The policy clarification stated that participants cannot make threats, use extortion, or access customer data beyond what is accidental or occurs in good faith.
In a blog post on November 30, Coinbase sought to clarify its bug bounty program policies in response to the recent Uber data breach verdict.
The company stated that it still welcomes “responsible” disclosure of security issues, but users who abuse this process will not be awarded bug bounties:
“The key word in all of this is ‘responsible’. In the wake of the recent Uber verdict, there is a lot of concern in the industry about bug bounty submissions becoming extortion attempts. At Coinbase, [...] we’ve put a lot of thought into how we operate our bug bounty program to stay on the right side of the law.”
The official Coinbase bug bounty reporting page at HackerOne
The verdict Coinbase was referring to was issued on October 5. Joe Sullivan, former Uber security chief, was found guilty of colluding with attackers to cover up evidence of a data breach, according to a report by the Washington Post. Sullivan had originally claimed that the attackers had submitted the breach as a bug bounty and that the company had paid them as a bug bounty reward.
Tech companies often use bug bounties to encourage white hat hackers to find security vulnerabilities and report them. But the Sullivan verdict has raised the question of how far a bug bounty program can go in awarding prizes to hackers without running afoul of the law itself.
In its post, Coinbase stated that it has encountered some bug bounty participants who claim to have committed criminal actions that would prevent the company from being able to legally make a payout.
For example, a participant submitted multiple emails to the team saying that they had “306 million users data fully dehashed” and a “bypass” to skip the 48 hour waiting period on new devices. According to Coinbase, if this person had such information, it would mean that they accessed customer data beyond what could be considered “good faith” or “accidental.” In such a case, Coinbase would not be able to pay the bounty.
In this particular case, Coinbase said they believed that the participant was making a false claim. The participant did not provide any information that would allow the claim to be verified, so the team ignored the request for a bounty. But even if the person making the claim had been telling the truth, it would have been illegal to pay out the reward to them.
Coinbase also emphasized that threats or other extortion attempts will not result in a bug bounty payout:
“Most important of all — a bug bounty submission can never contain threats or any attempts at extortion. We are always open to paying bounties for legitimate findings. Ransom demands are an entirely different matter.”
The practice of paying bug bounties is sometimes controversial. Critics say that it can encourage malicious behavior, while supporters say it often allows vulnerabilities to be discovered safely. On Oct. 19, an attacker drained the Moola Market DeFi app of $9 million worth of cryptocurrency. But when the developer offered to let the attacker keep $500K as a bug bounty, the attacker returned the other $8.5 million.
A similar attack occurred on the decentralized exchange, KyberSwap, in September. In this case, the attackers stole $265K, and the developers offered to let them keep 15% of the funds if they would return the rest. Suspects in the case were later identified, but the funds have not been returned, and the hackers appear to still be at large.