Celebrating 10 Years of our Bug Bounty Program

If you’re familiar with Coinbase you probably already know that our top priority is the safety and security of our users. We understand that trust is built on dependability, and that’s why we do everything we can to safeguard you, your digital assets, and the Coinbase platform.

One way we do this is through our Bug Bounty Program. We recognize that independent security researchers play a critical role in keeping the public safe from malicious attackers. That’s why we’ve enlisted their help by creating our Bug Bounty Program, which gives external researchers the opportunity to submit vulnerability reports via our bug bounty page for monetary rewards. 

Today, through our Bug Bounty Program, we have enlisted the help of nearly 500 independent researchers who collectively helped us find and fix over 600 bugs. In 2022, we paid out approximately $400k in bounties. 

How it works is simple – Independent security researchers look for security vulnerabilities in our platform. If they find something, they can submit a report in a timely and responsible manner

Number of Submissions YTD (2013-2022)

Total number of YTD submissions 

If the bug is legitimate, our security team takes it from there.  

Number of Valid Submissions YTD (2013-2022)

Valid YTD submission

Our team assesses the nature and severity of the vulnerability by performing an internal analysisIn the case we are unable to replicate an issue; the team will actively engage the researcher to ensure validity. For more critical vulnerabilities, our goal is to implement a mitigation within 24 hours.

We then pay out rewards for the bounty to the software researchers responsible for the disclosure. The average bounty pays $200, but top bounties paid out for the reporting of more severe vulnerabilities range from $2,000 all the way to $250,000. Here's a recent blogpost that gives a deeper look into the timeline of events surrounding the bug report of our highest bounty paid, in the amount of $250,000, for a vulnerability within Coinbase's trading interface.

Over the past 10 years, the Coinbase Bug Bounty program and asset portfolio has also substantially grown. We have increased from a single product offering to supporting our retail and institutional product portfolios. This portfolio includes, but is not limited to our Retail Web/Mobile Application, Wallet Application (Chrome Extension/Mobile) and our new Coinbase Cloud product suite. 

To enhance the understanding of our program and provide additional insight in some of the mechanics and metrics:

Bug Bounty Submissions/Reporting

Our team works around the clock to look into all potential vulnerabilities and actively triage all submissions via HackerOne, our central and unique bug submission platform, which allows us to have a centralized and single reporting source for us to deliver optimized SLA’s and results. All submissions are triaged by a Coinbase engineer, which may differ from other programs and provides someone with domain knowledge during engagement.  Over years, we have evolved from experimenting with external vendors to running our own triage services backed by our security and engineering teams. This has helped us bridge the gap between web 2.0 and web 3.0 knowledge, and assure the best quality of review.

 Bug Bounty Payout Tiers

Our payout tiers for the Bug Bounty Program are competitive and, in some cases, can exceed those of our competitors. Bug Bounty Payouts are defined as minimum payouts per tiers, which does not limit payouts to the minimum value displayed on our program page. This means that any bug classified from low to critical severity, and accepted as valid will be paid starting at a minimum amount based on the actual vs theoretical impact to our environment. 

Celebrating the researchers and our program

For Cybersecurity Awareness Month, and celebrating 10 year of running Bug Bounty program, we’d like to give a special thanks and recognition to the following researchers, who found some of the top bugs to date:

• Tree_of_alpha has earned the  highest bounty to date within our program and was integral in the verification and validation of issues within our environment.  

• Hubblebubble has earned recognition as providing unique and novel vulnerabilities that contribute to push Coinbase security to new heights.  

• Volkk89 has contributed to pushing the limits of our payments endpoints demonstrating a distinguished understanding of transactions. 

• Wkcaj has contributed to identifying unique vulnerabilities within our commerce offering and ensuring our merchants are protected from abuse. 

• Hackerontwowheels who is a part of the UGWST team and has successfully propelled themselves a top earner within a short period of time. 

• ashutosh7 is a long standing member of our program and continues to strive to be one of the top hackers within our program. 

Thanks to the work of independent researchers like those listed above, Coinbase is an even safer and more secure platform today than it was a decade ago when we first launched.

Continuously improving our Bug Bounty Program

We strive to improve our processes to be more in line with the needs of the security researcher community. By working with the larger community our ultimate goal is to make sure that Coinbase remains the most trusted crypto exchange in the world. 

To finalize, we are announcing exciting updates to our bug bounty program. Our hope is with these new changes, more contributors will be rewarded for all their hard work. Stay tuned for more details, but we will be offering increased incentives for critical and high valid reports.  In addition, we are expanding the scope of the program to include non-security related revenue impacting issues in the categories below:

• Fraud Loss - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. 

• Staking Loss - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. 

• MNPI exposure - Issues that provide unfair market advantages to stakeholders trading or holding securities. 

• Third Party integrations - Issues that may impact our corporate environment, brand or disrupt a critical service.

The new issues will have a minimum payout depending on the criticality of the issue, but will have a ceiling commensurate with the impact to the application or service per our bug bounty policy. 

Happy hunting!