Topic: Coinbase [$200] Bug Bounty

Angelina
Coinbase [$200] Bug Bounty
« on: April 19, 2023, 05:33:59 pm »
Submit bug report: https://coinbase.com/security

Coinbase
Creating an open financial system for the world.

Policy

IMPORTANT UPDATE:
February 8, 2023 Update
We have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap of $1 Million has been implemented. Details of these updates can be found below:
| New Vulnerability Tier(s) | Description | Reward |
|---|---|---|
| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. | Up to $1,000,000 |
Several internal metrics will be used to calculate the validity of an "extreme tier" bug. Careful time and consideration is put into these bug bounty awards. This table entry has been added below in the main program policy.
Updated on October 25, 2022
We have added some new changes to the bug bounty program. We are including new categories that are eligible for bug bounty rewards to our program. We have also added specific examples of what severity ratings different bugs will constitute. The new updated table with severity ratings can be found below.
Introduction
Coinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.
Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).
The Bug Bounty Program directly serves Coinbase's mission by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard the two highest-priority assets (“Sensitive Data”):
Digital and fiat currency balances
Customer information
The Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.
A valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.
New Categories
Updated on October 25, 2022
Fraud Loss - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse.
Staking Loss - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations.
MNPI exposure - Issues that provide unfair market advantages to stakeholders trading or holding securities.
Third Party integrations - Issues that may impact our corporate environment, brand or disrupt a critical service.
Program Policies
Coinbase adheres to and supports the Gold Standard Safe Harbor terms, included herein. We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities. As such, we embrace the standardization of policy language that provides legal protection to security researchers.
Researcher Requirements
Complying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:

Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.
Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.
Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase.
Reporting vulnerabilities with no conditions, demands, or ransom threats.
Coinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies. Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.
Researchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.
Report Evaluation
Coinbase Security
In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers. Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.
A report must be a valid, in scope report in order to qualify for a bounty. Coinbase awards bounties based on severity of the vulnerability. We determine severity based on two factors: Impact and Exploitability.
Impact describes the effects of successful exploitation upon Coinbase systems or customers. We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information. Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact. For example:
Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.
Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as valid reports in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.
Please see the following guidance on rate limiting submissions:
A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.

A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.
Exploitability describes the difficulty of actively exploiting the vulnerability itself. We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.
This table was last updated Oct 25, 2022
| Vulnerability Tier | Description |
|---|---|
| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. |
| Critical | Vulnerabilities that could influence market swings via Coinbase Api or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts |
| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |
| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading crypto currency on Coinbase infrastructure |
| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfiguration or best practices, that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |
In order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.
| Vulnerability Tier | Reward |
|---|---|
| Extreme | $1,000,000 |
| Critical | $50,000 |
| High | $15,000 |
| Medium | $2,000 |
| Low | $200 |
Updated Dec 21, 2022
The payouts listed next to each tier are minimum bounties for the tier. Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation. Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports. The cap for bounty payouts is $1,000,000. Different metrics on severity and impact will be used internally to determine larger bug bounty payouts.
Previous bounty amounts are not considered precedent for future bounty amounts. Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.
Certain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.
Researchers should not attempt to transfer any funds. If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval. A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.
Report Closure
Coinbase reviews all findings that are reported via our Bug Bounty Program. Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter. After all information is aggregated, the report submission goes through an internal review and scoring process. After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.
PLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports. Failure to provide a detailed report will result in delayed triage and/or ticket closure.
The Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.
Specific domains hosting Coinbase services are provided below:
*.coinbase.com (All assets on coinbase.com and subdomains, excepting services provided by third parties)
*.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)
com.coinbase.android (Android: Play Store Coinbase app)
com.coinbase.ios (iOS: App Store Coinbase app)
54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)
*.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.
Please view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope.
Additionally, all vulnerabilities that require or are related to the following are out of scope:
Social engineering
Rate Limiting (Non-critical issues)
Physical security
Non-security-impacting UX issues
Vulnerabilities or weaknesses in third party applications that integrate with Coinbase
Ability to abuse existing banking functionality such as ACH or credit card chargebacks
If you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.
Eligibility
To participate in the Bug Bounty Program you must:
Not be a resident of any country under U.S. sanctions or any country that does not allow participation in these types of programs
Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program
Have permission from your employer to participate
Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.

Fine Print
We reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.
« Last Edit: April 19, 2023, 06:34:42 pm by Angelina »