Tarsnap Bug Bounty Recipients
Top bug-hunters
The following individuals have been awarded Tarsnap bug bounties:
| Name | Total value | Number of bounties |
| --- | --- | --- |
| Ralph Corderoy | $1039 | 150 |
| Boris Alexeev | $1000 | 1 |
| Yan X Zhang | $1000 | 1 |
| Taylor R Campbell | $609 | 8 |
| Tim Bishop | $320 | 3 |
| Kim Gwan Yeong | $300 | 2 |
| Rasmus Villemoes | $256 | 39 |
| Carlo Teubner | $215 | 12 |
| Eyal Itkin | $200 | 2 |
| Elamaran Venkatraman | $200 | 1 |
| Benjamin Gilbert | $178 | 11 |
| Ryan Govostes | $150 | 2 |
| Ariel Ben Yehuda | $110 | 2 |
| Anand H D | $100 | 1 |
| Ian Gallagher | $100 | 1 |
| Kyle George | $100 | 1 |
| Matthew Seaman | $100 | 1 |
| Ralph Smith | $100 | 1 |
| Tavis Ormandy | $100 | 1 |
| Peter Gijsels | $89 | 36 |
| Thomas Klausner | $80 | 3 |
| Ross L Richardson | $60 | 11 |
| Peter Lloyd | $60 | 3 |
| Tony Gies | $60 | 2 |
| Shachaf Ben-Kiki | $50 | 22 |
| Pedro Ribeiro | $50 | 5 |
| Richard Todd | $50 | 1 |
| Ted Unangst | $45 | 5 |
| Scott Newell | $38 | 29 |
| Sean Farrell | $33 | 5 |
| Tim van der Molen | $30 | 3 |
| Kyle Hubert | $30 | 2 |
| Brian St. Pierre | $25 | 7 |
| Ville Aine | $21 | 3 |
| Nick Hay | $20 | 2 |
| Anderson Lizardo | $20 | 1 |
| Finn Espen Gundersen | $20 | 1 |
| Merijn Verstraaten | $20 | 1 |
| Sami Farin | $20 | 1 |
| Jamie Landeg Jones | $15 | 2 |
| Michael Stevens | $12 | 3 |
| Dmitry Chestnykh | $11 | 2 |
| Håkon Hitland | $10 | 1 |
| Jeff Flowers | $10 | 1 |
| Michael Düll | $10 | 1 |
| Stephen Martin | $10 | 1 |
| Steve Richards | $10 | 1 |
| Jim Apple | $7 | 7 |
| Eitan Adler | $5 | 5 |
| Nathan Baum | $5 | 1 |
| Shannon Severance | $5 | 1 |
| Hasnain Lakhani | $4 | 4 |
| Eike Herzbach | $3 | 3 |
| Lars Balker Rasmussen | $3 | 3 |
| Christian Brueffer | $2 | 2 |
| Rory McNamara | $2 | 2 |
| Shawn Smith | $2 | 2 |
| Zachary Burt | $2 | 2 |
| Andrew Bradford | $1 | 1 |
| Austin Anderson | $1 | 1 |
| David Browne | $1 | 1 |
| Josh Holland | $1 | 1 |
| Levi Gross | $1 | 1 |
| Martin Koch Andersen | $1 | 1 |
| Matt Horan | $1 | 1 |
| Matthew Johnson | $1 | 1 |
| Nate Theis | $1 | 1 |
| Ross Chadwick | $1 | 1 |
| Russell Sutherland | $1 | 1 |
| Thordur Bjornsson | $1 | 1 |
| Anonymous (consolidated) | $20 | 11 |
Major bugs
| Name | Value | Fixed in | Bug |
| --- | --- | --- | --- |
| Boris Alexeev | $1000 | 1.0.41 | Chunking Attacks on File Backup Services using Content-Defined Chunking |
| Yan X Zhang | $1000 | 1.0.41 | Chunking Attacks on File Backup Services using Content-Defined Chunking |
| Taylor R Campbell | $500 | 1.0.28 | AES CTR nonce bug |
Minor bugs
| Name | Value | Fixed in | Bug |
| --- | --- | --- | --- |
| Kim Gwan Yeong | $200 | 1.0.38 | Double free if the config file has a line with >= 8192 chars |
| Tim Bishop | $200 | 1.0.36 | Crash with --dry-run but no --cachedir |
| Elamaran Venkatraman | $200 | n/a | Email confirmation bypass |
| Eyal Itkin | $100 | 1.0.39 | Division-by-zero bug in scrypt decryption |
| Eyal Itkin | $100 | 1.0.39 | Overflow when reading a cpio archive with namelength of FFFFFFFF on 32-bit platforms |
| Kim Gwan Yeong | $100 | 1.0.38 | Access to freed memory / double-free during error exit path |
| Kyle George | $100 | 1.0.38 | Crash in libarchive subst.c code with tarsnap somespam -t |
| Ariel Ben Yehuda | $100 | 1.0.36 | One-byte path buffer overflow |
| Benjamin Gilbert | $100 | 1.0.36 | Tarsnap opens devices on Linux |
| Matthew Seaman | $100 | 1.0.36 | Crash when first DNS lookup performed by tarsnap fails |
| Ryan Govostes | $100 | 1.0.36 | Crash when reading a validly signed corrupt archive |
| Tim Bishop | $100 | 1.0.35 | Crash in tarsnap 1.0.34 provoked by network failure |
| Anand H D | $100 | 1.0.34 | Crash when reading a corrupt key file on 64-bit platforms |
| Ralph Smith | $100 | 1.0.32 | Broken --nodump handling on Linux |
| Tavis Ormandy | $100 | 1.0.31 | Race condition in key file creation with weak umask |
| Ian Gallagher | $100 | n/a | Missing HTML encoding in web interface |
| Taylor R Campbell | $80 | n/a | Multiple bugs affecting scrypt out-of-directory builds |
| Rasmus Villemoes | $50 | 1.0.40 | Better check for the chunk directory file size |
| Ross L Richardson | $50 | 1.0.38 | Report an error for --configfile /no-such-file |
| Ryan Govostes | $50 | 1.0.36 | Incorrect error message format strings |
| Tony Gies | $50 | 1.0.34 | Terminal settings not restored on ^C during passphrase entry |
| Richard Todd | $50 | 1.0.33 | Incorrect handling of --newer on directories |
| Carlo Teubner | $50 | 1.0.31 | Possible tarsnap crash in @archive processing with truncated ISO |
| Carlo Teubner | $50 | 1.0.30 | Incorrect handling of ~ in tarsnap -s path substitutions |
| Carlo Teubner | $50 | 1.0.30 | Possible cachedir corruption if tarsnap is killed at the wrong time |
| Ralph Corderoy | $50 | 1.0.30 | Failure to parse base-16 values in mtree files |
| Ralph Corderoy | $50 | 1.0.30 | Incorrect overflow handling when parsing base-10 values in mtree files |
| Ralph Corderoy | $50 | 1.0.30 | Incorrect overflow handling when parsing base-16 values in mtree files |
| Ralph Corderoy | $50 | 1.0.30 | Missing handling of chdir errors when completing directory tree traversal |
| Ralph Corderoy | $50 | 1.0.30 | Tarsnap ships with unused parts of libarchive |
| Ralph Corderoy | $50 | 1.0.30 | UTF8-to-wchar_t conversion can walk past the end of a corrupt string |
| Ralph Corderoy | $50 | 1.0.30 | readdir failure can result in files/directories being silently not archived |
| Thomas Klausner | $40 | n/a | Build breakage in scrypt with non-FreeBSD shells |
| Benjamin Gilbert | $20 | 1.0.38 | Incorrect include directory search order |
| Merijn Verstraaten | $20 | 1.0.36 | Build breakage with paths containing whitespace |
| Finn Espen Gundersen | $20 | 1.0.34 | Failure on systems with struct padding (e.g., ARM OABI) |
| Ralph Corderoy | $20 | 1.0.30 | Build breakage with out-of-directory builds |
| Ralph Corderoy | $20 | 1.0.30 | keygen/keyregen fails incorrectly with --machine '' |
| Kyle Hubert | $20 | n/a | Build breakage in spiped and kivaloo |
| Shachaf Ben-Kiki | $20 | n/a | Crash in spiped and kivaloo with argc == 0 |
| Taylor R Campbell | $20 | n/a | Build breakage in scrypt with out-of-directory builds |
Harmless bugs
| Name | Total value | Number of bounties |
| --- | --- | --- |
| Ralph Corderoy | $560 | 56 |
| Rasmus Villemoes | $160 | 16 |
| Peter Lloyd | $60 | 3 |
| Benjamin Gilbert | $50 | 5 |
| Pedro Ribeiro | $50 | 5 |
| Carlo Teubner | $40 | 4 |
| Ted Unangst | $40 | 4 |
| Thomas Klausner | $40 | 2 |
| Tim van der Molen | $30 | 3 |
| Brian St. Pierre | $20 | 2 |
| Nick Hay | $20 | 2 |
| Ville Aine | $20 | 2 |
| Anderson Lizardo | $20 | 1 |
| Sami Farin | $20 | 1 |
| Sean Farrell | $20 | 1 |
| Tim Bishop | $20 | 1 |
| Ariel Ben Yehuda | $10 | 1 |
| Dmitry Chestnykh | $10 | 1 |
| Håkon Hitland | $10 | 1 |
| Jamie Landeg Jones | $10 | 1 |
| Jeff Flowers | $10 | 1 |
| Kyle Hubert | $10 | 1 |
| Michael Düll | $10 | 1 |
| Michael Stevens | $10 | 1 |
| Peter Gijsels | $10 | 1 |
| Scott Newell | $10 | 1 |
| Shachaf Ben-Kiki | $10 | 1 |
| Stephen Martin | $10 | 1 |
| Steve Richards | $10 | 1 |
| Tony Gies | $10 | 1 |
| Anonymous (consolidated) | $10 | 1 |
Cosmetic errors
| Name | Total value | Number of bounties |
| --- | --- | --- |
| Ralph Corderoy | $89 | 85 |
| Peter Gijsels | $79 | 35 |
| Rasmus Villemoes | $46 | 22 |
| Scott Newell | $28 | 28 |
| Carlo Teubner | $25 | 5 |
| Shachaf Ben-Kiki | $20 | 20 |
| Sean Farrell | $13 | 4 |
| Ross L Richardson | $10 | 10 |
| Taylor R Campbell | $9 | 5 |
| Benjamin Gilbert | $8 | 4 |
| Jim Apple | $7 | 7 |
| Brian St. Pierre | $5 | 5 |
| Eitan Adler | $5 | 5 |
| Jamie Landeg Jones | $5 | 1 |
| Nathan Baum | $5 | 1 |
| Shannon Severance | $5 | 1 |
| Ted Unangst | $5 | 1 |
| Hasnain Lakhani | $4 | 4 |
| Eike Herzbach | $3 | 3 |
| Lars Balker Rasmussen | $3 | 3 |
| Christian Brueffer | $2 | 2 |
| Michael Stevens | $2 | 2 |
| Rory McNamara | $2 | 2 |
| Shawn Smith | $2 | 2 |
| Zachary Burt | $2 | 2 |
| Andrew Bradford | $1 | 1 |
| Austin Anderson | $1 | 1 |
| David Browne | $1 | 1 |
| Dmitry Chestnykh | $1 | 1 |
| Josh Holland | $1 | 1 |
| Levi Gross | $1 | 1 |
| Martin Koch Andersen | $1 | 1 |
| Matt Horan | $1 | 1 |
| Matthew Johnson | $1 | 1 |
| Nate Theis | $1 | 1 |
| Ross Chadwick | $1 | 1 |
| Russell Sutherland | $1 | 1 |
| Thordur Bjornsson | $1 | 1 |
| Ville Aine | $1 | 1 |
| Anonymous (consolidated) | $10 | 10 |
