
Updating the Coinbase Bug Bounty Program

By Author, July 20, 2018


Coinbase is the most trusted place to buy, sell, and manage cryptocurrency. The protection and security of our customers’ identities and funds is our top priority. We’re constantly making improvements to our security posture, including ongoing updates to our HackerOne Bug Bounty Program.

We’ve come a long way from our first program at the start of the company when we were paying bounties in bitcoin from, to our initial move to the HackerOne platform in October 2014, and our most recent update to our program last fall. This update is our fourth major iteration, and it includes:

  • Changed report evaluation from mechanism-driven to severity-driven

  • Expanded (quite considerably) the legal assurances we provide to security researchers engaging with our program

  • Increased bounty payouts


Severity-Driven Report Evaluation

This update provides a new methodology and greater level of detail on how we evaluate reports. We hope that this can provide a repeatable, fair, transparent, and published reasoning for determining bounties.

We have changed our assessment methodology to move from being mechanism driven (e.g., XSS or CSRF) to being severity driven (e.g., improper access to sensitive information or ability to manipulate account balance). This change aligns the size of our bounties to the potential consequences that an unaddressed security vulnerability could have on Coinbase and our customers.

The change is described at length in our HackerOne Bug Bounty Program, so we only provide a brief summary here.

Coinbase awards bounties based on severity of the vulnerability. We determine severity based on two factors: Impact and Exploitability.

  • Impact describes the effects of successful exploitation upon Coinbase systems or customers. We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying systems. Vulnerabilities that require considerable response and remediation or could result in reputational damage are also considered to have greater impact.

  • Exploitability describes the difficulty of actively exploiting the vulnerability itself. We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker’s direct control such as social engineering requirements or timing requirements.

Best in Class Bounty Levels

As digital currencies surge in value and relevance, so does Coinbase’s appeal to attackers. Given that environment, it is important we stay best in class when it comes to our bounty payouts. We want to ensure we are appropriately incentivizing white hat security research and doing our part to provide a compelling return for a researcher’s time and effort.

Our bounty update simplifies bounty tiers and provides higher rewards for many common vulnerabilities. As mentioned above, Coinbase awards bounties based on the severity of a vulnerability, not the mechanism or vulnerability class. In addition to explaining our process for evaluating the severity of a vulnerability, we also believe that researchers deserve to have concrete expectations on the bounties for a particular severity level. For each tier, we’re giving examples of reports that would fall into the category.

Critical ($50,000 minimum bounty)

  • Remote Code Execution

  • Ability to arbitrarily manipulate account balances

High ($15,000 minimum bounty)

  • User Authentication bypasses

  • Privilege escalation allowing unauthorized access to sensitive data or funds

Medium ($2,000 minimum bounty)

  • CSRF impacting non-critical settings

  • User de-anonymization

Low ($200 minimum bounty)

  • Leakage of lower sensitivity information such as name or email address

  • Potential phishing vector that Coinbase has the ability to mitigate

We are actively hiring across the board and invite you to take a look at our open positions.
