Coinbase is the most trusted place to buy, sell, and manage cryptocurrency. The protection and security of our customers’ identities and funds is our top priority. We’re constantly making improvements to our security posture, including ongoing updates to our HackerOne Bug Bounty Program.
We’ve come a long way from our first program at the start of the company when we were paying bounties in bitcoin from coinbase.com/whitehat, to our initial move to the HackerOne platform in October 2014, and our most recent update to our program last fall. This update is our fourth major iteration, and it includes:
Changed report evaluation from mechanism-driven to severity-driven
Expanded (quite considerably) the legal assurances we provide to security researchers engaging with our program
Increased bounty payouts
Severity-Driven Report Evaluation
This update provides a new methodology and a greater level of detail on how we evaluate reports. We hope this gives researchers repeatable, fair, transparent, and published reasoning for how bounties are determined.
We have changed our assessment methodology from being mechanism-driven (e.g., XSS or CSRF) to being severity-driven (e.g., improper access to sensitive information or the ability to manipulate account balances). This change aligns the size of our bounties with the potential consequences that an unaddressed security vulnerability could have for Coinbase and our customers.
Coinbase awards bounties based on the severity of the vulnerability. We determine severity based on two factors: Impact and Exploitability.
Impact describes the effects of successful exploitation upon Coinbase systems or customers. We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying systems. Vulnerabilities that require considerable response and remediation or could result in reputational damage are also considered to have greater impact.
Exploitability describes the difficulty of actively exploiting the vulnerability itself. We make this assessment primarily based on the prerequisites for exploitation, including the level of access required, the availability of information critical to successful exploitation, and the likelihood that factors outside the attacker’s direct control, such as social engineering or timing requirements, line up.
Expanded Legal Assurance to Researchers
The program update also includes more specific guidance on our Program Policies. The biggest change we’ve made to our policies is expanding and articulating the legal safeguards we provide to security researchers participating in our bug bounty program.
Security research plays an important role in safeguarding the privacy and security of everyone who uses modern technology. As such, it is equally important for technology companies to play an active role in safeguarding the rights of individuals to tinker with, investigate, and probe technology systems.
We have updated our Program Policies to provide strong assurances to researchers that we support and explicitly endorse their efforts to make Coinbase more secure. We have included an explicit promise not to legally pursue any researcher for activities undertaken in good faith under our Bug Bounty Program policies.
We’d like to give a shout-out to Amit Elazari’s #legalbugbounty project and Dropbox for raising the bar for bug bounty programs. Crafting a good program is made significantly easier when other strong examples exist, pushing standards higher.
Best in Class Bounty Levels
As digital currencies surge in value and relevance, so does Coinbase’s appeal to attackers. Given that environment, it is important we stay best in class when it comes to our bounty payouts. We want to ensure we are appropriately incentivizing white hat security research and doing our part to provide a compelling return for a researcher’s time and effort.
Our bounty update simplifies bounty tiers and provides higher rewards for many common vulnerabilities. As mentioned above, Coinbase awards bounties based on the severity of a vulnerability, not its mechanism or vulnerability class. In addition to explaining our process for evaluating the severity of a vulnerability, we believe that researchers deserve concrete expectations about the bounty for a given severity level. For each tier, we’re giving examples of reports that would fall into that category.
Critical ($50,000 minimum bounty)
Remote Code Execution
Ability to arbitrarily manipulate account balances
High ($15,000 minimum bounty)
User authentication bypasses
Privilege escalation allowing unauthorized access to sensitive data or funds
Medium ($2,000 minimum bounty)
CSRF impacting non-critical settings
Low ($200 minimum bounty)
Leakage of lower sensitivity information such as name or email address
Potential phishing vector that Coinbase has the ability to mitigate