Have they offered to hire you as a consultant or on a bounty to keep checking for bugs?
No. Their response to responsible disclosure is deeply belittling.
https://i.imgur.com/z8mW9DJ.png
• You have to nag them to even pay out. Some of the reports I have made could have been leveraged to steal millions of dollars worth of Bitcoin directly from their users, such as a plaintext websocket fallback in the wallet communication, SSL not being enforced at all, HSTS not being enforced, and a logical bypass for their Tor exit node blocking which amplified MITM attacks. The bounty for these bugs was lumped together at 1.9 BTC total, which I found to be astonishingly low given their profile and the probable impact.
• Their security "team" does not know how to use GPG properly: when I reported an insanely critical bug that could still result in the theft of Bitcoin, they responded to a GPG-encrypted email in plaintext, acknowledging and quoting the security-sensitive information.
• High-risk bugs that affect the integrity of their service are said to be in scope, partially fixed, encouragement is given, and then all further reports are ignored for weeks. As it currently stands, the statement that if you use their browser extension or application you are safe from remote attack is completely false.
It is for these reasons I will not be attempting to responsibly disclose bugs to blockchain.info in the future, and I do not suggest other researchers attempt it either.
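The first bullet above names three transport-layer weaknesses (a plaintext websocket fallback, SSL not enforced, HSTS not enforced). As an added example that is not from the thread or from blockchain.info, the following Python checker shows what a defender would verify on a wallet endpoint: that the endpoint is HTTPS, that a Strict-Transport-Security header is present and parsed into a usable policy, and that no configured websocket URL falls back to plaintext `ws://`. All hostnames, headers and the one-year `MIN_HSTS_MAX_AGE` threshold are constructed assumptions for the example.

```python
from urllib.parse import urlparse

# Assumed policy threshold: HSTS max-age of at least one year (constructed, not from the thread)
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into its directives.

    Returns a dict with max_age (int or None when missing/invalid),
    include_subdomains (bool) and preload (bool). Directive names are
    case-insensitive; unknown directives are ignored.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if value.isdigit():
                result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_transport_security(url, headers, websocket_urls):
    """Return a list of findings for an endpoint URL, its response headers
    and the websocket URLs a client is configured to use.

    An empty list means every check passed.
    """
    findings = []

    if urlparse(url).scheme.lower() != "https":
        findings.append("endpoint served over plaintext HTTP")

    # Header names are case-insensitive in HTTP, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None:
            findings.append("HSTS max-age missing or invalid")
        elif parsed["max_age"] < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too short ({parsed['max_age']}s)")
        if not parsed["include_subdomains"]:
            findings.append("HSTS does not cover subdomains")

    # Any non-wss:// websocket URL is a plaintext fallback path.
    for ws in websocket_urls:
        if urlparse(ws).scheme.lower() != "wss":
            findings.append(f"plaintext websocket fallback configured: {ws}")

    return findings


# Constructed sample configurations (hostnames are placeholders, not real services)
WEAK = {
    "url": "http://wallet.example.test/",
    "headers": {},
    "websocket_urls": ["wss://ws.example.test/inv", "ws://ws.example.test/inv"],
}
HARDENED = {
    "url": "https://wallet.example.test/",
    "headers": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "websocket_urls": ["wss://ws.example.test/inv"],
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        result = check_transport_security(cfg["url"], cfg["headers"], cfg["websocket_urls"])
        print(name, result or ["no findings"])
```

The HSTS parser is deliberately lenient about directive order and casing, since browsers accept both, but strict about `max-age`: a missing or non-numeric value is reported rather than silently treated as zero, because a header that parses to no usable policy is as ineffective as no header at all.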