Coinbase Clarifies Bug Bounty Policy In Response To Uber Extortion Verdict


The policy clarification stated that participants cannot make threats, use extortion, or access customer data beyond what is accidental or occurs in good faith.

In a blog post on November 30, Coinbase sought to clarify its bug bounty program policies in response to the recent Uber data breach verdict.

The company stated that it still welcomes “responsible” disclosure of security issues, but users who abuse this process will not be awarded bug bounties:

“The key word in all of this is ‘responsible’. In the wake of the recent Uber verdict, there is a lot of concern in the industry about bug bounty submissions becoming extortion attempts. At Coinbase, […] we’ve put a lot of thought into how we operate our bug bounty program to stay on the right side of the law.”

The official Coinbase bug bounty reporting page at HackerOne

The verdict Coinbase was referring to was issued on October 5. Joe Sullivan, former Uber security chief, was found guilty of colluding with attackers to cover up evidence of a data breach, according to a report by the Washington Post. Sullivan had originally claimed that the attackers had submitted the breach as a bug bounty and that the company had paid them as a bug bounty reward.

Stay in the know on crypto by frequently visiting Crypto News Today

Tech companies often use bug bounties to encourage white hat hackers to find security vulnerabilities and report them. But the Sullivan verdict has raised the question of how far a bug bounty program can go in awarding prizes to hackers without running afoul of the law itself.

In its post, Coinbase stated that it has encountered some bug bounty participants who claim to have committed criminal actions that would prevent the company from being able to legally make a payout.

For example, a participant submitted multiple emails to the team saying that they had “306 million users data fully dehashed” and a “bypass” to skip the 48 hour waiting period on new devices. According to Coinbase, if this person had such information, it would mean that they accessed customer data beyond what could be considered “good faith” or “accidental.” In such a case, Coinbase would not be able to pay the bounty.

In this particular case, Coinbase said they believed that the participant was making a false claim. The participant did not provide any information that would allow the claim to be verified, so the team ignored the request for a bounty. But even if the person making the claim had been telling the truth, it would have been illegal to pay out the reward to them.

Coinbase also emphasized that threats or other extortion attempts will not result in a bug bounty payout:

“Most important of all — a bug bounty submission can never contain threats or any attempts at extortion. We are always open to paying bounties for legitimate findings. Ransom demands are an entirely different matter.”

The practice of paying bug bounties is sometimes controversial. Critics say that it can encourage malicious behavior, while supporters say it often allows vulnerabilities to be discovered safely. On Oct. 19, an attacker drained the Moola Market DeFi app of $9 million worth of cryptocurrency. But when the developer offered to let the attacker keep $500K as a bug bounty, the attacker returned the other $8.5 million.

A similar attack occurred on the decentralized exchange, KyberSwap, in September. In this case, the attackers stole $265K, and the developers offered to let them keep 15% of the funds if they would return the rest. Suspects in the case were later identified, but the funds have not been returned, and the hackers appear to still be at large.CRYPTOCASTER® - DECENTRALIZED FREEDOM!

Please Read Essential Disclaimer Information Here.
© 2024 Crypto Caster provides information. does not provide investment advice. Do your research before taking a market position on the purchase of cryptocurrency and other asset classes. Past performance of any asset is not indicative of future results. All rights reserved.

Contribute to CryptoCaster℠ Via Metamask or favorite wallet. Send Coin/Token to Addresses Provided Below.
Thank you!
BTC – bc1qgdnd752esyl4jv6nhz3ypuzwa6wav9wuzaeg9g
ETH – 0x7D8D76E60bFF59c5295Aa1b39D651f6735D6413D
MATIC – 0x7D8D76E60bFF59c5295Aa1b39D651f6735D6413D
LITECOIN – ltc1qxsgp5fykl0007hnwgl93zr9vngwd2jxwlddvqt

You may also like