Coinbase is the most trusted place to buy, sell, and manage cryptocurrency. The safety and security of our customers' identities and funds is our top priority. We are constantly improving our security posture, including ongoing updates to our HackerOne Bug Bounty Program.
We've come a long way from our first program at the beginning of the company, when we were paying bounties in bitcoin from coinbase.com/whitehat, to our initial move to the HackerOne platform in October 2014, and our most recent update to our program last fall. This update is our fourth major iteration, and it includes:
- Changed report evaluation from mechanism-driven to severity-driven
- Expanded (quite significantly) the legal assurances we provide to security researchers engaging with our program
- Increased bounty payouts
Severity-Driven Report Evaluation
This update provides a new methodology and a greater level of detail on how we evaluate reports. We hope that this will provide repeatable, fair, transparent, and published reasoning for determining bounties.
We have changed our assessment methodology to move from being mechanism-driven (e.g., XSS or CSRF) to being severity-driven (e.g., improper access to sensitive information or the ability to manipulate account balances). This change aligns the size of our bounties with the potential consequences that an unaddressed security vulnerability could have for Coinbase and our customers.
The change is described at length in our HackerOne Bug Bounty Program, so we only provide a brief summary here.
Coinbase awards bounties based on the severity of the vulnerability. We determine severity based on two factors: Impact and Exploitability.
- Impact describes the effects of successful exploitation upon Coinbase systems or customers. We make this assessment primarily by examining the effects of exploitation on the confidentiality, integrity, or availability of the underlying systems. Vulnerabilities that require considerable response and remediation, or that could result in reputational damage, are also considered to have higher impact.
- Exploitability describes the difficulty of actively exploiting the vulnerability itself. We make this assessment based primarily on the prerequisites for exploitation, including the level of access required, the availability of information necessary for successful exploitation, and the likelihood that required factors outside the attacker's direct control, such as social engineering requirements or timing requirements, will line up.
Expanded Legal Assurance to Researchers
The program update also includes more specific guidance on our Program Policies. The biggest change we've made to our policies is expanding and articulating the legal safeguards we provide to security researchers participating in our bug bounty program.
Security research plays an important role in safeguarding the privacy and security of everyone who uses modern technology. As such, it is equally important for technology companies to play an active role in safeguarding the rights of individuals to tinker with, examine, and probe technology systems.
We have updated our Program Policies to provide strong assurances to researchers that we support and explicitly endorse their efforts to make Coinbase more secure. We have included an explicit promise not to legally pursue any researcher for actions undertaken in good faith under our Bug Bounty Program policies.
We'd like to give a shoutout to Amit Elazari's #legalbugbounty project and to Dropbox for raising the bar for bug bounty programs. Crafting a good program is made significantly easier when other strong examples exist, pushing standards higher.
Best in Class Bounty Levels
As digital currencies surge in value and relevance, so does Coinbase's appeal to attackers. Given that environment, it is important that we stay best in class when it comes to our bounty payouts. We want to ensure we are appropriately incentivizing white hat security research and doing our part to provide a compelling return for a researcher's time and effort.
Our bounty update simplifies bounty tiers and provides higher rewards for many common vulnerabilities. As mentioned above, Coinbase awards bounties based on the severity of a vulnerability, not the mechanism or vulnerability class. In addition to explaining our process for evaluating the severity of a vulnerability, we also believe that researchers should have concrete expectations of the bounties for a particular severity level. For each tier, we are giving examples of reports that would fall into the category.
Critical ($50,000 minimum bounty)
- Remote Code Execution
- Ability to arbitrarily manipulate account balances
High ($15,000 minimum bounty)
- User authentication bypasses
- Privilege escalation allowing unauthorized access to sensitive data or funds
Medium ($2,000 minimum bounty)
- CSRF impacting non-critical settings
- User de-anonymization
Low ($200 minimum bounty)
- Leakage of lower-sensitivity information such as name or email address
- Potential phishing vector that Coinbase has the ability to mitigate