please provide us with the steps to reproduce the issue and enough information so that we can reproduce and verify it. If we are not able to reproduce the issue, it will not be eligible for a reward.
  • No testing of DoS, spam, and social engineering issues.
  • Tests must not violate any law, or compromise any data that is not yours.
  • If multiple vulnerabilities are caused by one underlying issue it will be awarded as one report.
  • Please don't use vulnerability testing tools that generate significant volumes of traffic, that may disqualify you from getting a reward.
Rewards
  • Up to $2,500 for critical issues (e.g. getting direct access to one of our databases)
  • Up to $1,000 for non-critical issues (e.g. XSS)
  • $100 for minor bugs or not following some best practices
Rewards are to be paid in Bitcoin, via PayPal, or via wire transfers. $ means USD.
Not eligible for reward
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
  • Email. Spam, mail spoofing, mail bomb, missing best practices (SPF/DKIM/DMARC records).
  • DoS.
  • Rate limiting (brute-force) issues on non-authentication endpoints.
  • Reports from automated tools, scanners, etc.
  • Missing best practices in Content Security Policy; HttpOnly or Secure flags on cookies; SSL/TLS configuration (these reports will still be appreciated).
  • CSRF on unauthenticated forms (these reports will still be appreciated).
  • Use of known-vulnerable library or component. Public Zero-day vulnerabilities that have had an official patch for less than 1 month might be awarded.
  • Clickjacking on pages that don't lead to any leakage.
  • Content spoofing and text injection without being able to modify HTML.
  • No IE6 vulnerabilities (outdated and unpatched browsers should not be used).
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Vulnerabilities that are already known and being fixed (such as discovered by our team).
Beginning September 10th we will start using a 3rd party provider to filter our traffic. Neither we nor them store access logs for longer than needed to filter out certain network attacks. To achieve 100% privacy we recommend using the Tor Browser. Our Privacy Policy.