Ethics and Bug Bounty Programs

As the most trusted name in crypto, Coinbase is continuously evaluating our platforms and services for cybersecurity vulnerabilities. This is particularly important given the decentralized nature of cryptocurrency.  Once crypto is stolen it can be extremely difficult or impossible to recover it.  Preventing theft and mitigating security vulnerabilities is core to our mission here at Coinbase. 

Coinbase’s cybersecurity team has embraced the role of independent security researchers in our efforts to continuously improve our security posture. By partnering with HackerOne, we welcome the responsible disclosure of security issues that may be present anywhere across our entire suite of products and services.  We encourage security professionals, researchers, and even hobbyists to support the crypto and Web3 community - and we’re more than happy to reward those of you who make positive contributions to our organization!  Over the life of our program we have paid out over $1,000,000 in payments that have directly benefited our mission and the security of our enterprise.

The key word in all of this is “responsible”.  In the wake of the recent Uber verdict, there is a lot of concern in the industry about bug bounty submissions becoming extortion attempts. At Coinbase, we’ve seen the gamut of submissions from best intentions to worst, and we’ve put a lot of thought into how we operate our bug bounty program to stay on the right side of the law. We thought we would share some of the best practices for responsible disclosure, illustrated by a recent (fraudulent) extortion attempt we received, and share some of the red flags to avoid when evaluating or reporting security vulnerabilities.

Irresponsible Disclosure / Abuse - What not to do.

Let’s start by looking at an example of how not to report a vulnerability.  Unfortunately, we regularly see examples of individuals attempting to  game the system, such as using falsified information in an attempt to solicit a fraudulent pay-out.  The below example came into Coinbase over multiple channels, including email and as a bug bounty submission. 

“PLZ DONT IGNORE I DECRYPTED ALL 306 MILLION USERS DATA FULLY DEHASHED EVERYTHING. On my life I have dehashed your guys BCRYPT allowing me access to all 306 million users data.” 

At first blush, that sounds alarming. The reporter continues with:

“I have a bypass to skip your guys’ 48 hour waiting period for new devices” and “All your data in the palm of my hand. I’d love to help but i was offered 450,000 for the exploit for wrong reasons.”

At this point, the reporter is claiming to have knowledge of and access to multiple severe vulnerabilities, any one of which we would certainly want to know about.  The reporter is also claiming to have accessed customer data well beyond any “good faith, accidental violations”, which would be against the law and the terms of our bug bounty. However, the vague nature of the claims as well as the borderline extortion statement at the end raised suspicion right away about the validity of this report.  So our team requested that the reporter provide information to validate the claim.  The reporter was unable to provide any information that would have allowed us to validate this report - and we closed the case.  Often, this can result in an angry response from the fraudulent reporter in an attempt to scare the victim, which is exactly what we saw here: 

“I'm going public with this , I'm speaking with vice news at the moment and cbs news You guys can't ignore me for very long before law suits start rolling in. Have a good day.  Go check Twitter it's begun”

Remember: failing to validate a claim and making any threats of exploitation are sure-fire ways to be denied a bounty payment.  In fact, attempted extortion can create significant legal obstacles to providing any payments at all - even if there is a legitimate vulnerability being reported. In this case, our internal investigation confirmed that this was a baseless extortion attempt.

Responsible Disclosure - How to do things the right way.

When our team evaluates a security vulnerability report, we look for several key characteristics.  First and foremost, does the report provide a detailed description of the potential vulnerability?  We can’t evaluate a submission that lacks sufficient detail.  Does the report demonstrate a path to access potentially sensitive information or provide a way to access crypto or other assets?  Could the issue significantly degrade our services or cause damage to the broader ecosystem? Those reports are likely to be the most successful in our program. While we are always willing to evaluate reports that have less significant exposure, the biggest payouts will always be for the most severe vulnerabilities.

A responsible security researcher will always provide a reasonable amount of time for us to respond to and fix a security issue before disclosing the details to any other party.  In the event that any sensitive data is identified, a responsible researcher will handle that data in a confidential manner and will never enrich themselves using the security vulnerability they have identified - except of course by accepting a well-earned bounty payment!

Most important of all - a bug bounty submission can never contain threats or any attempts at extortion. We are always open to paying bounties for legitimate findings.  Ransom demands are an entirely different matter. Special thanks to our community of security researchers!  We appreciate each and every one of you, and your contributions towards making  the entire crypto and Web3 community a safer place.