select market

BTC / EUR 58.499,55
Last price (BTC)
24h volume
Javascript is required to use BL3P. Please turn it on or add an exception
Your browser version is outdated. We have decided to spend our time on making Bl3p better, instead of wasting it on compatibility for ancient browsers. Please install Chrome frame if you wish to continue on your current browser, or consider installing Firefox or Chrome.

Reporting security issues

If you discover a problem or a vulnerability in our systems, we would appreciate it if you share this information with us (as soon as possible). Security errors will be rewarded with a sum of bitcoins or a mention on the " wall of fame ". The height of the reward depends on the impact of the error but can be up to a maximum of 5 BTC. You can count on a reward if you're the first one who alerts a security issue and if this results in a change in the code or configuration. Some examples of security errors include:

Eligible security problems
For example:
  • Cross Site Scripting (XSS)
  • SQL-injection
  • Encryption issues
Issues not to report

Some security errors are not eligible for a reward because they have a low impact on security. The following type of security errors are some examples. Please don't mention such flaws unless a combination of errors can lead to a security issue with a greater impact.

  • General error messages regarding application or server errors.
  • HTTP 404 and other non HTTP 200 error codes
  • Accessibility of public files and folders (like robots.txt)
  • CSRF-issues on parts of the site that are available to anonymous visitors
  • CSRF-issues without (critical) consequences for users
  • Trace HTTP functions that may be active
  • SSL attacks like BEAST, BREACH, Renegotiation
  • SSL Forward secrecy unused
  • Anti-MIME-Sniffing header X-Content-Type-functions
  • Missing HTTP security headers
  • Presence of HTTPS Mixed Content Scripts / errors
  • SPF Record settings

In addition, we apply the following rules:

  • Don't apply any damage during your investigation
  • Don't use social engineering techniques to gain access to our systems
  • Don't publish company or customer data
  • Don't share gained access with others in case you successfully penetrated the system
  • Don't make any changes in the system
  • Don't copy more information than your investigation requires
  • Don't use brute-force techniques
  • Don’t use techniques that can influence the availability of our services

Security Issues can be emailed to: Please clearly describe the problem that you found and the steps to take to reproduce it. Add attachments like screenshots or data dumps to clarify the issue if possible. After receiving the notice, we will send an acknowledgment as soon as possible. We need some time to study and assess the report. After a maximum of three working days you will receive a first substantive response.

Hall of fame

We thank the bug-hunters listed below for their efforts to make BL3P more secure. They have also received a bounty.

Hamid Ashraf @hamihax After changing account email, old password reset link stays valid The link expires autamatically after one hour
Harsha Vardhan Redirect after CSRF error could take user back to attacker
Old password reset links stays valid after reset Link is only available to user, timeout after 1 hour
Logging out did not clear browser cache
CSRF token at security not checked correctly If a user had security TFA disabled, an attacker could trick the user into disabling login TFA as well
Upload of malicious image files could overload verification server
James A. Old sessions remain valid after password change
Sahil S. XSS vulnerability in verification system A bug in the localization system could in some cases display unfiltered user input
Insecure session cookie Sessions are IP-locked
Elyesa (Matthew) in der Maur TOTP code could be reused in other session Only for same user
Confirmation link not locked to changed setting
Logout on BL3P did not instantly end session on verification server
Clickjacking defense in BVS not functioning for partial content
Possible name exposure via account restore
Email spam possible with email change confirmation links
XSS in some cases possible via email
Could change account email to existing value
Server side validation of withdrawal bank account broken
Mandeep Jadon Consecutive confirmation link requests did not invalidate former requests
Confirmation links were unjustly reported as being IP-locked.
Krishna Manoj Vandavasi Input validation in verification system insufficient Could lead to higher spam rating for mails from when entering malicious URLS
Jay K PatelAccount email was not validated properly on change
Ahmad Shuja Some weak passwords were not denied
Jochem Kuijpers Configuration entries shown in JSON output