Tarsnap Bug Bounties

According to Linus' Law, "given enough eyeballs, all bugs are shallow". This is one of the reasons why the Tarsnap client source code is publicly available; but merely making the source code available doesn't accomplish anything if people don't bother to read it.

For this reason, Tarsnap has a series of bug bounties. Similar to the bounties offered by Mozilla and Google, the Tarsnap bug bounties provide an opportunity for people who find bugs to win cash. Unlike those bounties, the Tarsnap bug bounties aren't limited to security bugs. Depending on the type of bug and when it is reported, different bounties will be awarded:

Bounty value Pre-release bounty value Type of bug
$1000 $2000 A bug which allows someone intercepting Tarsnap traffic to decrypt Tarsnap users' data.
$500 $1000 A bug which allows the Tarsnap service to decrypt Tarsnap users' data.
$500 $1000 A bug which causes data corruption or loss.
$100 $200 A bug which causes Tarsnap to crash (without corrupting data or losing any data other than an archive currently being written).
$50 $100 Any other non-harmless bugs in Tarsnap.
$20 $40 Build breakage on a platform where a previous Tarsnap release worked.
$10 $20 "Harmless" bugs, e.g., cosmetic errors in Tarsnap output or mistakes in source code comments.
$5 $10 A patch which significantly improves the clarity of source code (e.g., by refactoring), source code comments (e.g., by rewording or adding text to clarify something), or documentation. (Merely pointing to something and saying "this is unclear" does not qualify; you must provide the improvement.)
$1 $2 Cosmetic errors in the Tarsnap source code or website, e.g., typos in website text or source code comments. Style errors in Tarsnap code qualify here, but usually not style errors in upstream code (e.g., libarchive).

The pre-release bounty value will be awarded for bugs reported in the interval between when a new Tarsnap release is sent to the tarsnap-alphatest@tarsnap.com mailing list and when it is announced via the tarsnap-announce@tarsnap.com mailing list (this will usually be one week) which were introduced in the new release (i.e., for bugs which are corrected before they get into an announced release).

In addition to the Tarsnap source code, bug bounties will be awarded for bugs found in scrypt, kivaloo, and spiped. Please note that, with the exception of $1 cosmetic errors, these bounties do not apply to the Tarsnap website; in particular, please do not run automated vulnerability scanners against the Tarsnap website — they're annoying and don't produce useful bug reports.

Think you've found a bug? Contact the author (preferably using his GPG key if you think your bug might have security implications). Please put the words "bug bounty" into the subject line of your email.

Past Tarsnap bug bounty recipients are listed here. When reporting a bug, please mention if you would like to remain anonymous.

The fine print

  1. Bounties of under $100 will be awarded as Tarsnap account credits. Bounties of $100 or more will be awarded as Tarsnap account credits or via US dollar cheque depending upon the recipient's preference.
  2. A bounty will only be awarded to the first person who reports a bug, unless two or more people report the same bug at approximately the same time, in which case the bounty might be split between them.
  3. If the same bug appears in multiple files (e.g., when a function is declared in a .h file and when it is implemented in a .c file) it will normally only receive a single bounty.
  4. Reports of security-related bugs are not eligible for bounties if the bugs are publicly disclosed prior to being fixed.
  5. Only the discoverer of a bug is eligible for the associated bounty. (In particular, I'm not going to award bounties to people who just read libarchive commits and forward me bug fixes from there.)
  6. Bounties will not be awarded if it is illegal to do so. Residents of Iran, North Korea, Myanmar, Syria, etc... you know the drill.
  7. The classification of bugs, values of bounties, and conditions under which bounties are paid are subject to change without notice.
  8. Tarsnap Backup Inc. has sole discretion to determine whether a bug report qualifies for a bounty and for which bounty it qualifies.