Coinbase clarifies bug bounty policy in response to Uber extortion verdict

Published at: Nov. 30, 2022

In a blog post on November 30, Coinbase sought to clarify its bug bounty program policies in response to the recent Uber data breach verdict.

The company stated that it still welcomes “responsible” disclosure of security issues, but users who abuse this process will not be awarded bug bounties:

“The key word in all of this is ‘responsible’. In the wake of the recent Uber verdict, there is a lot of concern in the industry about bug bounty submissions becoming extortion attempts. At Coinbase, [...] we’ve put a lot of thought into how we operate our bug bounty program to stay on the right side of the law.”

The official Coinbase bug bounty reporting page at HackerOne

The verdict Coinbase was referring to was issued on October 5. Joe Sullivan, former Uber security chief, was found guilty of colluding with attackers to cover up evidence of a data breach, according to a report by the Washington Post. Sullivan had originally claimed that the attackers had submitted the breach as a bug bounty and that the company had paid them as a bug bounty reward.

Tech companies often use bug bounties to encourage white hat hackers to find security vulnerabilities and report them. But the Sullivan verdict has raised the question of how far a bug bounty program can go in awarding prizes to hackers without running afoul of the law itself.

In its post, Coinbase stated that it has encountered some bug bounty participants who claim to have committed criminal actions that would prevent the company from being able to legally make a payout.

For example, a participant submitted multiple emails to the team saying that they had “306 million users data fully dehashed” and a “bypass” to skip the 48-hour waiting period on new devices. According to Coinbase, if this person actually had such information, it would mean that they had accessed customer data beyond what could be considered “good faith” or “accidental.” In such a case, Coinbase would not be able to pay the bounty.

In this particular case, Coinbase said they believed that the participant was making a false claim. The participant did not provide any information that would allow the claim to be verified, so the team ignored the request for a bounty. But even if the person making the claim had been telling the truth, it would have been illegal to pay out the reward to them.

Coinbase also emphasized that threats or other extortion attempts will not result in a bug bounty payout:

“Most important of all — a bug bounty submission can never contain threats or any attempts at extortion. We are always open to paying bounties for legitimate findings. Ransom demands are an entirely different matter.”

The practice of paying bug bounties is sometimes controversial. Critics say that it can encourage malicious behavior, while supporters say it often allows vulnerabilities to be discovered safely. On Oct. 19, an attacker drained the Moola Market DeFi app of $9 million worth of cryptocurrency. But when the developer offered to let the attacker keep $500K as a bug bounty, the attacker returned the other $8.5 million.

A similar attack occurred on the decentralized exchange KyberSwap in September. In this case, the attackers stole $265K, and the developers offered to let them keep 15% of the funds if they would return the rest. Suspects in the case were later identified, but the funds have not been returned, and the hackers appear to still be at large.
