Walltime Bug Bounty Program

Table of Contents

1 Overview

While Walltime works very hard & continuously to ensure the security of our platform, we understand that we might miss something.

Because of this Waltime established its public Bug Bounty program so that it can work together with security researchers worldwide in making sure our platform is secure. If you think you have found a security issue in one of our offerings we would like you to get in touch with us.

We commit to a serious effort in dealing with any potential or confirmed security issues as quickly as feasible.


  • Do your best to give priority to performing your security research in our testnet environment instead of our production environment - you can negotiate real testnet Bitcoins in our testnet environment https://walltime.info/testnet/index_pt.html#!login - if it is down / you have any issues with it, you want approval for a fake BRL deposit or want to perform a fake BRL withdrawal just reach out to our 24x7 support team.
  • Do not disclose your findings to any third party until we confirm that mitigation is in place;
  • Try to involve only accounts you own or to which you have explicit permission from the account holder in your tests/probes;
  • Stop if you feel you might be causing issues for third-parties/unrelated users (accidental denial-of-service), specially if you are working against the production environment (shutting down our testnet environment is ok, just let us know so we can put it back up asap!);
  • Get in touch with us if you plan on spending a lot of time/energy testing our platform. We might be able to assist / work close with you.

2 Scope

Only what is under walltime.info domain, it NOT include subdomains like support.walltime.info, cold.walltime.info etc. You can still report any bug in our subdomains, but probably will not be rewarded. The exceptions are when subdomains bugs could seriously affect Walltime main platform.

3 How to get in touch

Please send an encrypted (use GPG) email to security@walltime.info. Our key fingerprint is 075B2D250272664C79F4ED2FDE0DD747C1D77FE9 & our full key is also available under https://walltime.info/gpg.txt . Use English or Portuguese and please make sure you include information to allow us to securely get back in touch with you (riot.im handles, Signal/WhatsApp/Telegram Phone Numbers or a GPG key can all help with that).

If you feel there is urgency to your request - please reach out to our 24x7 support team and mention that a security issue has been reported (please do not provide any further details through regular support channels), and they will make sure the right people within Walltime are immediately notified.

4 Response Targets, Disclosure & Wall of Fame

Time to a first response - while we will do our best to contact you in the same day the potential vulnerability was reported, we commit to always contacting you within the first 3 days.

Time to resolution: 60 days maximum. For any major issues we endeavor to issue a resolution much more prompty than that. Time to bounty - mitigation/resolution + 5 days.

Public disclosure - feel free to go public with details of the vulnerability immediately after we confirm that mitigation/resolution is in place.

For serious vulnerabilities, please let us know if you would like to be listed in our Wall of Fame once it is in place.

5 Rewards and Payouts

Payouts will generally be in Bitcoin. The current maximum payout for reporting a critical vulnerability (i.e.: access to our testnet or production hot wallet, ability to move funds without authentication or something similarly serious) is the eqv of US$ 10,000.00 in BTC.

The first (and only the first) reporter of a given security issue will be rewarded. Monetary amounts will be awarded after a careful evaluation on a case-by-case basis - it is definitely in our best interests to establish a great reputation with security researchers, and thus you can count on us to be fair with bounties.

6 What not to do

There are a few things that this program does not cover because activities related to them can harm our operations without substantial upside in security. So while researching please do not perform any of:

  • Phishing and social engineering of Walltime staff, service providers or contractors.
  • DOS / DDOS / denial of service attacks in general;
  • Spamming;
  • Physical attacks of any kind against Walltime property;

7 What to submit

Please make sure you include clear steps to reproduce the issue along with screenshots/code/logs.

8 Other information

Walltime may modify, pause or cancel the Bug Bounty Program at any time. Please check back this page often for updates.

Author: Walltime

Created: 2019-08-07 qua 02:39