Coinbase recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.
Responsible disclosure includes:
In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.
The minimum payout is $100 USD and an entry in our hall of fame for reporting a new security vulnerability which results in a code or configuration change on our part. There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found. Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.
We use the following table as a guideline for determining reward amounts:
|Remote Code Execution||$10,000|
|Significant manipulation of account balance||$5,000|
|XSS/CSRF/Clickjacking affecting sensitive actions ||$5,000|
|Theft of privileged information ||$3,000|
|Partial authentication bypass||$1,000|
|Other XSS (excluding Self-XSS)||$1,000|
|Other vulnerability with clear potential for financial or data loss||$1,000|
|Other CSRF (excluding logout CSRF)||$250|
|Other best practice or defense in depth||$100|
 Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions
 Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent
All services provided by Coinbase are eligible for our bug bounty program, including the Coinbase Wallet, API, Merchant Tools, and Exchange.
In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:
In general, the following would not meet the threshold for severity:
The following domains are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):
Coinbase will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.
By submitting a bug, you agree to be bound by the above rules.
You can disclose a vulnerability by clicking this link: