Tarsnap Bug Bounty Recipients
Top bug-hunters
The following individuals have been awarded Tarsnap bug bounties:
Name | Total value | Number of bounties |
Ralph Corderoy | $1039 | 150 |
Taylor R Campbell | $609 | 8 |
Tim Bishop | $320 | 3 |
Kim Gwan Yeong | $300 | 2 |
Rasmus Villemoes | $256 | 39 |
Carlo Teubner | $215 | 12 |
Eyal Itkin | $200 | 2 |
Elamaran Venkatraman | $200 | 1 |
Ryan Govostes | $150 | 2 |
Benjamin Gilbert | $148 | 8 |
Ariel Ben Yehuda | $110 | 2 |
Anand H D | $100 | 1 |
Ian Gallagher | $100 | 1 |
Kyle George | $100 | 1 |
Matthew Seaman | $100 | 1 |
Ralph Smith | $100 | 1 |
Tavis Ormandy | $100 | 1 |
Peter Gijsels | $89 | 36 |
Ross L Richardson | $60 | 11 |
Peter Lloyd | $60 | 3 |
Thomas Klausner | $60 | 2 |
Tony Gies | $60 | 2 |
Shachaf Ben-Kiki | $50 | 22 |
Pedro Ribeiro | $50 | 5 |
Richard Todd | $50 | 1 |
Ted Unangst | $45 | 5 |
Scott Newell | $38 | 29 |
Sean Farrell | $33 | 5 |
Tim van der Molen | $30 | 3 |
Kyle Hubert | $30 | 2 |
Brian St. Pierre | $25 | 7 |
Ville Aine | $21 | 3 |
Nick Hay | $20 | 2 |
Anderson Lizardo | $20 | 1 |
Finn Espen Gundersen | $20 | 1 |
Merijn Verstraaten | $20 | 1 |
Sami Farin | $20 | 1 |
Jamie Landeg Jones | $15 | 2 |
Michael Stevens | $12 | 3 |
Dmitry Chestnykh | $11 | 2 |
Håkon Hitland | $10 | 1 |
Jeff Flowers | $10 | 1 |
Michael Düll | $10 | 1 |
Stephen Martin | $10 | 1 |
Steve Richards | $10 | 1 |
Jim Apple | $7 | 7 |
Eitan Adler | $5 | 5 |
Nathan Baum | $5 | 1 |
Shannon Severance | $5 | 1 |
Hasnain Lakhani | $4 | 4 |
Eike Herzbach | $3 | 3 |
Lars Balker Rasmussen | $3 | 3 |
Christian Brueffer | $2 | 2 |
Rory McNamara | $2 | 2 |
Shawn Smith | $2 | 2 |
Zachary Burt | $2 | 2 |
Andrew Bradford | $1 | 1 |
Austin Anderson | $1 | 1 |
David Browne | $1 | 1 |
Josh Holland | $1 | 1 |
Levi Gross | $1 | 1 |
Martin Koch Andersen | $1 | 1 |
Matt Horan | $1 | 1 |
Matthew Johnson | $1 | 1 |
Nate Theis | $1 | 1 |
Ross Chadwick | $1 | 1 |
Russell Sutherland | $1 | 1 |
Thordur Bjornsson | $1 | 1 |
Anonymous (consolidated) | $12 | 3 |
Major bugs
Name | Value | Fixed in | Bug |
Taylor R Campbell | $500 | 1.0.28 | AES CTR nonce bug |
Minor bugs
Name | Value | Fixed in | Bug |
Kim Gwan Yeong | $200 | 1.0.38 | Double free if the config file has a line with >= 8192 chars |
Tim Bishop | $200 | 1.0.36 | Crash with --dry-run but no --cachedir |
Elamaran Venkatraman | $200 | n/a | Email confirmation bypass |
Eyal Itkin | $100 | 1.0.39 | Division-by-zero bug in scrypt decryption |
Eyal Itkin | $100 | 1.0.39 | Overflow when reading a cpio archive with namelength of FFFFFFFF on 32-bit platforms |
Kim Gwan Yeong | $100 | 1.0.38 | Access to freed memory / double-free during error exit path |
Kyle George | $100 | 1.0.38 | Crash in libarchive subst.c code with tarsnap somespam -t |
Ariel Ben Yehuda | $100 | 1.0.36 | One-byte path buffer overflow |
Benjamin Gilbert | $100 | 1.0.36 | Tarsnap opens devices on linux |
Matthew Seaman | $100 | 1.0.36 | Crash when first DNS lookup performed by tarsnap fails |
Ryan Govostes | $100 | 1.0.36 | Crash when reading a validly signed corrupt archive |
Tim Bishop | $100 | 1.0.35 | Crash in tarsnap 1.0.34 provoked by network failure |
Anand H D | $100 | 1.0.34 | Crash when reading a corrupt key file on 64-bit platforms |
Ralph Smith | $100 | 1.0.32 | Broken --nodump handling on Linux |
Tavis Ormandy | $100 | 1.0.31 | Race condition in key file creation with weak umask |
Ian Gallagher | $100 | n/a | Missing HTML encoding in web interface |
Taylor R Campbell | $80 | n/a | Multiple bugs affecting scrypt out-of-directory builds |
Rasmus Villemoes | $50 | 1.0.40 | Better check for the chunk directory file size |
Ross L Richardson | $50 | 1.0.38 | Report an error for --configfile /no-such-file |
Ryan Govostes | $50 | 1.0.36 | Incorrect error message format strings |
Tony Gies | $50 | 1.0.34 | Terminal settings not restored on ^C during passphrase entry |
Richard Todd | $50 | 1.0.33 | Incorrect handling of --newer on directories |
Carlo Teubner | $50 | 1.0.31 | Possible tarsnap crash in @archive processing with truncated ISO |
Carlo Teubner | $50 | 1.0.30 | Incorrect handling of ~ in tarsnap -s path substitutions |
Carlo Teubner | $50 | 1.0.30 | Possible cachedir corruption if tarsnap is killed at the wrong time |
Ralph Corderoy | $50 | 1.0.30 | Failure to parse base-16 values in mtree files |
Ralph Corderoy | $50 | 1.0.30 | Incorrect overflow handling when parsing base-10 values in mtree files |
Ralph Corderoy | $50 | 1.0.30 | Incorrect overflow handling when parsing base-16 values in mtree files |
Ralph Corderoy | $50 | 1.0.30 | Missing handling of chdir errors when completing directory tree traversal |
Ralph Corderoy | $50 | 1.0.30 | Tarsnap ships with unused parts of libarchive |
Ralph Corderoy | $50 | 1.0.30 | UTF8-to-wchar_t conversion can walk past the end of a corrupt string |
Ralph Corderoy | $50 | 1.0.30 | readdir failure can result in files/directories being silently not archived |
Thomas Klausner | $40 | n/a | Build breakage in scrypt with non-FreeBSD shells |
Benjamin Gilbert | $20 | 1.0.38 | Incorrect include directory search order |
Merijn Verstraaten | $20 | 1.0.36 | Build breakage with paths containing whitespace |
Finn Espen Gundersen | $20 | 1.0.34 | Failure on systems with struct padding (e.g., ARM OABI) |
Ralph Corderoy | $20 | 1.0.30 | Build breakage with out-of-directory builds |
Ralph Corderoy | $20 | 1.0.30 | keygen/keyregen fails incorrectly with --machine '' |
Kyle Hubert | $20 | n/a | Build breakage in spiped and kivaloo |
Shachaf Ben-Kiki | $20 | n/a | Crash in spiped and kivaloo with argc == 0 |
Taylor R Campbell | $20 | n/a | Build breakage in scrypt with out-of-directory builds |
Harmless bugs
Name | Total Value | Number of bounties |
Ralph Corderoy | $560 | 56 |
Rasmus Villemoes | $160 | 16 |
Peter Lloyd | $60 | 3 |
Pedro Ribeiro | $50 | 5 |
Carlo Teubner | $40 | 4 |
Ted Unangst | $40 | 4 |
Tim van der Molen | $30 | 3 |
Benjamin Gilbert | $20 | 2 |
Brian St. Pierre | $20 | 2 |
Nick Hay | $20 | 2 |
Ville Aine | $20 | 2 |
Anderson Lizardo | $20 | 1 |
Sami Farin | $20 | 1 |
Sean Farrell | $20 | 1 |
Thomas Klausner | $20 | 1 |
Tim Bishop | $20 | 1 |
Ariel Ben Yehuda | $10 | 1 |
Dmitry Chestnykh | $10 | 1 |
Håkon Hitland | $10 | 1 |
Jamie Landeg Jones | $10 | 1 |
Jeff Flowers | $10 | 1 |
Kyle Hubert | $10 | 1 |
Michael Düll | $10 | 1 |
Michael Stevens | $10 | 1 |
Peter Gijsels | $10 | 1 |
Scott Newell | $10 | 1 |
Shachaf Ben-Kiki | $10 | 1 |
Stephen Martin | $10 | 1 |
Steve Richards | $10 | 1 |
Tony Gies | $10 | 1 |
Anonymous (consolidated) | $10 | 1 |
Cosmetic errors
Name | Total Value | Number of bounties |
Ralph Corderoy | $89 | 85 |
Peter Gijsels | $79 | 35 |
Rasmus Villemoes | $46 | 22 |
Scott Newell | $28 | 28 |
Carlo Teubner | $25 | 5 |
Shachaf Ben-Kiki | $20 | 20 |
Sean Farrell | $13 | 4 |
Ross L Richardson | $10 | 10 |
Taylor R Campbell | $9 | 5 |
Benjamin Gilbert | $8 | 4 |
Jim Apple | $7 | 7 |
Brian St. Pierre | $5 | 5 |
Eitan Adler | $5 | 5 |
Jamie Landeg Jones | $5 | 1 |
Nathan Baum | $5 | 1 |
Shannon Severance | $5 | 1 |
Ted Unangst | $5 | 1 |
Hasnain Lakhani | $4 | 4 |
Eike Herzbach | $3 | 3 |
Lars Balker Rasmussen | $3 | 3 |
Christian Brueffer | $2 | 2 |
Michael Stevens | $2 | 2 |
Rory McNamara | $2 | 2 |
Shawn Smith | $2 | 2 |
Zachary Burt | $2 | 2 |
Andrew Bradford | $1 | 1 |
Austin Anderson | $1 | 1 |
David Browne | $1 | 1 |
Dmitry Chestnykh | $1 | 1 |
Josh Holland | $1 | 1 |
Levi Gross | $1 | 1 |
Martin Koch Andersen | $1 | 1 |
Matt Horan | $1 | 1 |
Matthew Johnson | $1 | 1 |
Nate Theis | $1 | 1 |
Ross Chadwick | $1 | 1 |
Russell Sutherland | $1 | 1 |
Thordur Bjornsson | $1 | 1 |
Ville Aine | $1 | 1 |
Anonymous (consolidated) | $2 | 2 |