Coinbase, one of the world’s largest cryptocurrency exchanges, announced it will actively participate in Hackerone’s “Hack the World” project, offering 50,000 USD for a first-place remote code execution. It’s the company’s effort to extend its bug bounty program in hopes of remaining “top-of-[the]-market” with regard to security.
“Coinbase Loves Bug Bounties”
Bug bounties are an increasingly used initiative by businesses to find code issues and security problems through incentivized hacking. Bounty payouts reward hackers to expose companies to problems before potential bad-actors might.
Head of Security for Coinbase, Philip Martin, blogged, “We’re thankful to all the security researchers who have worked hard to find and report vulnerabilities.”
Instead of researchers “facing a choice between using a vulnerability themselves,” he urged, “selling a vulnerability to 3rd parties or giving a vulnerability away for free, bounties present a good, legal, risk-adjusted return for the time invested by a researcher.”
To date, Coinbase has disclosed 73 discovered vulnerabilities.
Mr. Martin emphasized bounties “de-criminalize the actions of good-faith security researchers, while still forbidding malicious hacking.”
Over five years, the exchange has “paid out $176,031 in bounties to 223 researchers across 346 valid reports out of a total of 3101 reports submitted,” Mr. Martin noted.
This year, Coinbase joins a competition hosted by Hackerone, Hack the World. An unsigned blog post stated the venture’s goals as “to help build stronger relationships between our hackers and our customers, reward high signal and high impact reports, and to have some fun along the way by giving out some awesome prizes to our top hackers.”
Sponsors range from Uber, Github, and Airbnb, to Mapbox and Dropbox.
Coinbase is offering “the top 3 most impactful bugs submitted, as part of Hack The World, an additional $10,000, $7,500 and $5,000,” he explained. “‘Most Impactful’ will be judged by the Coinbase security team on a combination of bug severity, system criticality and report quality.”
The company’s Hack the World payouts are ranked as “Remote Code Execution: $50,000; Significant manipulation of account balance: $10,000; XSS/CSRF/Clickjacking affecting sensitive actions: $7,500; Theft of privileged information: $5,000; Partial authentication bypass: $3,000” respectively, among other lesser tasks.
Bitcoin, Safe and Easy
This does not mean storing bitcoin on the exchange is safe. In fact, “there have been months when Coinbase users have been robbed as often as 30 times—a rate of one robbery every single day,” according to Fortune.
CEO Brian Armstrong tells Fortune, “We need to be held to a higher standard because digital currency is so new and interesting and powerful that it is attractive to a lot of people out there to try to steal it.” The exchange holds users’ keys, allowing them ease of access to trading through mere passwords.
Thefts are generally on the customer side, exploiting weaknesses at mobile phone carrier companies such as Sprint and Verizon.
Hack The World competition formally ends on November 18.
What do you think about hacking bounties? Tell us in the comments below!
Images courtesy of Creative Commons, Pixabay, and Coinbase.