In a blog post on November 30, Coinbase sought to clarify its bug bounty program policies in response to the recent Uber data breach verdict.
The company stated that it still welcomes “responsible” disclosure of security issues, but users who abuse this process will not be awarded bug bounties:
“The key word in all of this is ‘responsible’. In the wake of the recent Uber verdict, there is a lot of concern in the industry about bug bounty submissions becoming extortion attempts. At Coinbase, […] we’ve put a lot of thought into how we operate our bug bounty program to stay on the right side of the law.”
The official Coinbase bug bounty reporting page at HackerOne
The verdict Coinbase was referring to was issued on October 5. Joe Sullivan, former Uber security chief, was found guilty of colluding with attackers to cover up evidence of a data breach, according to a report by the Washington Post. Sullivan had originally claimed that the attackers had submitted the breach as a bug bounty and that the company had paid them as a bug bounty reward.
Tech companies often use bug bounties to encourage white hat hackers to find security vulnerabilities and report them. But the Sullivan verdict has raised the question of how far a bug bounty program can go in awarding prizes to hackers without running afoul of the law itself.
In its post, Coinbase stated that it has encountered some bug bounty participants who claim to have committed criminal actions that would prevent the company from being able to legally make a payout.
For example, a participant submitted multiple emails to the team saying that they had “306 million users data fully dehashed” and a “bypass” to skip the 48 hour waiting period on new devices. According to Coinbase, if this person had such information, it would mean that they accessed customer data beyond what could be considered “good faith” or “accidental.” In such a case, Coinbase would not be able to pay the bounty.
In this particular case, Coinbase said they believed that the participant was making a false claim. The participant did not provide any information that would allow the claim to be verified, so the team ignored the request for a bounty. But even if the person making the claim had been telling the truth, it would have been illegal to pay out the reward to them.
Coinbase also emphasized that threats or other extortion attempts will not result in a bug bounty payout:
“Most important of all — a bug bounty…
Click Here to Read the Full Original Article at Cointelegraph.com News…
