Coinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.
Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our support form __
The Bug Bounty Program directly serves Coinbase's mission __by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”) :
The Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.
A valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.
Coinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.
If legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.
Please submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy. This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.
We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities. As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the #legalbugbounty __ project __.
Complying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:
Coinbase considers Social Engineering attacks against Coinbase employees be a violation of Program Policies. Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.
In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers. Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.
A report must be a valid, in scope report in order to qualify for a bounty. Coinbase awards bounties based on severity of the vulnerability. We determine severity based on two factors: Impact and Exploitability.
Impact describes the effects of successful exploitation upon Coinbase systems or customers. We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information. Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact. For example:
Exploitability describes the difficulty of actively exploiting the vulnerability itself. We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements. For example:
Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.
Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.
Severity is determined as a combination of Impact and Exploitability. For example:
In order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.
Vulnerability Tier | Reward
Critical | $50,000
High | $15,000
Medium | $2,000
Low | $200
The payouts listed next to each tier are minimum bounties for the tier. Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation. Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.
Previous bounty amounts are not considered precedent for future bounty amounts. Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.
The Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.
Specific domains hosting Coinbase services are provided below:
Please view the scope section for a more detailed list of in-scope and out-of- scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope.
Additionally, all vulnerabilities that require or are related to the following are out of scope:
If you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.
We reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.
The current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.
Contact us if you want more information.