
Coinbase handed out a $30K bounty for a critical bug in its systems

That's why we have disclosure programs


Another day, another bug. Cryptocurrency exchange desk Coinbase has handed out a massive $30,000 bug bounty for a critical vulnerability in its systems.

The flaw was logged on February 12 via Coinbase’s vulnerability disclosure program on HackerOne. A Coinbase spokesperson confirmed to Hard Fork the vulnerability has since been fixed, but could not provide any further details about the issue in question.

The vulnerability report is closed to the public, but considering the high bounty of $30,000, it seems the flaw was rather severe.

Currently, Coinbase has a four-tier reward system based on the impact of the bug: $200 for low, $2,000 for medium, $15,000 for high, and $50,000 for critical impact.

“In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers,” the company’s bounty terms stipulate. “Coinbase awards bounties based on severity of the vulnerability. We determine severity based on two factors: impact and exploitability.”

To qualify for a critical impact bounty, a vulnerability must allow attackers to “read or modify sensitive data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.” As far as critical exploitability goes, Coinbase says attackers must be able to “unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.”

For the record, the exchange awarded three more bounties this week, but all of those were marked as low-impact attack vectors.

Blockchain companies can’t catch a break

Despite boasting heightened security capabilities, blockchain and cryptocurrency technologies aren’t immune to bugs.

In a similar case, last year Coinbase gave a $10,000 bounty to researchers who found a vulnerability in its platform that made it possible to reward yourself with unlimited amounts of Ethereum.

Coinbase is hardly the only company dealing with kinks in its system though. Data shared with Hard Fork showed that hackers pocketed $878,000 from blockchain-related bug bounties in 2018.

From the looks of it, the trend is here to stay. Indeed, the developer of EOS has already dished out over $80,000 in bug bounties in 2019 alone.

Published February 13, 2019 — 14:33 UTC