


Author Topic: Coinbase Bug Bounty  (Read 13044 times)

Angelina

  • Moderator
  • Experienced Member
  • Posts: 357
Coinbase Bug Bounty
« on: June 14, 2023, 06:53:40 pm »
Submit bug report: https://coinbase.com/security

Introduction
Coinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.
Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).
The Bug Bounty Program directly serves Coinbase's mission by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard our two highest-priority assets (“Sensitive Data”):
Digital and fiat currency balances
Customer information
The Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.
A valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.
New Categories
Updated on October 25, 2022
Fraud Loss - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse.
Staking Loss - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations.
MNPI exposure - Issues that provide unfair market advantages to stakeholders trading or holding securities.
Third Party integrations - Issues that may impact our corporate environment, brand or disrupt a critical service.
Program Policies
Coinbase adheres to and supports the Standard Safe Harbor terms, included herein. We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities. As such, we embrace the standardization of policy language that provides legal protection to security researchers.
Researcher Requirements
Complying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:

Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.
Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.
Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase.
Reporting vulnerabilities with no conditions, demands, or ransom threats.
Coinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies. Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.
Researchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.
Report Evaluation
Coinbase Security
In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers. Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.
A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase awards bounties based on the severity of the vulnerability. We determine severity based on two factors: Impact and Exploitability.
Impact describes the effects of successful exploitation upon Coinbase systems or customers. We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information. Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact. For example:
Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.
Low Impact: Attackers can gain small amounts of unauthorized, low-sensitivity information impacting a subset of users, or slightly impact the accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.
Please see the following guidance on rate limiting submissions:
A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.
A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers.
A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.
Exploitability describes the difficulty of actively exploiting the vulnerability itself. We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.