Tarsnap - Online backups for the truly paranoid

Navigation menu

Tarsnap Bug Bounty Recipients

Top bug-hunters

The following individuals have been awarded Tarsnap bug bounties:

Name Total value Number of bounties
Ralph Corderoy $1039 150
Taylor R Campbell $609 8
Tim Bishop $320 3
Kim Gwan Yeong $300 2
Rasmus Villemoes $256 39
Carlo Teubner $215 12
Eyal Itkin $200 2
Elamaran Venkatraman $200 1
Ryan Govostes $150 2
Benjamin Gilbert $148 8
Ariel Ben Yehuda $110 2
Anand H D $100 1
Ian Gallagher $100 1
Kyle George $100 1
Matthew Seaman $100 1
Ralph Smith $100 1
Tavis Ormandy $100 1
Peter Gijsels $89 36
Ross L Richardson $60 11
Peter Lloyd $60 3
Thomas Klausner $60 2
Tony Gies $60 2
Shachaf Ben-Kiki $50 22
Pedro Ribeiro $50 5
Richard Todd $50 1
Ted Unangst $45 5
Scott Newell $38 29
Sean Farrell $33 5
Tim van der Molen $30 3
Kyle Hubert $30 2
Brian St. Pierre $25 7
Ville Aine $21 3
Nick Hay $20 2
Anderson Lizardo $20 1
Finn Espen Gundersen $20 1
Merijn Verstraaten $20 1
Sami Farin $20 1
Jamie Landeg Jones $15 2
Michael Stevens $12 3
Dmitry Chestnykh $11 2
Håkon Hitland $10 1
Jeff Flowers $10 1
Michael Düll $10 1
Stephen Martin $10 1
Steve Richards $10 1
Jim Apple $7 7
Eitan Adler $5 5
Nathan Baum $5 1
Shannon Severance $5 1
Hasnain Lakhani $4 4
Eike Herzbach $3 3
Lars Balker Rasmussen $3 3
Christian Brueffer $2 2
Rory McNamara $2 2
Shawn Smith $2 2
Zachary Burt $2 2
Andrew Bradford $1 1
Austin Anderson $1 1
David Browne $1 1
Josh Holland $1 1
Levi Gross $1 1
Martin Koch Andersen $1 1
Matt Horan $1 1
Matthew Johnson $1 1
Nate Theis $1 1
Ross Chadwick $1 1
Russell Sutherland $1 1
Thordur Bjornsson $1 1
Anonymous (consolidated) $12 3

Major bugs

Name Value Fixed in Bug
Taylor R Campbell $500 1.0.28 AES CTR nonce bug

Minor bugs

Name Value Fixed in Bug
Kim Gwan Yeong $200 1.0.38 Double free if the config file has a line with >= 8192 chars
Tim Bishop $200 1.0.36 Crash with --dry-run but no --cachedir
Elamaran Venkatraman $200 n/a Email confirmation bypass
Eyal Itkin $100 1.0.39 Division-by-zero bug in scrypt decryption
Eyal Itkin $100 1.0.39 Overflow when reading a cpio archive with namelength of FFFFFFFF on 32-bit platforms
Kim Gwan Yeong $100 1.0.38 Access to freed memory / double-free during error exit path
Kyle George $100 1.0.38 Crash in libarchive subst.c code with tarsnap somespam -t
Ariel Ben Yehuda $100 1.0.36 One-byte path buffer overflow
Benjamin Gilbert $100 1.0.36 Tarsnap opens devices on linux
Matthew Seaman $100 1.0.36 Crash when first DNS lookup performed by tarsnap fails
Ryan Govostes $100 1.0.36 Crash when reading a validly signed corrupt archive
Tim Bishop $100 1.0.35 Crash in tarsnap 1.0.34 provoked by network failure
Anand H D $100 1.0.34 Crash when reading a corrupt key file on 64-bit platforms
Ralph Smith $100 1.0.32 Broken --nodump handling on Linux
Tavis Ormandy $100 1.0.31 Race condition in key file creation with weak umask
Ian Gallagher $100 n/a Missing HTML encoding in web interface
Taylor R Campbell $80 n/a Multiple bugs affecting scrypt out-of-directory builds
Rasmus Villemoes $50 1.0.40 Better check for the chunk directory file size
Ross L Richardson $50 1.0.38 Report an error for --configfile /no-such-file
Ryan Govostes $50 1.0.36 Incorrect error message format strings
Tony Gies $50 1.0.34 Terminal settings not restored on ^C during passphrase entry
Richard Todd $50 1.0.33 Incorrect handling of --newer on directories
Carlo Teubner $50 1.0.31 Possible tarsnap crash in @archive processing with truncated ISO
Carlo Teubner $50 1.0.30 Incorrect handling of ~ in tarsnap -s path substitutions
Carlo Teubner $50 1.0.30 Possible cachedir corruption if tarsnap is killed at the wrong time
Ralph Corderoy $50 1.0.30 Failure to parse base-16 values in mtree files
Ralph Corderoy $50 1.0.30 Incorrect overflow handling when parsing base-10 values in mtree files
Ralph Corderoy $50 1.0.30 Incorrect overflow handling when parsing base-16 values in mtree files
Ralph Corderoy $50 1.0.30 Missing handling of chdir errors when completing directory tree traversal
Ralph Corderoy $50 1.0.30 Tarsnap ships with unused parts of libarchive
Ralph Corderoy $50 1.0.30 UTF8-to-wchar_t conversion can walk past the end of a corrupt string
Ralph Corderoy $50 1.0.30 readdir failure can result in files/directories being silently not archived
Thomas Klausner $40 n/a Build breakage in scrypt with non-FreeBSD shells
Benjamin Gilbert $20 1.0.38 Incorrect include directory search order
Merijn Verstraaten $20 1.0.36 Build breakage with paths containing whitespace
Finn Espen Gundersen $20 1.0.34 Failure on systems with struct padding (e.g., ARM OABI)
Ralph Corderoy $20 1.0.30 Build breakage with out-of-directory builds
Ralph Corderoy $20 1.0.30 keygen/keyregen fails incorrectly with --machine ''
Kyle Hubert $20 n/a Build breakage in spiped and kivaloo
Shachaf Ben-Kiki $20 n/a Crash in spiped and kivaloo with argc == 0
Taylor R Campbell $20 n/a Build breakage in scrypt with out-of-directory builds

Harmless bugs

Name Total Value Number of bounties
Ralph Corderoy $560 56
Rasmus Villemoes $160 16
Peter Lloyd $60 3
Pedro Ribeiro $50 5
Carlo Teubner $40 4
Ted Unangst $40 4
Tim van der Molen $30 3
Benjamin Gilbert $20 2
Brian St. Pierre $20 2
Nick Hay $20 2
Ville Aine $20 2
Anderson Lizardo $20 1
Sami Farin $20 1
Sean Farrell $20 1
Thomas Klausner $20 1
Tim Bishop $20 1
Ariel Ben Yehuda $10 1
Dmitry Chestnykh $10 1
Håkon Hitland $10 1
Jamie Landeg Jones $10 1
Jeff Flowers $10 1
Kyle Hubert $10 1
Michael Düll $10 1
Michael Stevens $10 1
Peter Gijsels $10 1
Scott Newell $10 1
Shachaf Ben-Kiki $10 1
Stephen Martin $10 1
Steve Richards $10 1
Tony Gies $10 1
Anonymous (consolidated) $10 1

Cosmetic errors

Name Total Value Number of bounties
Ralph Corderoy $89 85
Peter Gijsels $79 35
Rasmus Villemoes $46 22
Scott Newell $28 28
Carlo Teubner $25 5
Shachaf Ben-Kiki $20 20
Sean Farrell $13 4
Ross L Richardson $10 10
Taylor R Campbell $9 5
Benjamin Gilbert $8 4
Jim Apple $7 7
Brian St. Pierre $5 5
Eitan Adler $5 5
Jamie Landeg Jones $5 1
Nathan Baum $5 1
Shannon Severance $5 1
Ted Unangst $5 1
Hasnain Lakhani $4 4
Eike Herzbach $3 3
Lars Balker Rasmussen $3 3
Christian Brueffer $2 2
Michael Stevens $2 2
Rory McNamara $2 2
Shawn Smith $2 2
Zachary Burt $2 2
Andrew Bradford $1 1
Austin Anderson $1 1
David Browne $1 1
Dmitry Chestnykh $1 1
Josh Holland $1 1
Levi Gross $1 1
Martin Koch Andersen $1 1
Matt Horan $1 1
Matthew Johnson $1 1
Nate Theis $1 1
Ross Chadwick $1 1
Russell Sutherland $1 1
Thordur Bjornsson $1 1
Ville Aine $1 1
Anonymous (consolidated) $2 2