Coinbase Pays $30k Bounty for a Critical Vulnerability on its Platform
Coinbase, one of the leading cryptocurrency trading exchanges, submitted a $30k bounty on HackerOne for a fix to a critical issue found on its platform, according to a report by The Next Web published February 13, 2019.
A Severe Vulnerability
According to The Next Web, Coinbase's vulnerability was submitted through a disclosure program on HackerOne, a hacker-powered security consultancy firm. At the time of writing, the issue had already been fixed, according to a Coinbase representative, who was not able to provide any more details.
The official report on the matter is available for internal access only, but considering how fast the exchange acted to submit the bug hunt on HackerOne, the issue must have been pretty severe.
Bug Hunt Rewarding System
Coinbase has its own Bug Bounty Program, launched in 2014, which pays according to the impact of the bug found. Rewards are tiered by impact: $200 for low, $2,000 for medium, $15,000 for high, and $50,000 for critical impact.
Anyone can submit a report when finding a bug. Once the bug report is confirmed, it becomes eligible for a bounty and the hunter who found it is awarded accordingly. Hunters participating in the bug hunt need to abide by certain rules. The Coinbase Bug Bounty Program terms state:
“In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers. Coinbase awards bounties based on the severity of the vulnerability. We determine severity based on two factors: impact and exploitability.”
The bug bounty program includes several terms that specify how the different types of bug submissions should be characterized and rewarded. For a submission to qualify for a critical-impact bounty, several of these terms need to be met.
However, this was not the only issue found by the exchange, as Coinbase also paid three more bounties this week for issues marked as low-impact attack vectors.
Not only Coinbase
While blockchain technology promises to bring the security of the future, that doesn't mean it is safe from critical issues. Similar to this latest bounty, Coinbase also awarded a $10,000 bounty last year. That time the award went to researchers who found a bug that made it possible to reward oneself with all the ether one could get.
Nonetheless, Coinbase is not the only company having issues with its platform, as such problems are present throughout the ecosystem.
Getting Rich through Bug Bounties
According to The Next Web, in 2018 hackers were able to harvest around $878,000 from blockchain-related bug bounties, while EOS developer Block.one has already paid more than $80,000 in bug bounties in 2019 alone.