LocalBitcoins security contact and vulnerability reporting

LocalBitcoins recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities.

Responsible Disclosure

Responsible disclosure includes

  1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
  2. Making a good faith effort to not leak or destroy any LocalBitcoins user data.
  3. Not defrauding LocalBitcoins users or LocalBitcoins itself in the process of discovery.

In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.

Thank you for helping keep the bitcoin community safe!

Rewards

LocalBitcoins is willing to reward security researchers for bug reports that help us improve our security. However, the company reserves the right to evaluate reported vulnerabilities, their relevance and risk level, and based on that to decide on a possible reward.

Focus areas

We are especially interested in, and willing to reward, the following types of vulnerabilities:

  • Stored and reflected XSS
  • RCE / command injections
  • SQL injections
  • XML injections / XXE
  • Serious data leakage vulnerabilities
  • CSRF or broken session management with exploitable PoC
  • SSRF
  • Authentication and authorization flaws

Findings that are non-rewardable

  • Error messages, stack traces
  • Lack of SPF records
  • Disclosure of used software versions
  • Misconfigured or lack of certain HTTP headers
  • Vulnerabilities that are not exploitable in modern browsers
  • Lack of Secure and HttpOnly flags on cookies that are not considered sensitive
  • Username or email enumeration
  • DoS attacks or spamming

Reporting security issues

Security issues can be reported via email to [email protected]

Sensitive reports can be encrypted with the following PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
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=sUms
-----END PGP PUBLIC KEY BLOCK-----

Hall of fame

LocalBitcoins credits the following people who have helped improve our security:

Madhu Akula

Kesav Viswanath

Gopinath Madurai

Ahmed Jerbi

Sunil Modi

Syed Muhammad Asim