US-based cryptocurrency exchange Coinbase has recently paid a hacker $30,000 for discovering a critical vulnerability on its platform that, according to a company representative, has already been fixed.
The flaw was logged on February 12 via Coinbase’s Bug Bounty vulnerability disclosure program on HackerOne. HackerOne was started by hackers and security leaders with the aim of making the internet safer, and it partners with the global hacker community to “surface the most relevant security issues of customers before they can be exploited by criminals”.
Coinbase has a reward system in place: a $200 reward for low-severity bugs and up to $50,000 for critical vulnerabilities. The high reward given to the hacker suggests that the recently detected bug was a significant one. This is the fourth bounty handed out by Coinbase in a year. In March 2018, a Dutch company that reported a vulnerability was rewarded with $10,000; however, the average bounty is $100.
Adhere To Responsible Disclosure
The company’s bounty terms stipulate that in order to be deemed valid, a report “must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers”.
They award bounties based on the severity of the vulnerability, which is determined by two factors: impact and exploitability. For a bug to be rated critical, it must allow hackers to “read or modify sensitive data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way”.
They ask researchers to adhere to “Responsible Disclosure” by giving Coinbase a reasonable amount of time to fix any vulnerability before sharing details with anyone else, preserving the confidentiality of Coinbase users, not profiting from the vulnerability (outside of Bug Bounty payments), and reporting vulnerabilities with “no conditions, demands or ransom threats”.