Responsible Disclosure

Because security is of the highest importance at Trustfree Market, we are proud to offer a generous bug bounty program to reward whitehat hackers who would like to disclose security vulnerabilities instead of exploiting them.

We strive to expediently remediate vulnerabilities and notify affected customers, and we are grateful for your time and assistance in helping us better protect our clients and our systems.

If you believe you’ve discovered a bug in our security, please get in touch at security@trustfree.market. We request that you not publicly disclose the issue until it has been addressed.

At our sole discretion we will award the responsible party with an amount between $50.00 and $1,000.00 USD paid out in BTC.

Additionally, we will publish and give accredited attribution on this site to any individual who discloses a security vulnerability to us (if desired); we will never take legal action in regard to the report; and we will keep all relevant and personal information confidential.

Crowdcurity Passed


Realtime Security Disclosure

There have been no reported or discovered security vulnerabilities in 298 days, 2 hours, and 56 minutes.

Total Payouts: $370 USD in Bitcoin

Disclosure Report History

Each report lists: Title, Reported, Severity, Reporter, Vulnerability, Payout (USD), Remediation, Date Fixed.

Full Compromise
Reported: 4/4/2021 | Severity: HIGH | Reporter: Administrator | Payout (USD): $0 | Date Fixed: 4/4/2021
Vulnerability: The entire server was hacked. Hacker seemed interested in using server for weird purposes. Over $100 of easily accessible bitcoin was not stolen. I could not keep him out, he managed to install some backdoor. He was coming from inside our internal host provider and would mess with my firewall and routing. He had database access to pbkdf2 salted passwords and emails. I played with him a few days trying to gather intel to prevent this in the future, but in the end...
Remediation: This forced us to do a full wipe. Regrettably our database was not backed up properly so we have to start over. Sorry for the trouble. We have taken extra precautions against our internal provider's networking, and automated database backups, so this won't happen again.

3rd Party Access to Opening Tabs
Reported: 10/21/2020 | Severity: LOW | Reporter: Muhammad Hassam | Payout (USD): $30 | Date Fixed: 10/25/2020
Vulnerability: Using target="_blank" on 3rd party links passed sensitive JavaScript objects from the site that opened it.
Remediation: Adding rel="noopener" to third party links fixed the issue.

No Limits on Listing Creation
Reported: 6/28/2020 | Severity: LOW-HIGH | Reporter: Tarun Tandon | Payout (USD): $50 | Date Fixed: 7/3/2020
Vulnerability: It was possible to create unlimited listings.
Remediation: Each user is now limited to 5 active listings.

No Limits on Transaction Closing
Reported: 6/27/2020 | Severity: LOW-MEDIUM | Reporter: Anonymous | Payout (USD): $50 | Date Fixed: 7/3/2020
Vulnerability: Transactions could be closed multiple times, leading to email bombs from our notification service.
Remediation: Transactions can only be closed once, and email notifications will only be issued once.

Submission of Unlimited Feedback Ratings
Reported: 6/27/2020 | Severity: LOW-HIGH | Reporter: Anonymous | Payout (USD): $50 | Date Fixed: 7/3/2020
Vulnerability: Multiple ratings could be registered for a single escrow transaction.
Remediation: Only a single feedback rating can be applied to a completed escrow transaction.

No Limits on Purchase Request
Reported: 6/26/2020 | Severity: LOW-HIGH | Reporter: Anonymous | Payout (USD): $50 | Date Fixed: 7/3/2020
Vulnerability: Buyer could request purchase unlimited times, leading to interface pollution and email bombing.
Remediation: Buyers may now only request purchase of a single listing at a time, resulting in only a single email notification.

Lack of DMARC Record Increases Email Forgeability
Reported: 6/26/2020 | Severity: LOW | Reporter: Tarun Tandon | Payout (USD): $30 | Date Fixed: 7/3/2020
Vulnerability: Attackers are able to forge emails from the trustfree.market domain for SOME users using certain affected vulnerable email providers.
Remediation: A DMARC record was installed that instructs email providers to reject emails that do not pass strict security checks.

Authenticated Session Does Not Expire
Reported: 6/26/2020 | Severity: VERY-LOW | Reporter: Tarun Tandon | Payout (USD): $10 | Date Fixed: 7/3/2020
Vulnerability: Authentication cookies remained active after logging out. Severity is low because there is no attack vector to exploit this vulnerability.
Remediation: Authenticated user cookies are now invalidated when the user logs out or the session expires.

Improper Caching of Authenticated Pages
Reported: 6/25/2020 | Severity: MEDIUM-LOW | Reporter: Anonymous | Payout (USD): $100 | Date Fixed: 7/3/2020
Vulnerability: The cache control setting on pages requiring authorization was incorrectly set, allowing sensitive pages to be viewed using the browser's back button after the user logged out.
Remediation: All pages which require authentication will now invalidate the cache, instructing the browser not to display the page if the user. Unauthenticated (public) pages will not have their cache invalidated upon logout, so if you care about someone hitting back and seeing your balance, log out on an authenticated page.
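The two session-related remediations above (invalidating the cookie's session on logout, and sending cache-busting headers only on pages that require authentication) are easy to get subtly wrong, so here is an added worked example of both behaviours. This is illustrative code written for this page, not Trustfree Market's own implementation; the in-memory session store, the /account path prefix used to mark authenticated pages, and the response dictionary format are all assumptions made for the example.

```python
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory session store standing in for a real server-side store
# (assumption for this example; the page does not show the site's own code).
_SESSIONS: Dict[str, Dict] = {}
SESSION_TTL_SECONDS = 3600


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def login(user_id: str, now: Optional[float] = None) -> str:
    """Create a server-side session and return the opaque cookie value to issue."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = {"user": user_id, "expires": _now(now) + SESSION_TTL_SECONDS}
    return token


def current_user(token: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Resolve a cookie value to a user. Unknown, invalidated or expired
    sessions all resolve to None, so a stale cookie in the browser is harmless."""
    if not token:
        return None
    sess = _SESSIONS.get(token)
    if sess is None:
        return None
    if _now(now) >= sess["expires"]:
        _SESSIONS.pop(token, None)  # expired: drop it so it cannot be reused later
        return None
    return sess["user"]


def logout(token: Optional[str]) -> None:
    """Invalidate the session on the server. The browser may keep the cookie
    bytes, but they no longer map to any session (the 'Session Does Not Expire' fix)."""
    if token:
        _SESSIONS.pop(token, None)


def build_response(path: str, token: Optional[str], now: Optional[float] = None) -> Dict:
    """Return a constructed response (status, headers, body) for a request.

    Pages under /account (assumed prefix) require authentication and are sent
    with Cache-Control: no-store so the browser will not serve them from its
    cache via the back button after logout (the 'Improper Caching' fix).
    Public pages remain cacheable, which is why the page advises logging out
    from an authenticated page."""
    user = current_user(token, now)
    authenticated_page = path.startswith("/account")
    if authenticated_page and user is None:
        return {"status": 302,
                "headers": {"Location": "/login", "Cache-Control": "no-store"},
                "body": ""}
    headers: Dict[str, str] = {}
    if authenticated_page:
        headers["Cache-Control"] = "no-store, no-cache, must-revalidate"
        headers["Pragma"] = "no-cache"   # for HTTP/1.0 caches
        headers["Expires"] = "0"
        body = f"balance page for {user}"
    else:
        headers["Cache-Control"] = "public, max-age=300"
        body = "public listing"
    return {"status": 200, "headers": headers, "body": body}


if __name__ == "__main__":
    cookie = login("alice")
    print(build_response("/account/balance", cookie)["headers"])
    logout(cookie)
    # After logout the same cookie value is rejected and redirected to /login.
    print(build_response("/account/balance", cookie)["status"])
```

The important property is that logout removes the session record on the server rather than relying on the browser to discard the cookie, and that the no-store header is decided per page type, not per login state, so an authenticated page is never stored in the browser cache in the first place.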

The following are guidelines for our payout criteria:

$50

Minor security issues that may cause service disruption

This reward will be paid out to individuals who report vulnerabilities that could be used to disrupt service, corrupt listings, mislead users, or degrade the quality of our user experience.

$500

Moderate security issues that could result in lost money

This reward will be paid out to individuals who report vulnerabilities that could be exploited in a way that could cause users to lose funds.

$1000

High security issues involving lost funds or server compromise

This reward will be paid out to individuals who report vulnerabilities that allow full access to our server or database. Any exploit that would allow a user to steal funds or compromise the security of the bitcoins in escrow will qualify for this payout.

To be eligible you must complete the following:

  • Submit your findings to security@trustfree.market. (PGP coming soon)
  • Provide sufficient detail to reproduce the problem and identify the exact area of the issue, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data. If a vulnerability is public, please make sure it is discreet and does not identify us.
  • Do not reveal the problem to others until it has been resolved.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
  • We do not enforce password policies because we believe in letting users choose their own passwords appropriately, since it's THEIR OWN security they are protecting. Additionally, this password is not the one protecting the funds (read the FAQ).