Ripple is committed to maintaining our customers’ security and privacy and the data they entrust to us. As part of this commitment, we have a bug bounty program to identify and address security vulnerabilities in our software and systems.

Scope

The bug bounty program covers all publicly accessible web applications and APIs owned by Ripple. The program is split into two sections: Ripple and RippleX. The process and rules for the two programs differ. The following sections establish guidelines for submitting security bugs to the relevant bounty program:

Ripple Bug Bounty program

We have partnered with Bugcrowd to manage this program. It is a private program, and security researchers participate by invitation. If you plan to submit a bug, please email us at [email protected] with your Bugcrowd handle or the email address registered with Bugcrowd, and we will add you to the program.

The detailed bug bounty policy is available on the Bugcrowd website.

RippleX Bug Bounty program

Please use this program to report bugs in RippleX/Rippled. To report a qualifying bug, send a detailed report to [email protected], encrypted with the [email protected] public key identified below.

Report Bug

Short Key ID: 0xC57929BE
Long Key ID: 0xCD49A0AFC57929BE
Fingerprint: 24E6 3B02 37E0 FA9C 5E96 8974 CD49 A0AF C579 29BE

Reward and Recognition

The bug bounty program rewards security researchers who report vulnerabilities to us. There is no fixed reward structure for this program. Rewards vary dramatically based on vulnerability and quality. The bounty amounts and the final decisions are at the discretion of the RippleX team.

Qualifying Vulnerabilities

Software & Infrastructure

Only bugs in Ripple’s software or infrastructure are eligible for the bug bounty.

Relevant

Only security issues qualify for this bounty. A qualifying bug must pose a threat to user funds, user privacy, or Ripple's operations.

Original

The issue must not have been reported before.

Unknown

Bugs already known and discussed in public do not qualify. Previously reported bugs (including those with active tickets) are not eligible.

Specific

We welcome general security advice or recommendations, but we cannot pay bounties for them.

Fixable

There has to be something we can do to fix the problem permanently. Note that bugs in third-party software may still qualify in some cases. For example, if you find a bug in a browser that compromises security at Ripple and we can get it fixed by working with the browser vendor, you may qualify for a bounty.

Unused

If you use the exploit to attack us first, you do not qualify for a bounty. If you report a vulnerability used in an ongoing or past attack and we have specific, concrete evidence that suggests you are the attacker, we reserve the right not to pay a bounty.

Conclusion

Our bug bounty programs are essential to our overall security strategy. We are grateful for the contributions of the security research community and are committed to addressing any security vulnerabilities reported to us.