My apologies for the delayed update. Since my last update we have paid out 4 bounties to researchers who have responsibly and discreetly reported issues to us.

0.5 Dash was paid to a researcher who alerted us to a git repository that was publicly exposed on the dash.org domain, which could be hacked in a way that exposed credentials to access a MySQL database. This was a minor issue since the MySQL database in question did not contain sensitive information that was not salted/hashed. Nonetheless, it is concerning when credentials are exposed. Initially the researcher reported this issue through the Bugcrowd platform, which we received as information-only since the dash.org domain falls outside of the scope of the Bugcrowd program. The researcher followed up with additional information reported directly to the Core Team via email [email protected]. This led to closer examination of the issue and corrective action.

0.5 Dash was paid to a researcher who discovered a bug in a CRM package that was being used on the dash.org domain, which exposed a MySQL database. Like the above issue, this was minor because no sensitive data could be obtained from the database. The CRM package has been disabled.

0.75 Dash was paid to a researcher who reported that we were running an out-of-date version of the Bamboo deployment server, which contained a vulnerability that could compromise Dash binaries. The solution was simply to update the server software.

The above bounties involved only support systems for the Dash Core Team, and did not involve the Dash protocol or wallet software.

On January 17th the Dash Copay wallet for Android, testnet, was added to the Bugcrowd bounty program. Initially the program is launched privately for invited, elite researchers with whom Bugcrowd has established relationships. Over the following weeks, more researchers are invited to the program until we decide to open the program to the public.

Today we paid a $700 bounty through the Bugcrowd platform to a researcher who reported that a function was left in debugging mode, which led to the private key being recorded in a log file upon wallet creation. Because it would be extremely difficult/almost impossible for an attacker to access the log, it was determined that this issue poses very low risk. Nonetheless, a private key should not be recorded in a log. The fix was simple.