[{"id":3771739,"new_policy":"Coinbase recognizes the importance and value of security researchers' efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n**Note:** This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (\"Sensitive Data\"):\n\n* Digital and fiat currency balances\n* Customer information\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# A Note on AI Generated Reports\n\nWe’ve seen an increase in fully AI generated submissions that lack real-world applicability. While we support the use of AI as a tool to enhance clarity or structure in reports, submissions that rely solely on AI, with no original researcher insight, testing, or validation, do not meet our quality standards. Reports that are clearly automated with no meaningful human input will be immediately closed. We value technical depth, real evidence, and critical thinking. 
AI should support your research, not replace it.\n\n# Web3 bugs\n\nPlease submit all web3 related bugs here on Cantina: https://cantina.xyz/bounties/55316f42-3c5e-4746-9bd0-0f18dcbc344b\n\n# Program Overview\n\nThe Bug Bounty Program covers all software vulnerabilities in services provided by Coinbase, including our open source projects hosted at:\n\n* github.com/coinbase\n* github.com/base\n* github.com/coinbase/cb-mpc\n* github.com/coinbase/cb-mpc-go (bounty ineligible)\n\n# Reward Structure\n\nWe have updated our payout structure with rewards ranging from $200 to $1,000,000 based on severity tiers. We have also combined our severity matrices to make our grading more streamlined and clear to researchers:\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | **Web2**: Vulnerabilities affecting critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys.   |  Up to $1,000,000 | \n| **Critical**      | **Web2**: Vulnerabilities that could influence market swings via Coinbase API or Services, Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts. Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. **Open Source Bugs**: High-severity vulnerabilities affecting common configurations and easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. Private by default; triggers new releases for all supported versions.  
| $50,000 | \n| **High**          | **Web2**: Bypassing Coinbase fee structures impacting the majority of users, PII leaks affecting \u003c15% of users, Bypass of KYC restrictions, 2FA bypass impacting one Coinbase product. Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. **Open Source Bugs**: High-severity vulnerabilities affecting less common configurations or less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | **Web2**: Fee structure bypasses affecting a moderate number of users, Semi-sensitive information leaks affecting \u003c15% of users, Flaws preventing \u003e1000 users from purchasing/trading. Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. **Open Source Bugs**: Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | **Web2**: Financial loss of less than $100,000 for Coinbase owned systems, Default security misconfigurations, Localized exploitation within a constrained environment. Minor monetary impacts to Coinbase. **Open Source Bugs**: Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions.                               
|  $200 |\n\n### Additional Information\n* **Risk Rating System**: We use an internal risk rating system with predefined metrics related to monetary impact to determine final payouts.\n* **PII Leaks**: Evaluated through our internal scoring system based on the specifics of the leaked information and associated risk.\n\n# Base Network\n\nWith the launch of our Layer 2 blockchain Base, we're expanding our scope to address critical vulnerabilities, specifically targeting memory pool information leaks. These vulnerabilities could afford unauthorized access to pending transaction data, exposing sensitive information to MEV searchers.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism). Researchers should also refer to Optimism's bug bounty program [here](https://immunefi.com/bounty/optimism/) for findings that stem from the core framework or protocol.\n\n# CB-MPC (Coinbase Multi-Party Computation) Open Source Release\n\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n\n* Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n* Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. 
Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\nTo keep this bounty focused on issues that affect real integrations, eligible reports should target vulnerabilities reachable through the library's supported public APIs. High-level protocol entry points are exposed via the public C++ headers under include/cbmpc/api/ (e.g., signing, DKG, TDH2).\n\nFor Medium and above, submissions must include a proof-of-concept that triggers the issue through those public APIs. Reports may reference or require fixes in include-internal/ for root cause and impact analysis, but the PoC must not use include-internal/ as the entry point. For MPC protocol-break PoCs, we expect the participating parties to run independently, ideally on separate machines. At least one honest party should use unmodified library code, and the malicious party should interact only through the protocol boundary exposed by the supported public APIs. 
Demo applications and sample code under demo-*, and the C API headers under include/cbmpc/c_api/*, are not in scope for this bug bounty program.\n\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | Open Source Bugs (cb-mpc): not applicable   |  Up to $1,000,000 | \n| **Critical**      | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols (e.g., Signing,  DKG, TDH2 but not lower level APIs) that are easily exploitable and can lead to key compromise. Examples: significant disclosure of sensitive data (key material), remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols that are less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | Open Source Bugs (cb-mpc): Vulnerabilities in less commonly used scenarios or hard to exploit or in lower level cryptographic APIs (e.g., ZKPs, Commitment, etc). Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | Open Source Bugs (cb-mpc):  Non-cryptographic issues including low-level non-cryptographic APIs, crashes, or deprecated cryptographic code. Any vulnerability in code that is released under “beta” is always low. Fixed immediately in latest development versions; may be backported to older versions.                              |  $200 |\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms. 
We believe it is critical to provide these assurances to allow security researchers to fully investigate potential security vulnerabilities.\n\n## Researcher Requirements\n\nResponsible Disclosure includes:\n\n* Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process.\n* Making a good faith effort to preserve the confidentiality and integrity of Coinbase customer data.\n* Not defrauding Coinbase customers or Coinbase itself.\n* Not profiting from vulnerabilities outside of Bug Bounty Program payouts.\n* Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against employees to be a violation of Program Policies. Researchers engaging in such attacks will be banned from the program.\n\nResearchers that engage in extortion attempts will be banned and reported to law enforcement.\n\n# Report Evaluation\n\nA valid report must demonstrate a software vulnerability in a Coinbase service that harms Coinbase or its customers. 
Reports with clear Proof of Concept or specific step-by-step instructions are more effective and more likely to be deemed valid.\nSeverity is determined based on two factors: Impact and Exploitability.\n\n**Impact** describes the effects of successful exploitation upon Coinbase systems or customers, primarily examining effects on confidentiality, integrity, or availability of information.\n\n**Exploitability** describes the difficulty of exploitation, based on prerequisites, level of access required, availability of critical information, and likelihood of alignment of required factors outside the attacker's direct control.\nA report must also follow [HackerOne's Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) and all rules on the Coinbase HackerOne page.\n\n## Note on Rate Limiting submissions:\n\n* A clear bypass must demonstrate access to actual user data or funds, not test accounts.\n* Researchers should be aware that rate limiting exists and has been evaluated internally and by other researchers.\n* Compensating controls should be considered when rating the criticality.\n\n# Report Closure\n\nCoinbase reviews all findings reported via our Bug Bounty Program. If the description is unclear, we will request additional information. After internal review, bugs that are not reproducible, invalid, or informative will be closed.\n\nAfter a bug is paid out, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated, but indicates the ticket has been addressed and a final decision has been made.\n\n**Note**: Researchers must provide detailed information and supporting evidence. 
Reports submitted outside of the HackerOne platform will not be considered for bounty.\n\n# Scope\n\nThe program covers all software vulnerabilities in services provided by Coinbase.\n\n**In-scope domains:**\n\n* .coinbase.com (All assets on coinbase.com and subdomains, excepting third-party services)\n* .cbhq.net (All assets on cbhq.net and subdomains, excepting third-party services)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* .base.org\n* .tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.\n\n**Out of scope:**\n\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries\n* Vulnerabilities in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials by themselves\n\nIf you believe an asset should be in scope, please submit a report explaining why.\n\n# Eligibility\n\nTo participate, you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation\n* Be at least 14 years old with legal capacity to agree to these terms\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member, contractor, or service provider\n\nAll submissions must be through HackerOne.\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports through HackerOne are acceptable but not eligible for bounty awards.\nThe current Bug Bounty Program is v4.2. 
Please also refer to [HackerOne's Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-26T17:44:46.173Z"},{"id":3768187,"new_policy":"Coinbase recognizes the importance and value of security researchers' efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n**Note:** This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (\"Sensitive Data\"):\n\n* Digital and fiat currency balances\n* Customer information\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# A Note on AI Generated Reports\n\nWe’ve seen an increase in fully AI generated submissions that lack real-world applicability. While we support the use of AI as a tool to enhance clarity or structure in reports, submissions that rely solely on AI, with no original researcher insight, testing, or validation, do not meet our quality standards. 
Reports that are clearly automated with no meaningful human input will be immediately closed. We value technical depth, real evidence, and critical thinking. AI should support your research, not replace it.\n\n# Web3 bugs\n\nPlease submit all web3 related bugs here on Cantina: https://cantina.xyz/bounties/55316f42-3c5e-4746-9bd0-0f18dcbc344b\n\n# Program Overview\n\nThe Bug Bounty Program covers all software vulnerabilities in services provided by Coinbase, including our open source projects hosted at:\n\n* github.com/coinbase\n* github.com/base\n* github.com/coinbase/cb-mpc\n\n# Reward Structure\n\nWe have updated our payout structure with rewards ranging from $200 to $1,000,000 based on severity tiers. We have also combined our severity matrices to make our grading more streamlined and clear to researchers:\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | **Web2**: Vulnerabilities affecting critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys.   |  Up to $1,000,000 | \n| **Critical**      | **Web2**: Vulnerabilities that could influence market swings via Coinbase API or Services, Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts. Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. **Open Source Bugs**: High-severity vulnerabilities affecting common configurations and easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. 
Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | **Web2**: Bypassing Coinbase fee structures impacting the majority of users, PII leaks affecting \u003c15% of users, Bypass of KYC restrictions, 2FA bypass impacting one Coinbase product. Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. **Open Source Bugs**: High-severity vulnerabilities affecting less common configurations or less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | **Web2**: Fee structure bypasses affecting a moderate number of users, Semi-sensitive information leaks affecting \u003c15% of users, Flaws preventing \u003e1000 users from purchasing/trading. Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. **Open Source Bugs**: Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | **Web2**: Financial loss of less than $100,000 for Coinbase owned systems, Default security misconfigurations, Localized exploitation within a constrained environment. Minor monetary impacts to Coinbase. **Open Source Bugs**: Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions.                               
|  $200 |\n\n### Additional Information\n* **Risk Rating System**: We use an internal risk rating system with predefined metrics related to monetary impact to determine final payouts.\n* **PII Leaks**: Evaluated through our internal scoring system based on the specifics of the leaked information and associated risk.\n\n# Base Network\n\nWith the launch of our Layer 2 blockchain Base, we're expanding our scope to address critical vulnerabilities, specifically targeting memory pool information leaks. These vulnerabilities could afford unauthorized access to pending transaction data, exposing sensitive information to MEV searchers.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism). Researchers should also refer to Optimism's bug bounty program [here](https://immunefi.com/bounty/optimism/) for findings that stem from the core framework or protocol.\n\n# CB-MPC (Coinbase Multi-Party Computation) Open Source Release\n\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n\n* Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n* Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. 
Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | Open Source Bugs (cb-mpc): not applicable   |  Up to $1,000,000 | \n| **Critical**      | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols (e.g., Signing,  DKG, TDH2 but not lower level APIs) that are easily exploitable and can lead to key compromise. Examples: significant disclosure of sensitive data (key material), remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols that are less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | Open Source Bugs (cb-mpc): Vulnerabilities in less commonly used scenarios or hard to exploit or in lower level cryptographic APIs (e.g., ZKPs, Commitment, etc). Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | Open Source Bugs (cb-mpc):  Non-cryptographic issues including low-level non-cryptographic APIs, crashes, or deprecated cryptographic code. 
Any vulnerability in code that is released under “beta” is always low. Fixed immediately in latest development versions; may be backported to older versions.                              |  $200 |\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms. We believe it is critical to provide these assurances to allow security researchers to fully investigate potential security vulnerabilities.\n\n## Researcher Requirements\n\nResponsible Disclosure includes:\n\n* Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process.\n* Making a good faith effort to preserve the confidentiality and integrity of Coinbase customer data.\n* Not defrauding Coinbase customers or Coinbase itself.\n* Not profiting from vulnerabilities outside of Bug Bounty Program payouts.\n* Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against employees to be a violation of Program Policies. Researchers engaging in such attacks will be banned from the program.\n\nResearchers that engage in extortion attempts will be banned and reported to law enforcement.\n\n# Report Evaluation\n\nA valid report must demonstrate a software vulnerability in a Coinbase service that harms Coinbase or its customers. 
Reports with clear Proof of Concept or specific step-by-step instructions are more effective and more likely to be deemed valid.\nSeverity is determined based on two factors: Impact and Exploitability.\n\n**Impact** describes the effects of successful exploitation upon Coinbase systems or customers, primarily examining effects on confidentiality, integrity, or availability of information.\n\n**Exploitability** describes the difficulty of exploitation, based on prerequisites, level of access required, availability of critical information, and likelihood of alignment of required factors outside the attacker's direct control.\nA report must also follow [HackerOne's Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) and all rules on the Coinbase HackerOne page.\n\n## Note on Rate Limiting submissions:\n\n* A clear bypass must demonstrate access to actual user data or funds, not test accounts.\n* Researchers should be aware that rate limiting exists and has been evaluated internally and by other researchers.\n* Compensating controls should be considered when rating the criticality.\n\n# Report Closure\n\nCoinbase reviews all findings reported via our Bug Bounty Program. If the description is unclear, we will request additional information. After internal review, bugs that are not reproducible, invalid, or informative will be closed.\n\nAfter a bug is paid out, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated, but indicates the ticket has been addressed and a final decision has been made.\n\n**Note**: Researchers must provide detailed information and supporting evidence. 
Reports submitted outside of the HackerOne platform will not be considered for bounty.\n\n# Scope\n\nThe program covers all software vulnerabilities in services provided by Coinbase.\n\n**In-scope domains:**\n\n* .coinbase.com (All assets on coinbase.com and subdomains, excepting third-party services)\n* .cbhq.net (All assets on cbhq.net and subdomains, excepting third-party services)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* .base.org\n* .tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.\n\n**Out of scope:**\n\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries\n* Vulnerabilities in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials by themselves\n\nIf you believe an asset should be in scope, please submit a report explaining why.\n\n# Eligibility\n\nTo participate, you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation\n* Be at least 14 years old with legal capacity to agree to these terms\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member, contractor, or service provider\n\nAll submissions must be through HackerOne.\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports through HackerOne are acceptable but not eligible for bounty awards.\nThe current Bug Bounty Program is v4.2. 
Please also refer to [HackerOne's Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-11T22:28:44.049Z"},{"id":3768001,"new_policy":"Coinbase recognizes the importance and value of security researchers' efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n**Note:** This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (\"Sensitive Data\"):\n\n* Digital and fiat currency balances\n* Customer information\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# A Note on AI Generated Reports\n\nWe’ve seen an increase in fully AI generated submissions that lack real-world applicability. While we support the use of AI as a tool to enhance clarity or structure in reports, submissions that rely solely on AI, with no original researcher insight, testing, or validation, do not meet our quality standards. 
Reports that are clearly automated with no meaningful human input will be immediately closed. We value technical depth, real evidence, and critical thinking. AI should support your research, not replace it.\n\n# NEW UPDATE New Hostname \u0026 Endpoints Files\n\nWe have attached 2 files to our program page. These include Coinbase owned endpoints and hosts in json format. We hope these additional resources allow you to identify additional bugs in our platform. These will be updated regularly.\n{F5188752}\n{F5188753}\n\n# Web3 bugs\n\nPlease submit all web3 related bugs here on Cantina: https://cantina.xyz/bounties/55316f42-3c5e-4746-9bd0-0f18dcbc344b\n\n# Program Overview\n\nThe Bug Bounty Program covers all software vulnerabilities in services provided by Coinbase, including our open source projects hosted at:\n\n* github.com/coinbase\n* github.com/base\n* github.com/coinbase/cb-mpc\n\n# Reward Structure\n\nWe have updated our payout structure with rewards ranging from $200 to $1,000,000 based on severity tiers. We have also combined our severity matrices to make our grading more streamlined and clear to researchers:\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | **Web2**: Vulnerabilities affecting critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys.   |  Up to $1,000,000 | \n| **Critical**      | **Web2**: Vulnerabilities that could influence market swings via Coinbase API or Services, Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts. 
Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. **Open Source Bugs**: High-severity vulnerabilities affecting common configurations and easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | **Web2**: Bypassing Coinbase fee structures impacting the majority of users, PII leaks affecting \u003c15% of users, Bypass of KYC restrictions, 2FA bypass impacting one Coinbase product. Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. **Open Source Bugs**: High-severity vulnerabilities affecting less common configurations or less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | **Web2**: Fee structure bypasses affecting a moderate number of users, Semi-sensitive information leaks affecting \u003c15% of users, Flaws preventing \u003e1000 users from purchasing/trading. Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. **Open Source Bugs**: Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | **Web2**: Financial loss of less than $100,000 for Coinbase owned systems, Default security misconfigurations, Localized exploitation within a constrained environment. Minor monetary impacts to Coinbase. **Open Source Bugs**: Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions.                               
|  $200 |\n\n### Additional Information\n* **Risk Rating System**: We use an internal risk rating system with predefined metrics related to monetary impact to determine final payouts.\n* **PII Leaks**: Evaluated through our internal scoring system based on the specifics of the leaked information and associated risk.\n\n# Base Network\n\nWith the launch of our Layer 2 blockchain Base, we're expanding our scope to address critical vulnerabilities, specifically targeting memory pool information leaks. These vulnerabilities could afford unauthorized access to pending transaction data, exposing sensitive information to MEV searchers.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism). Researchers should also refer to Optimism's bug bounty program [here](https://immunefi.com/bounty/optimism/) for findings that stem from the core framework or protocol.\n\n# CB-MPC (Coinbase Multi-Party Computation) Open Source Release\n\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n\n* Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n* Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. 
Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | Open Source Bugs (cb-mpc): not applicable   |  Up to $1,000,000 | \n| **Critical**      | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols (e.g., Signing,  DKG, TDH2 but not lower level APIs) that are easily exploitable and can lead to key compromise. Examples: significant disclosure of sensitive data (key material), remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols that are less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | Open Source Bugs (cb-mpc): Vulnerabilities in less commonly used scenarios or hard to exploit or in lower level cryptographic APIs (e.g., ZKPs, Commitment, etc). Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | Open Source Bugs (cb-mpc):  Non-cryptographic issues including low-level non-cryptographic APIs, crashes, or deprecated cryptographic code. 
Any vulnerability in code that is released under “beta” is always low. Fixed immediately in latest development versions; may be backported to older versions.                              |  $200 |\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms. We believe it is critical to provide these assurances to allow security researchers to fully investigate potential security vulnerabilities.\n\n## Researcher Requirements\n\nResponsible Disclosure includes:\n\n* Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process.\n* Making a good faith effort to preserve the confidentiality and integrity of Coinbase customer data.\n* Not defrauding Coinbase customers or Coinbase itself.\n* Not profiting from vulnerabilities outside of Bug Bounty Program payouts.\n* Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against employees to be a violation of Program Policies. Researchers engaging in such attacks will be banned from the program.\n\nResearchers that engage in extortion attempts will be banned and reported to law enforcement.\n\n# Report Evaluation\n\nA valid report must demonstrate a software vulnerability in a Coinbase service that harms Coinbase or its customers. 
Reports with clear Proof of Concept or specific step-by-step instructions are more effective and more likely to be deemed valid.\nSeverity is determined based on two factors: Impact and Exploitability.\n\n**Impact** describes the effects of successful exploitation upon Coinbase systems or customers, primarily examining effects on confidentiality, integrity, or availability of information.\n\n**Exploitability** describes the difficulty of exploitation, based on prerequisites, level of access required, availability of critical information, and likelihood of alignment of required factors outside the attacker's direct control.\nA report must also follow [HackerOne's Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) and all rules on the Coinbase HackerOne page.\n\n## Note on Rate Limiting submissions:\n\n* A clear bypass must demonstrate access to actual user data or funds, not test accounts.\n* Researchers should be aware that rate limiting exists and has been evaluated internally and by other researchers.\n* Compensating controls should be considered when rating the criticality.\n\n# Report Closure\n\nCoinbase reviews all findings reported via our Bug Bounty Program. If the description is unclear, we will request additional information. After internal review, bugs that are not reproducible, invalid, or informative will be closed.\n\nAfter a bug is paid out, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated, but indicates the ticket has been addressed and a final decision has been made.\n\n**Note**: Researchers must provide detailed information and supporting evidence. 
Reports submitted outside of the HackerOne platform will not be considered for bounty.\n\n# Scope\n\nThe program covers all software vulnerabilities in services provided by Coinbase.\n\n**In-scope domains:**\n\n* .coinbase.com (All assets on coinbase.com and subdomains, excepting third-party services)\n* .cbhq.net (All assets on cbhq.net and subdomains, excepting third-party services)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* .base.org\n* .tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.\n\n**Out of scope:**\n\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries\n* Vulnerabilities in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials by themselves\n\nIf you believe an asset should be in scope, please submit a report explaining why.\n\n# Eligibility\n\nTo participate, you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation\n* Be at least 14 years old with legal capacity to agree to these terms\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member, contractor, or service provider\n\nAll submissions must be through HackerOne.\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports through HackerOne are acceptable but not eligible for bounty awards.\nThe current Bug Bounty Program is v4.2. 
Please also refer to [HackerOne's Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-05T16:47:10.175Z"},{"id":3768000,"new_policy":"Coinbase recognizes the importance and value of security researchers' efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n**Note:** This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (\"Sensitive Data\"):\n\n* Digital and fiat currency balances\n* Customer information\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# A Note on AI Generated Reports\n\nWe’ve seen an increase in fully AI generated submissions that lack real-world applicability. While we support the use of AI as a tool to enhance clarity or structure in reports, submissions that rely solely on AI, with no original researcher insight, testing, or validation, do not meet our quality standards. 
Reports that are clearly automated with no meaningful human input will be immediately closed. We value technical depth, real evidence, and critical thinking. AI should support your research, not replace it.\n\n# NEW UPDATE New Hostname \u0026 Endpoints Files\n\nWe have attached 2 files to our program page. These include Coinbase owned endpoints and hosts in json format. We hope these additional resources allow you to identify additional bugs in our platform. These will be updated regularly.\n{}\n{}\n\n# Web3 bugs\n\nPlease submit all web3 related bugs here on Cantina: https://cantina.xyz/bounties/55316f42-3c5e-4746-9bd0-0f18dcbc344b\n\n# Program Overview\n\nThe Bug Bounty Program covers all software vulnerabilities in services provided by Coinbase, including our open source projects hosted at:\n\n* github.com/coinbase\n* github.com/base\n* github.com/coinbase/cb-mpc\n\n# Reward Structure\n\nWe have updated our payout structure with rewards ranging from $200 to $1,000,000 based on severity tiers. We have also combined our severity matrices to make our grading more streamlined and clear to researchers:\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | **Web2**: Vulnerabilities affecting critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys.   |  Up to $1,000,000 | \n| **Critical**      | **Web2**: Vulnerabilities that could influence market swings via Coinbase API or Services, Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts. 
Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. **Open Source Bugs**: High-severity vulnerabilities affecting common configurations and easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | **Web2**: Bypassing Coinbase fee structures impacting the majority of users, PII leaks affecting \u003c15% of users, Bypass of KYC restrictions, 2FA bypass impacting one Coinbase product. Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. **Open Source Bugs**: High-severity vulnerabilities affecting less common configurations or less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | **Web2**: Fee structure bypasses affecting a moderate number of users, Semi-sensitive information leaks affecting \u003c15% of users, Flaws preventing \u003e1000 users from purchasing/trading. Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. **Open Source Bugs**: Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | **Web2**: Financial loss of less than $100,000 for Coinbase owned systems, Default security misconfigurations, Localized exploitation within a constrained environment. Minor monetary impacts to Coinbase. **Open Source Bugs**: Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions.                               
|  $200 |\n\n### Additional Information\n* **Risk Rating System**: We use an internal risk rating system with predefined metrics related to monetary impact to determine final payouts.\n* **PII Leaks**: Evaluated through our internal scoring system based on the specifics of the leaked information and associated risk.\n\n# Base Network\n\nWith the launch of our Layer 2 blockchain Base, we're expanding our scope to address critical vulnerabilities, specifically targeting memory pool information leaks. These vulnerabilities could afford unauthorized access to pending transaction data, exposing sensitive information to MEV searchers.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism). Researchers should also refer to Optimism's bug bounty program [here](https://immunefi.com/bounty/optimism/) for findings that stem from the core framework or protocol.\n\n# CB-MPC (Coinbase Multi-Party Computation) Open Source Release\n\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n\n* Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n* Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. 
Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | Open Source Bugs (cb-mpc): not applicable   |  Up to $1,000,000 | \n| **Critical**      | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols (e.g., Signing,  DKG, TDH2 but not lower level APIs) that are easily exploitable and can lead to key compromise. Examples: significant disclosure of sensitive data (key material), remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols that are less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | Open Source Bugs (cb-mpc): Vulnerabilities in less commonly used scenarios or hard to exploit or in lower level cryptographic APIs (e.g., ZKPs, Commitment, etc). Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | Open Source Bugs (cb-mpc):  Non-cryptographic issues including low-level non-cryptographic APIs, crashes, or deprecated cryptographic code. 
Any vulnerability in code that is released under “beta” is always low. Fixed immediately in latest development versions; may be backported to older versions.                              |  $200 |\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms. We believe it is critical to provide these assurances to allow security researchers to fully investigate potential security vulnerabilities.\n\n## Researcher Requirements\n\nResponsible Disclosure includes:\n\n* Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process.\n* Making a good faith effort to preserve the confidentiality and integrity of Coinbase customer data.\n* Not defrauding Coinbase customers or Coinbase itself.\n* Not profiting from vulnerabilities outside of Bug Bounty Program payouts.\n* Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against employees to be a violation of Program Policies. Researchers engaging in such attacks will be banned from the program.\n\nResearchers that engage in extortion attempts will be banned and reported to law enforcement.\n\n# Report Evaluation\n\nA valid report must demonstrate a software vulnerability in a Coinbase service that harms Coinbase or its customers. 
Reports with clear Proof of Concept or specific step-by-step instructions are more effective and more likely to be deemed valid.\nSeverity is determined based on two factors: Impact and Exploitability.\n\n**Impact** describes the effects of successful exploitation upon Coinbase systems or customers, primarily examining effects on confidentiality, integrity, or availability of information.\n\n**Exploitability** describes the difficulty of exploitation, based on prerequisites, level of access required, availability of critical information, and likelihood of alignment of required factors outside the attacker's direct control.\nA report must also follow [HackerOne's Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) and all rules on the Coinbase HackerOne page.\n\n## Note on Rate Limiting submissions:\n\n* A clear bypass must demonstrate access to actual user data or funds, not test accounts.\n* Researchers should be aware that rate limiting exists and has been evaluated internally and by other researchers.\n* Compensating controls should be considered when rating the criticality.\n\n# Report Closure\n\nCoinbase reviews all findings reported via our Bug Bounty Program. If the description is unclear, we will request additional information. After internal review, bugs that are not reproducible, invalid, or informative will be closed.\n\nAfter a bug is paid out, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated, but indicates the ticket has been addressed and a final decision has been made.\n\n**Note**: Researchers must provide detailed information and supporting evidence. 
Reports submitted outside of the HackerOne platform will not be considered for bounty.\n\n# Scope\n\nThe program covers all software vulnerabilities in services provided by Coinbase.\n\n**In-scope domains:**\n\n* .coinbase.com (All assets on coinbase.com and subdomains, excepting third-party services)\n* .cbhq.net (All assets on cbhq.net and subdomains, excepting third-party services)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* .base.org\n* .tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.\n\n**Out of scope:**\n\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries\n* Vulnerabilities in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials by themselves\n\nIf you believe an asset should be in scope, please submit a report explaining why.\n\n# Eligibility\n\nTo participate, you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation\n* Be at least 14 years old with legal capacity to agree to these terms\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member, contractor, or service provider\n\nAll submissions must be through HackerOne.\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports through HackerOne are acceptable but not eligible for bounty awards.\nThe current Bug Bounty Program is v4.2. 
Please also refer to [HackerOne's Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-05T16:46:43.490Z"},{"id":3767997,"new_policy":"Coinbase recognizes the importance and value of security researchers' efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n**Note:** This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (\"Sensitive Data\"):\n\n* Digital and fiat currency balances\n* Customer information\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# A Note on AI Generated Reports\n\nWe’ve seen an increase in fully AI generated submissions that lack real-world applicability. While we support the use of AI as a tool to enhance clarity or structure in reports, submissions that rely solely on AI, with no original researcher insight, testing, or validation, do not meet our quality standards. 
Reports that are clearly automated with no meaningful human input will be immediately closed. We value technical depth, real evidence, and critical thinking. AI should support your research, not replace it.\n\n# NEW UPDATE New Hostname \u0026 Endpoints Files\n\nWe have attached 2 files to our program page. These include Coinbase owned endpoints and hosts in json format. We hope these additional resources allow you to identify additional bugs in our platform. These will be updated regularly.\n{F5188536}\n{F5188537}\n\n# Web3 bugs\n\nPlease submit all web3 related bugs here on Cantina: https://cantina.xyz/bounties/55316f42-3c5e-4746-9bd0-0f18dcbc344b\n\n# Program Overview\n\nThe Bug Bounty Program covers all software vulnerabilities in services provided by Coinbase, including our open source projects hosted at:\n\n* github.com/coinbase\n* github.com/base\n* github.com/coinbase/cb-mpc\n\n# Reward Structure\n\nWe have updated our payout structure with rewards ranging from $200 to $1,000,000 based on severity tiers. We have also combined our severity matrices to make our grading more streamlined and clear to researchers:\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | **Web2**: Vulnerabilities affecting critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys.   |  Up to $1,000,000 | \n| **Critical**      | **Web2**: Vulnerabilities that could influence market swings via Coinbase API or Services, Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts. 
Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. **Open Source Bugs**: High-severity vulnerabilities affecting common configurations and easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | **Web2**: Bypassing Coinbase fee structures impacting the majority of users, PII leaks affecting \u003c15% of users, Bypass of KYC restrictions, 2FA bypass impacting one Coinbase product. Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. **Open Source Bugs**: High-severity vulnerabilities affecting less common configurations or less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | **Web2**: Fee structure bypasses affecting a moderate number of users, Semi-sensitive information leaks affecting \u003c15% of users, Flaws preventing \u003e1000 users from purchasing/trading. Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. **Open Source Bugs**: Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | **Web2**: Financial loss of less than $100,000 for Coinbase owned systems, Default security misconfigurations, Localized exploitation within a constrained environment. Minor monetary impacts to Coinbase. **Open Source Bugs**: Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions.                               
|  $200 |\n\n### Additional Information\n* **Risk Rating System**: We use an internal risk rating system with predefined metrics related to monetary impact to determine final payouts.\n* **PII Leaks**: Evaluated through our internal scoring system based on the specifics of the leaked information and associated risk.\n\n# Base Network\n\nWith the launch of our Layer 2 blockchain Base, we're expanding our scope to address critical vulnerabilities, specifically targeting memory pool information leaks. These vulnerabilities could afford unauthorized access to pending transaction data, exposing sensitive information to MEV searchers.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism). Researchers should also refer to Optimism's bug bounty program [here](https://immunefi.com/bounty/optimism/) for findings that stem from the core framework or protocol.\n\n# CB-MPC (Coinbase Multi-Party Computation) Open Source Release\n\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n\n* Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n* Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. 
Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | Open Source Bugs (cb-mpc): not applicable   |  Up to $1,000,000 | \n| **Critical**      | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols (e.g., Signing,  DKG, TDH2 but not lower level APIs) that are easily exploitable and can lead to key compromise. Examples: significant disclosure of sensitive data (key material), remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols that are less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | Open Source Bugs (cb-mpc): Vulnerabilities in less commonly used scenarios or hard to exploit or in lower level cryptographic APIs (e.g., ZKPs, Commitment, etc). Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | Open Source Bugs (cb-mpc):  Non-cryptographic issues including low-level non-cryptographic APIs, crashes, or deprecated cryptographic code. 
Any vulnerability in code that is released under “beta” is always low. Fixed immediately in latest development versions; may be backported to older versions.                              |  $200 |\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms. We believe it is critical to provide these assurances to allow security researchers to fully investigate potential security vulnerabilities.\n\n## Researcher Requirements\n\nResponsible Disclosure includes:\n\n* Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process.\n* Making a good faith effort to preserve the confidentiality and integrity of Coinbase customer data.\n* Not defrauding Coinbase customers or Coinbase itself.\n* Not profiting from vulnerabilities outside of Bug Bounty Program payouts.\n* Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against employees to be a violation of Program Policies. Researchers engaging in such attacks will be banned from the program.\n\nResearchers that engage in extortion attempts will be banned and reported to law enforcement.\n\n# Report Evaluation\n\nA valid report must demonstrate a software vulnerability in a Coinbase service that harms Coinbase or its customers. 
Reports with clear Proof of Concept or specific step-by-step instructions are more effective and more likely to be deemed valid.\nSeverity is determined based on two factors: Impact and Exploitability.\n\n**Impact** describes the effects of successful exploitation upon Coinbase systems or customers, primarily examining effects on confidentiality, integrity, or availability of information.\n\n**Exploitability** describes the difficulty of exploitation, based on prerequisites, level of access required, availability of critical information, and likelihood of alignment of required factors outside the attacker's direct control.\nA report must also follow [HackerOne's Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) and all rules on the Coinbase HackerOne page.\n\n## Note on Rate Limiting submissions:\n\n* A clear bypass must demonstrate access to actual user data or funds, not test accounts.\n* Researchers should be aware that rate limiting exists and has been evaluated internally and by other researchers.\n* Compensating controls should be considered when rating the criticality.\n\n# Report Closure\n\nCoinbase reviews all findings reported via our Bug Bounty Program. If the description is unclear, we will request additional information. After internal review, bugs that are not reproducible, invalid, or informative will be closed.\n\nAfter a bug is paid out, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated, but indicates the ticket has been addressed and a final decision has been made.\n\n**Note**: Researchers must provide detailed information and supporting evidence. 
Reports submitted outside of the HackerOne platform will not be considered for bounty.\n\n# Scope\n\nThe program covers all software vulnerabilities in services provided by Coinbase.\n\n**In-scope domains:**\n\n* .coinbase.com (All assets on coinbase.com and subdomains, excepting third-party services)\n* .cbhq.net (All assets on cbhq.net and subdomains, excepting third-party services)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* .base.org\n* .tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.\n\n**Out of scope:**\n\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries\n* Vulnerabilities in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials by themselves\n\nIf you believe an asset should be in scope, please submit a report explaining why.\n\n# Eligibility\n\nTo participate, you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation\n* Be at least 14 years old with legal capacity to agree to these terms\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member, contractor, or service provider\n\nAll submissions must be through HackerOne.\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports through HackerOne are acceptable but not eligible for bounty awards.\nThe current Bug Bounty Program is v4.2. 
Please also refer to [HackerOne's Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-05T15:57:37.162Z"},{"id":3767996,"new_policy":"Coinbase recognizes the importance and value of security researchers' efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n**Note:** This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (\"Sensitive Data\"):\n\n* Digital and fiat currency balances\n* Customer information\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# A Note on AI Generated Reports\n\nWe’ve seen an increase in fully AI generated submissions that lack real-world applicability. While we support the use of AI as a tool to enhance clarity or structure in reports, submissions that rely solely on AI, with no original researcher insight, testing, or validation, do not meet our quality standards. 
Reports that are clearly automated with no meaningful human input will be immediately closed. We value technical depth, real evidence, and critical thinking. AI should support your research, not replace it.\n\n# 2026 UPDATE New Hostname \u0026 Endpoints Files\n\nWe have attached 2 files to our program page. These include Coinbase owned endpoints and hosts in json format. We hope these additional resources allow you to identify additional bugs in our platform. These will be updated regularly.\n{F5188536}\n{F5188537}\n\n# Web3 bugs\n\nPlease submit all web3 related bugs here on Cantina: https://cantina.xyz/bounties/55316f42-3c5e-4746-9bd0-0f18dcbc344b\n\n# Program Overview\n\nThe Bug Bounty Program covers all software vulnerabilities in services provided by Coinbase, including our open source projects hosted at:\n\n* github.com/coinbase\n* github.com/base\n* github.com/coinbase/cb-mpc\n\n# Reward Structure\n\nWe have updated our payout structure with rewards ranging from $200 to $1,000,000 based on severity tiers. We have also combined our severity matrices to make our grading more streamlined and clear to researchers:\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | **Web2**: Vulnerabilities affecting critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys.   |  Up to $1,000,000 | \n| **Critical**      | **Web2**: Vulnerabilities that could influence market swings via Coinbase API or Services, Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts. 
Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. **Open Source Bugs**: High-severity vulnerabilities affecting common configurations and easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | **Web2**: Bypassing Coinbase fee structures impacting the majority of users, PII leaks affecting \u003c15% of users, Bypass of KYC restrictions, 2FA bypass impacting one Coinbase product. Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. **Open Source Bugs**: High-severity vulnerabilities affecting less common configurations or less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | **Web2**: Fee structure bypasses affecting a moderate number of users, Semi-sensitive information leaks affecting \u003c15% of users, Flaws preventing \u003e1000 users from purchasing/trading. Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. **Open Source Bugs**: Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | **Web2**: Financial loss of less than $100,000 for Coinbase owned systems, Default security misconfigurations, Localized exploitation within a constrained environment. Minor monetary impacts to Coinbase. **Open Source Bugs**: Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions.                               
|  $200 |\n\n### Additional Information\n* **Risk Rating System**: We use an internal risk rating system with predefined metrics related to monetary impact to determine final payouts.\n* **PII Leaks**: Evaluated through our internal scoring system based on the specifics of the leaked information and associated risk.\n\n# Base Network\n\nWith the launch of our Layer 2 blockchain Base, we're expanding our scope to address critical vulnerabilities, specifically targeting memory pool information leaks. These vulnerabilities could afford unauthorized access to pending transaction data, exposing sensitive information to MEV searchers.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism). Researchers should also refer to Optimism's bug bounty program [here](https://immunefi.com/bounty/optimism/) for findings that stem from the core framework or protocol.\n\n# CB-MPC (Coinbase Multi-Party Computation) Open Source Release\n\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n\n* Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n* Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. 
Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | Open Source Bugs (cb-mpc): not applicable   |  Up to $1,000,000 | \n| **Critical**      | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols (e.g., Signing,  DKG, TDH2 but not lower level APIs) that are easily exploitable and can lead to key compromise. Examples: significant disclosure of sensitive data (key material), remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols that are less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | Open Source Bugs (cb-mpc): Vulnerabilities in less commonly used scenarios or hard to exploit or in lower level cryptographic APIs (e.g., ZKPs, Commitment, etc). Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | Open Source Bugs (cb-mpc):  Non-cryptographic issues including low-level non-cryptographic APIs, crashes, or deprecated cryptographic code. 
Any vulnerability in code that is released under “beta” is always low. Fixed immediately in latest development versions; may be backported to older versions.                              |  $200 |\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms. We believe it is critical to provide these assurances to allow security researchers to fully investigate potential security vulnerabilities.\n\n## Researcher Requirements\n\nResponsible Disclosure includes:\n\n* Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process.\n* Making a good faith effort to preserve the confidentiality and integrity of Coinbase customer data.\n* Not defrauding Coinbase customers or Coinbase itself.\n* Not profiting from vulnerabilities outside of Bug Bounty Program payouts.\n* Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against employees to be a violation of Program Policies. Researchers engaging in such attacks will be banned from the program.\n\nResearchers that engage in extortion attempts will be banned and reported to law enforcement.\n\n# Report Evaluation\n\nA valid report must demonstrate a software vulnerability in a Coinbase service that harms Coinbase or its customers. 
Reports with clear Proof of Concept or specific step-by-step instructions are more effective and more likely to be deemed valid.\nSeverity is determined based on two factors: Impact and Exploitability.\n\n**Impact** describes the effects of successful exploitation upon Coinbase systems or customers, primarily examining effects on confidentiality, integrity, or availability of information.\n\n**Exploitability** describes the difficulty of exploitation, based on prerequisites, level of access required, availability of critical information, and likelihood of alignment of required factors outside the attacker's direct control.\nA report must also follow [HackerOne's Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) and all rules on the Coinbase HackerOne page.\n\n## Note on Rate Limiting submissions:\n\n* A clear bypass must demonstrate access to actual user data or funds, not test accounts.\n* Researchers should be aware that rate limiting exists and has been evaluated internally and by other researchers.\n* Compensating controls should be considered when rating the criticality.\n\n# Report Closure\n\nCoinbase reviews all findings reported via our Bug Bounty Program. If the description is unclear, we will request additional information. After internal review, bugs that are not reproducible, invalid, or informative will be closed.\n\nAfter a bug is paid out, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated, but indicates the ticket has been addressed and a final decision has been made.\n\n**Note**: Researchers must provide detailed information and supporting evidence. 
Reports submitted outside of the HackerOne platform will not be considered for bounty.\n\n# Scope\n\nThe program covers all software vulnerabilities in services provided by Coinbase.\n\n**In-scope domains:**\n\n* .coinbase.com (All assets on coinbase.com and subdomains, excepting third-party services)\n* .cbhq.net (All assets on cbhq.net and subdomains, excepting third-party services)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* .base.org\n* .tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.\n\n**Out of scope:**\n\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries\n* Vulnerabilities in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials by themselves\n\nIf you believe an asset should be in scope, please submit a report explaining why.\n\n# Eligibility\n\nTo participate, you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation\n* Be at least 14 years old with legal capacity to agree to these terms\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member, contractor, or service provider\n\nAll submissions must be through HackerOne.\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports through HackerOne are acceptable but not eligible for bounty awards.\nThe current Bug Bounty Program is v4.2. 
Please also refer to [HackerOne's Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-05T15:56:31.170Z"},{"id":3767995,"new_policy":"Coinbase recognizes the importance and value of security researchers' efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n**Note:** This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (\"Sensitive Data\"):\n\n* Digital and fiat currency balances\n* Customer information\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# A Note on AI Generated Reports\n\nWe’ve seen an increase in fully AI generated submissions that lack real-world applicability. While we support the use of AI as a tool to enhance clarity or structure in reports, submissions that rely solely on AI, with no original researcher insight, testing, or validation, do not meet our quality standards. 
Reports that are clearly automated with no meaningful human input will be immediately closed. We value technical depth, real evidence, and critical thinking. AI should support your research, not replace it.\n\n# 2026 UPDATE: New Hostname/Endpoints Files\n\nWe have attached 2 files to our program page. These include Coinbase owned endpoints and hosts in json format. We hope these additional resources allow you to identify additional bugs in our platform. These will be updated regularly.\n{F5188536}\n{F5188537}\n\n# Web3 bugs\n\nPlease submit all web3 related bugs here on Cantina: https://cantina.xyz/bounties/55316f42-3c5e-4746-9bd0-0f18dcbc344b\n\n# Program Overview\n\nThe Bug Bounty Program covers all software vulnerabilities in services provided by Coinbase, including our open source projects hosted at:\n\n* github.com/coinbase\n* github.com/base\n* github.com/coinbase/cb-mpc\n\n# Reward Structure\n\nWe have updated our payout structure with rewards ranging from $200 to $1,000,000 based on severity tiers. We have also combined our severity matrices to make our grading more streamlined and clear to researchers:\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | **Web2**: Vulnerabilities affecting critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys.   |  Up to $1,000,000 | \n| **Critical**      | **Web2**: Vulnerabilities that could influence market swings via Coinbase API or Services, Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts. 
Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. **Open Source Bugs**: High-severity vulnerabilities affecting common configurations and easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | **Web2**: Bypassing Coinbase fee structures impacting the majority of users, PII leaks affecting \u003c15% of users, Bypass of KYC restrictions, 2FA bypass impacting one Coinbase product. Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. **Open Source Bugs**: High-severity vulnerabilities affecting less common configurations or less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | **Web2**: Fee structure bypasses affecting a moderate number of users, Semi-sensitive information leaks affecting \u003c15% of users, Flaws preventing \u003e1000 users from purchasing/trading. Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. **Open Source Bugs**: Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | **Web2**: Financial loss of less than $100,000 for Coinbase owned systems, Default security misconfigurations, Localized exploitation within a constrained environment. Minor monetary impacts to Coinbase. **Open Source Bugs**: Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions.                               
|  $200 |\n\n### Additional Information\n* **Risk Rating System**: We use an internal risk rating system with predefined metrics related to monetary impact to determine final payouts.\n* **PII Leaks**: Evaluated through our internal scoring system based on the specifics of the leaked information and associated risk.\n\n# Base Network\n\nWith the launch of our Layer 2 blockchain Base, we're expanding our scope to address critical vulnerabilities, specifically targeting memory pool information leaks. These vulnerabilities could afford unauthorized access to pending transaction data, exposing sensitive information to MEV searchers.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism). Researchers should also refer to Optimism's bug bounty program [here](https://immunefi.com/bounty/optimism/) for findings that stem from the core framework or protocol.\n\n# CB-MPC (Coinbase Multi-Party Computation) Open Source Release\n\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n\n* Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n* Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. 
Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | Open Source Bugs (cb-mpc): not applicable   |  Up to $1,000,000 | \n| **Critical**      | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols (e.g., Signing,  DKG, TDH2 but not lower level APIs) that are easily exploitable and can lead to key compromise. Examples: significant disclosure of sensitive data (key material), remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols that are less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | Open Source Bugs (cb-mpc): Vulnerabilities in less commonly used scenarios or hard to exploit or in lower level cryptographic APIs (e.g., ZKPs, Commitment, etc). Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | Open Source Bugs (cb-mpc):  Non-cryptographic issues including low-level non-cryptographic APIs, crashes, or deprecated cryptographic code. 
Any vulnerability in code that is released under “beta” is always low. Fixed immediately in latest development versions; may be backported to older versions.                              |  $200 |\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms. We believe it is critical to provide these assurances to allow security researchers to fully investigate potential security vulnerabilities.\n\n## Researcher Requirements\n\nResponsible Disclosure includes:\n\n* Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process.\n* Making a good faith effort to preserve the confidentiality and integrity of Coinbase customer data.\n* Not defrauding Coinbase customers or Coinbase itself.\n* Not profiting from vulnerabilities outside of Bug Bounty Program payouts.\n* Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against employees to be a violation of Program Policies. Researchers engaging in such attacks will be banned from the program.\n\nResearchers that engage in extortion attempts will be banned and reported to law enforcement.\n\n# Report Evaluation\n\nA valid report must demonstrate a software vulnerability in a Coinbase service that harms Coinbase or its customers. 
Reports with clear Proof of Concept or specific step-by-step instructions are more effective and more likely to be deemed valid.\nSeverity is determined based on two factors: Impact and Exploitability.\n\n**Impact** describes the effects of successful exploitation upon Coinbase systems or customers, primarily examining effects on confidentiality, integrity, or availability of information.\n\n**Exploitability** describes the difficulty of exploitation, based on prerequisites, level of access required, availability of critical information, and likelihood of alignment of required factors outside the attacker's direct control.\nA report must also follow [HackerOne's Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) and all rules on the Coinbase HackerOne page.\n\n## Note on Rate Limiting submissions:\n\n* A clear bypass must demonstrate access to actual user data or funds, not test accounts.\n* Researchers should be aware that rate limiting exists and has been evaluated internally and by other researchers.\n* Compensating controls should be considered when rating the criticality.\n\n# Report Closure\n\nCoinbase reviews all findings reported via our Bug Bounty Program. If the description is unclear, we will request additional information. After internal review, bugs that are not reproducible, invalid, or informative will be closed.\n\nAfter a bug is paid out, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated, but indicates the ticket has been addressed and a final decision has been made.\n\n**Note**: Researchers must provide detailed information and supporting evidence. 
Reports submitted outside of the HackerOne platform will not be considered for bounty.\n\n# Scope\n\nThe program covers all software vulnerabilities in services provided by Coinbase.\n\n**In-scope domains:**\n\n* .coinbase.com (All assets on coinbase.com and subdomains, excepting third-party services)\n* .cbhq.net (All assets on cbhq.net and subdomains, excepting third-party services)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* .base.org\n* .tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.\n\n**Out of scope:**\n\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries\n* Vulnerabilities in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials by themselves\n\nIf you believe an asset should be in scope, please submit a report explaining why.\n\n# Eligibility\n\nTo participate, you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation\n* Be at least 14 years old with legal capacity to agree to these terms\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member, contractor, or service provider\n\nAll submissions must be through HackerOne.\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports through HackerOne are acceptable but not eligible for bounty awards.\nThe current Bug Bounty Program is v4.2. 
Please also refer to [HackerOne's Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-05T15:55:20.414Z"},{"id":3767994,"new_policy":"Coinbase recognizes the importance and value of security researchers' efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n**Note:** This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (\"Sensitive Data\"):\n\n* Digital and fiat currency balances\n* Customer information\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# A Note on AI Generated Reports\n\nWe’ve seen an increase in fully AI generated submissions that lack real-world applicability. While we support the use of AI as a tool to enhance clarity or structure in reports, submissions that rely solely on AI, with no original researcher insight, testing, or validation, do not meet our quality standards. 
Reports that are clearly automated with no meaningful human input will be immediately closed. We value technical depth, real evidence, and critical thinking. AI should support your research, not replace it.\n\n# 2026 UPDATE: New Hostname/Endpoints Files\nWe have attached 2 files to our program page. These include Coinbase owned endpoints and hosts in json format. We hope these additional resources allow you to identify additional bugs in our platform. These will be updated regularly.\n{F5188536}\n{F5188537}\n\n# Web3 bugs\n\nPlease submit all web3 related bugs here on Cantina: https://cantina.xyz/bounties/55316f42-3c5e-4746-9bd0-0f18dcbc344b\n\n# Program Overview\n\nThe Bug Bounty Program covers all software vulnerabilities in services provided by Coinbase, including our open source projects hosted at:\n\n* github.com/coinbase\n* github.com/base\n* github.com/coinbase/cb-mpc\n\n# Reward Structure\n\nWe have updated our payout structure with rewards ranging from $200 to $1,000,000 based on severity tiers. We have also combined our severity matrices to make our grading more streamlined and clear to researchers:\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | **Web2**: Vulnerabilities affecting critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys.   |  Up to $1,000,000 | \n| **Critical**      | **Web2**: Vulnerabilities that could influence market swings via Coinbase API or Services, Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts. 
Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. **Open Source Bugs**: High-severity vulnerabilities affecting common configurations and easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | **Web2**: Bypassing Coinbase fee structures impacting the majority of users, PII leaks affecting \u003c15% of users, Bypass of KYC restrictions, 2FA bypass impacting one Coinbase product. Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. **Open Source Bugs**: High-severity vulnerabilities affecting less common configurations or less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | **Web2**: Fee structure bypasses affecting a moderate number of users, Semi-sensitive information leaks affecting \u003c15% of users, Flaws preventing \u003e1000 users from purchasing/trading. Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. **Open Source Bugs**: Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | **Web2**: Financial loss of less than $100,000 for Coinbase owned systems, Default security misconfigurations, Localized exploitation within a constrained environment. Minor monetary impacts to Coinbase. **Open Source Bugs**: Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions.                               
|  $200 |\n\n### Additional Information\n* **Risk Rating System**: We use an internal risk rating system with predefined metrics related to monetary impact to determine final payouts.\n* **PII Leaks**: Evaluated through our internal scoring system based on the specifics of the leaked information and associated risk.\n\n# Base Network\n\nWith the launch of our Layer 2 blockchain Base, we're expanding our scope to address critical vulnerabilities, specifically targeting memory pool information leaks. These vulnerabilities could afford unauthorized access to pending transaction data, exposing sensitive information to MEV searchers.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism). Researchers should also refer to Optimism's bug bounty program [here](https://immunefi.com/bounty/optimism/) for findings that stem from the core framework or protocol.\n\n# CB-MPC (Coinbase Multi-Party Computation) Open Source Release\n\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n\n* Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n* Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. 
Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | Open Source Bugs (cb-mpc): not applicable   |  Up to $1,000,000 | \n| **Critical**      | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols (e.g., Signing,  DKG, TDH2 but not lower level APIs) that are easily exploitable and can lead to key compromise. Examples: significant disclosure of sensitive data (key material), remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols that are less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | Open Source Bugs (cb-mpc): Vulnerabilities in less commonly used scenarios or hard to exploit or in lower level cryptographic APIs (e.g., ZKPs, Commitment, etc). Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | Open Source Bugs (cb-mpc):  Non-cryptographic issues including low-level non-cryptographic APIs, crashes, or deprecated cryptographic code. 
Any vulnerability in code that is released under “beta” is always low. Fixed immediately in latest development versions; may be backported to older versions.                              |  $200 |\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms. We believe it is critical to provide these assurances to allow security researchers to fully investigate potential security vulnerabilities.\n\n## Researcher Requirements\n\nResponsible Disclosure includes:\n\n* Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process.\n* Making a good faith effort to preserve the confidentiality and integrity of Coinbase customer data.\n* Not defrauding Coinbase customers or Coinbase itself.\n* Not profiting from vulnerabilities outside of Bug Bounty Program payouts.\n* Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against employees to be a violation of Program Policies. Researchers engaging in such attacks will be banned from the program.\n\nResearchers that engage in extortion attempts will be banned and reported to law enforcement.\n\n# Report Evaluation\n\nA valid report must demonstrate a software vulnerability in a Coinbase service that harms Coinbase or its customers. 
Reports with clear Proof of Concept or specific step-by-step instructions are more effective and more likely to be deemed valid.\nSeverity is determined based on two factors: Impact and Exploitability.\n\n**Impact** describes the effects of successful exploitation upon Coinbase systems or customers, primarily examining effects on confidentiality, integrity, or availability of information.\n\n**Exploitability** describes the difficulty of exploitation, based on prerequisites, level of access required, availability of critical information, and likelihood of alignment of required factors outside the attacker's direct control.\nA report must also follow [HackerOne's Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) and all rules on the Coinbase HackerOne page.\n\n## Note on Rate Limiting submissions:\n\n* A clear bypass must demonstrate access to actual user data or funds, not test accounts.\n* Researchers should be aware that rate limiting exists and has been evaluated internally and by other researchers.\n* Compensating controls should be considered when rating the criticality.\n\n# Report Closure\n\nCoinbase reviews all findings reported via our Bug Bounty Program. If the description is unclear, we will request additional information. After internal review, bugs that are not reproducible, invalid, or informative will be closed.\n\nAfter a bug is paid out, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated, but indicates the ticket has been addressed and a final decision has been made.\n\n**Note**: Researchers must provide detailed information and supporting evidence. 
Reports submitted outside of the HackerOne platform will not be considered for bounty.\n\n# Scope\n\nThe program covers all software vulnerabilities in services provided by Coinbase.\n\n**In-scope domains:**\n\n* .coinbase.com (All assets on coinbase.com and subdomains, excepting third-party services)\n* .cbhq.net (All assets on cbhq.net and subdomains, excepting third-party services)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* .base.org\n* .tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.\n\n**Out of scope:**\n\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries\n* Vulnerabilities in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials by themselves\n\nIf you believe an asset should be in scope, please submit a report explaining why.\n\n# Eligibility\n\nTo participate, you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation\n* Be at least 14 years old with legal capacity to agree to these terms\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member, contractor, or service provider\n\nAll submissions must be through HackerOne.\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports through HackerOne are acceptable but not eligible for bounty awards.\nThe current Bug Bounty Program is v4.2. 
Please also refer to [HackerOne's Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-05T15:54:36.105Z"},{"id":3767993,"new_policy":"Coinbase recognizes the importance and value of security researchers' efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n**Note:** This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (\"Sensitive Data\"):\n\n* Digital and fiat currency balances\n* Customer information\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# A Note on AI Generated Reports\n\nWe’ve seen an increase in fully AI generated submissions that lack real-world applicability. While we support the use of AI as a tool to enhance clarity or structure in reports, submissions that rely solely on AI, with no original researcher insight, testing, or validation, do not meet our quality standards. 
Reports that are clearly automated with no meaningful human input will be immediately closed. We value technical depth, real evidence, and critical thinking. AI should support your research, not replace it.\n\n# 2026 UPDATE: New Hostname/Endpoints Files\nWe have attached 2 files to our program page. These include Coinbase owned endpoints and hosts in json format. We hope these additional resources allow you to identify additional bugs in our platform. These will be updated regularly.\n\n# Web3 bugs\n\nPlease submit all web3 related bugs here on Cantina: https://cantina.xyz/bounties/55316f42-3c5e-4746-9bd0-0f18dcbc344b\n\n# Program Overview\n\nThe Bug Bounty Program covers all software vulnerabilities in services provided by Coinbase, including our open source projects hosted at:\n\n* github.com/coinbase\n* github.com/base\n* github.com/coinbase/cb-mpc\n\n# Reward Structure\n\nWe have updated our payout structure with rewards ranging from $200 to $1,000,000 based on severity tiers. We have also combined our severity matrices to make our grading more streamlined and clear to researchers:\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | **Web2**: Vulnerabilities affecting critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys.   |  Up to $1,000,000 | \n| **Critical**      | **Web2**: Vulnerabilities that could influence market swings via Coinbase API or Services, Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts. 
Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. **Open Source Bugs**: High-severity vulnerabilities affecting common configurations and easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | **Web2**: Bypassing Coinbase fee structures impacting the majority of users, PII leaks affecting \u003c15% of users, Bypass of KYC restrictions, 2FA bypass impacting one Coinbase product. Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. **Open Source Bugs**: High-severity vulnerabilities affecting less common configurations or less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | **Web2**: Fee structure bypasses affecting a moderate number of users, Semi-sensitive information leaks affecting \u003c15% of users, Flaws preventing \u003e1000 users from purchasing/trading. Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. **Open Source Bugs**: Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | **Web2**: Financial loss of less than $100,000 for Coinbase owned systems, Default security misconfigurations, Localized exploitation within a constrained environment. Minor monetary impacts to Coinbase. **Open Source Bugs**: Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions.                               
|  $200 |\n\n### Additional Information\n* **Risk Rating System**: We use an internal risk rating system with predefined metrics related to monetary impact to determine final payouts.\n* **PII Leaks**: Evaluated through our internal scoring system based on the specifics of the leaked information and associated risk.\n\n# Base Network\n\nWith the launch of our Layer 2 blockchain Base, we're expanding our scope to address critical vulnerabilities, specifically targeting memory pool information leaks. These vulnerabilities could afford unauthorized access to pending transaction data, exposing sensitive information to MEV searchers.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism). Researchers should also refer to Optimism's bug bounty program [here](https://immunefi.com/bounty/optimism/) for findings that stem from the core framework or protocol.\n\n# CB-MPC (Coinbase Multi-Party Computation) Open Source Release\n\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n\n* Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n* Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. 
Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | Open Source Bugs (cb-mpc): not applicable   |  Up to $1,000,000 | \n| **Critical**      | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols (e.g., Signing,  DKG, TDH2 but not lower level APIs) that are easily exploitable and can lead to key compromise. Examples: significant disclosure of sensitive data (key material), remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols that are less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | Open Source Bugs (cb-mpc): Vulnerabilities in less commonly used scenarios or hard to exploit or in lower level cryptographic APIs (e.g., ZKPs, Commitment, etc). Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | Open Source Bugs (cb-mpc):  Non-cryptographic issues including low-level non-cryptographic APIs, crashes, or deprecated cryptographic code. 
Any vulnerability in code that is released under “beta” is always low. Fixed immediately in latest development versions; may be backported to older versions.                              |  $200 |\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms. We believe it is critical to provide these assurances to allow security researchers to fully investigate potential security vulnerabilities.\n\n## Researcher Requirements\n\nResponsible Disclosure includes:\n\n* Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process.\n* Making a good faith effort to preserve the confidentiality and integrity of Coinbase customer data.\n* Not defrauding Coinbase customers or Coinbase itself.\n* Not profiting from vulnerabilities outside of Bug Bounty Program payouts.\n* Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against employees to be a violation of Program Policies. Researchers engaging in such attacks will be banned from the program.\n\nResearchers that engage in extortion attempts will be banned and reported to law enforcement.\n\n# Report Evaluation\n\nA valid report must demonstrate a software vulnerability in a Coinbase service that harms Coinbase or its customers. 
Reports with clear Proof of Concept or specific step-by-step instructions are more effective and more likely to be deemed valid.\nSeverity is determined based on two factors: Impact and Exploitability.\n\n**Impact** describes the effects of successful exploitation upon Coinbase systems or customers, primarily examining effects on confidentiality, integrity, or availability of information.\n\n**Exploitability** describes the difficulty of exploitation, based on prerequisites, level of access required, availability of critical information, and likelihood of alignment of required factors outside the attacker's direct control.\nA report must also follow [HackerOne's Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) and all rules on the Coinbase HackerOne page.\n\n## Note on Rate Limiting submissions:\n\n* A clear bypass must demonstrate access to actual user data or funds, not test accounts.\n* Researchers should be aware that rate limiting exists and has been evaluated internally and by other researchers.\n* Compensating controls should be considered when rating the criticality.\n\n# Report Closure\n\nCoinbase reviews all findings reported via our Bug Bounty Program. If the description is unclear, we will request additional information. After internal review, bugs that are not reproducible, invalid, or informative will be closed.\n\nAfter a bug is paid out, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated, but indicates the ticket has been addressed and a final decision has been made.\n\n**Note**: Researchers must provide detailed information and supporting evidence. 
Reports submitted outside of the HackerOne platform will not be considered for bounty.\n\n# Scope\n\nThe program covers all software vulnerabilities in services provided by Coinbase.\n\n**In-scope domains:**\n\n* .coinbase.com (All assets on coinbase.com and subdomains, excepting third-party services)\n* .cbhq.net (All assets on cbhq.net and subdomains, excepting third-party services)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* .base.org\n* .tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.\n\n**Out of scope:**\n\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries\n* Vulnerabilities in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials by themselves\n\nIf you believe an asset should be in scope, please submit a report explaining why.\n\n# Eligibility\n\nTo participate, you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation\n* Be at least 14 years old with legal capacity to agree to these terms\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member, contractor, or service provider\n\nAll submissions must be through HackerOne.\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports through HackerOne are acceptable but not eligible for bounty awards.\nThe current Bug Bounty Program is v4.2. 
Please also refer to [HackerOne's Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-05T15:53:08.962Z"},{"id":3767125,"new_policy":"Coinbase recognizes the importance and value of security researchers' efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n**Note:** This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (\"Sensitive Data\"):\n\n* Digital and fiat currency balances\n* Customer information\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# A Note on AI Generated Reports\n\nWe’ve seen an increase in fully AI generated submissions that lack real-world applicability. While we support the use of AI as a tool to enhance clarity or structure in reports, submissions that rely solely on AI, with no original researcher insight, testing, or validation, do not meet our quality standards. 
Reports that are clearly automated with no meaningful human input will be immediately closed. We value technical depth, real evidence, and critical thinking. AI should support your research, not replace it.\n\n# Web3 bugs\n\nPlease submit all web3 related bugs here on Cantina: https://cantina.xyz/bounties/55316f42-3c5e-4746-9bd0-0f18dcbc344b\n\n# Program Overview\n\nThe Bug Bounty Program covers all software vulnerabilities in services provided by Coinbase, including our open source projects hosted at:\n\n* github.com/coinbase\n* github.com/base\n* github.com/coinbase/cb-mpc\n\n# Reward Structure\n\nWe have updated our payout structure with rewards ranging from $200 to $1,000,000 based on severity tiers. We have also combined our severity matrices to make our grading more streamlined and clear to researchers:\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | **Web2**: Vulnerabilities affecting critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys.   |  Up to $1,000,000 | \n| **Critical**      | **Web2**: Vulnerabilities that could influence market swings via Coinbase API or Services, Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts. Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. **Open Source Bugs**: High-severity vulnerabilities affecting common configurations and easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. 
Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | **Web2**: Bypassing Coinbase fee structures impacting the majority of users, PII leaks affecting \u003c15% of users, Bypass of KYC restrictions, 2FA bypass impacting one Coinbase product. Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. **Open Source Bugs**: High-severity vulnerabilities affecting less common configurations or less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | **Web2**: Fee structure bypasses affecting a moderate number of users, Semi-sensitive information leaks affecting \u003c15% of users, Flaws preventing \u003e1000 users from purchasing/trading. Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. **Open Source Bugs**: Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | **Web2**: Financial loss of less than $100,000 for Coinbase owned systems, Default security misconfigurations, Localized exploitation within a constrained environment. Minor monetary impacts to Coinbase. **Open Source Bugs**: Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions.                               
|  $200 |\n\n### Additional Information\n* **Risk Rating System**: We use an internal risk rating system with predefined metrics related to monetary impact to determine final payouts.\n* **PII Leaks**: Evaluated through our internal scoring system based on the specifics of the leaked information and associated risk.\n\n# Base Network\n\nWith the launch of our Layer 2 blockchain Base, we're expanding our scope to address critical vulnerabilities, specifically targeting memory pool information leaks. These vulnerabilities could afford unauthorized access to pending transaction data, exposing sensitive information to MEV searchers.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism). Researchers should also refer to Optimism's bug bounty program [here](https://immunefi.com/bounty/optimism/) for findings that stem from the core framework or protocol.\n\n# CB-MPC (Coinbase Multi-Party Computation) Open Source Release\n\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n\n* Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n* Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. 
Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | Open Source Bugs (cb-mpc): not applicable   |  Up to $1,000,000 | \n| **Critical**      | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols (e.g., Signing,  DKG, TDH2 but not lower level APIs) that are easily exploitable and can lead to key compromise. Examples: significant disclosure of sensitive data (key material), remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols that are less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | Open Source Bugs (cb-mpc): Vulnerabilities in less commonly used scenarios or hard to exploit or in lower level cryptographic APIs (e.g., ZKPs, Commitment, etc). Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | Open Source Bugs (cb-mpc):  Non-cryptographic issues including low-level non-cryptographic APIs, crashes, or deprecated cryptographic code. 
Any vulnerability in code that is released under “beta” is always low. Fixed immediately in latest development versions; may be backported to older versions.                              |  $200 |\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms. We believe it is critical to provide these assurances to allow security researchers to fully investigate potential security vulnerabilities.\n\n## Researcher Requirements\n\nResponsible Disclosure includes:\n\n* Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process.\n* Making a good faith effort to preserve the confidentiality and integrity of Coinbase customer data.\n* Not defrauding Coinbase customers or Coinbase itself.\n* Not profiting from vulnerabilities outside of Bug Bounty Program payouts.\n* Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against employees to be a violation of Program Policies. Researchers engaging in such attacks will be banned from the program.\n\nResearchers that engage in extortion attempts will be banned and reported to law enforcement.\n\n# Report Evaluation\n\nA valid report must demonstrate a software vulnerability in a Coinbase service that harms Coinbase or its customers. 
Reports with clear Proof of Concept or specific step-by-step instructions are more effective and more likely to be deemed valid.\nSeverity is determined based on two factors: Impact and Exploitability.\n\n**Impact** describes the effects of successful exploitation upon Coinbase systems or customers, primarily examining effects on confidentiality, integrity, or availability of information.\n\n**Exploitability** describes the difficulty of exploitation, based on prerequisites, level of access required, availability of critical information, and likelihood of alignment of required factors outside the attacker's direct control.\nA report must also follow [HackerOne's Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) and all rules on the Coinbase HackerOne page.\n\n## Note on Rate Limiting submissions:\n\n* A clear bypass must demonstrate access to actual user data or funds, not test accounts.\n* Researchers should be aware that rate limiting exists and has been evaluated internally and by other researchers.\n* Compensating controls should be considered when rating the criticality.\n\n# Report Closure\n\nCoinbase reviews all findings reported via our Bug Bounty Program. If the description is unclear, we will request additional information. After internal review, bugs that are not reproducible, invalid, or informative will be closed.\n\nAfter a bug is paid out, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated, but indicates the ticket has been addressed and a final decision has been made.\n\n**Note**: Researchers must provide detailed information and supporting evidence. 
Reports submitted outside of the HackerOne platform will not be considered for bounty.\n\n# Scope\n\nThe program covers all software vulnerabilities in services provided by Coinbase.\n\n**In-scope domains:**\n\n* .coinbase.com (All assets on coinbase.com and subdomains, excepting third-party services)\n* .cbhq.net (All assets on cbhq.net and subdomains, excepting third-party services)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* .base.org\n* .tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.\n\n**Out of scope:**\n\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries\n* Vulnerabilities in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials by themselves\n\nIf you believe an asset should be in scope, please submit a report explaining why.\n\n# Eligibility\n\nTo participate, you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation\n* Be at least 14 years old with legal capacity to agree to these terms\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member, contractor, or service provider\n\nAll submissions must be through HackerOne.\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports through HackerOne are acceptable but not eligible for bounty awards.\nThe current Bug Bounty Program is v4.2. 
Please also refer to [HackerOne's Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-08T17:45:10.496Z"},{"id":3767117,"new_policy":"Coinbase recognizes the importance and value of security researchers' efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n**Note:** This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (\"Sensitive Data\"):\n\n* Digital and fiat currency balances\n* Customer information\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# A Note on AI Generated Reports\n\nWe’ve seen an increase in fully AI generated submissions that lack real-world applicability. While we support the use of AI as a tool to enhance clarity or structure in reports, submissions that rely solely on AI, with no original researcher insight, testing, or validation, do not meet our quality standards. 
Reports that are clearly automated with no meaningful human input will be immediately closed. We value technical depth, real evidence, and critical thinking. AI should support your research, not replace it.\n\n# Zero Days\n\nWhen a zero-day vulnerability is publicly disclosed, Coinbase requires a 2-week period before accepting reports related to that specific vulnerability. This window allows our security team adequate time to assess the impact, develop remediation strategies, and implement necessary fixes across our infrastructure. We appreciate the security research community's understanding that duplicate reports during this period may not be eligible for bounty rewards, as our focus shifts to rapid response and remediation of the disclosed issue.\n\nThis policy strikes a balance between acknowledging researchers' efforts while giving your team breathing room to respond effectively to critical disclosures.\n\n\n# Web3 bugs\n\nPlease submit all web3 related bugs here on Cantina: https://cantina.xyz/bounties/55316f42-3c5e-4746-9bd0-0f18dcbc344b\n\n# Program Overview\n\nThe Bug Bounty Program covers all software vulnerabilities in services provided by Coinbase, including our open source projects hosted at:\n\n* github.com/coinbase\n* github.com/base\n* github.com/coinbase/cb-mpc\n\n# Reward Structure\n\nWe have updated our payout structure with rewards ranging from $200 to $1,000,000 based on severity tiers. We have also combined our severity matrices to make our grading more streamlined and clear to researchers:\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | **Web2**: Vulnerabilities affecting critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys.   
|  Up to $1,000,000 | \n| **Critical**      | **Web2**: Vulnerabilities that could influence market swings via Coinbase API or Services, Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts. Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. **Open Source Bugs**: High-severity vulnerabilities affecting common configurations and easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | **Web2**: Bypassing Coinbase fee structures impacting the majority of users, PII leaks affecting \u003c15% of users, Bypass of KYC restrictions, 2FA bypass impacting one Coinbase product. Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. **Open Source Bugs**: High-severity vulnerabilities affecting less common configurations or less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | **Web2**: Fee structure bypasses affecting a moderate number of users, Semi-sensitive information leaks affecting \u003c15% of users, Flaws preventing \u003e1000 users from purchasing/trading. Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. **Open Source Bugs**: Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates.            
|  $2,000 |\n| **Low**           | **Web2**: Financial loss of less than $100,000 for Coinbase owned systems, Default security misconfigurations, Localized exploitation within a constrained environment. Minor monetary impacts to Coinbase. **Open Source Bugs**: Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions.                               |  $200 |\n\n### Additional Information\n* **Risk Rating System**: We use an internal risk rating system with predefined metrics related to monetary impact to determine final payouts.\n* **PII Leaks**: Evaluated through our internal scoring system based on the specifics of the leaked information and associated risk.\n\n# Base Network\n\nWith the launch of our Layer 2 blockchain Base, we're expanding our scope to address critical vulnerabilities, specifically targeting memory pool information leaks. These vulnerabilities could afford unauthorized access to pending transaction data, exposing sensitive information to MEV searchers.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism). Researchers should also refer to Optimism's bug bounty program [here](https://immunefi.com/bounty/optimism/) for findings that stem from the core framework or protocol.\n\n# CB-MPC (Coinbase Multi-Party Computation) Open Source Release\n\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. 
This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n\n* Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n* Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | Open Source Bugs (cb-mpc): not applicable   |  Up to $1,000,000 | \n| **Critical**      | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols (e.g., Signing,  DKG, TDH2 but not lower level APIs) that are easily exploitable and can lead to key compromise. Examples: significant disclosure of sensitive data (key material), remote code execution. 
Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols that are less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | Open Source Bugs (cb-mpc): Vulnerabilities in less commonly used scenarios or hard to exploit or in lower level cryptographic APIs (e.g., ZKPs, Commitment, etc). Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | Open Source Bugs (cb-mpc):  Non-cryptographic issues including low-level non-cryptographic APIs, crashes, or deprecated cryptographic code. Any vulnerability in code that is released under “beta” is always low. Fixed immediately in latest development versions; may be backported to older versions.                              |  $200 |\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms. We believe it is critical to provide these assurances to allow security researchers to fully investigate potential security vulnerabilities.\n\n## Researcher Requirements\n\nResponsible Disclosure includes:\n\n* Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process.\n* Making a good faith effort to preserve the confidentiality and integrity of Coinbase customer data.\n* Not defrauding Coinbase customers or Coinbase itself.\n* Not profiting from vulnerabilities outside of Bug Bounty Program payouts.\n* Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against employees to be a violation of Program Policies. 
Researchers engaging in such attacks will be banned from the program.\n\nResearchers that engage in extortion attempts will be banned and reported to law enforcement.\n\n# Report Evaluation\n\nA valid report must demonstrate a software vulnerability in a Coinbase service that harms Coinbase or its customers. Reports with clear Proof of Concept or specific step-by-step instructions are more effective and more likely to be deemed valid.\nSeverity is determined based on two factors: Impact and Exploitability.\n\n**Impact** describes the effects of successful exploitation upon Coinbase systems or customers, primarily examining effects on confidentiality, integrity, or availability of information.\n\n**Exploitability** describes the difficulty of exploitation, based on prerequisites, level of access required, availability of critical information, and likelihood of alignment of required factors outside the attacker's direct control.\nA report must also follow [HackerOne's Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) and all rules on the Coinbase HackerOne page.\n\n## Note on Rate Limiting submissions:\n\n* A clear bypass must demonstrate access to actual user data or funds, not test accounts.\n* Researchers should be aware that rate limiting exists and has been evaluated internally and by other researchers.\n* Compensating controls should be considered when rating the criticality.\n\n# Report Closure\n\nCoinbase reviews all findings reported via our Bug Bounty Program. If the description is unclear, we will request additional information. After internal review, bugs that are not reproducible, invalid, or informative will be closed.\n\nAfter a bug is paid out, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated, but indicates the ticket has been addressed and a final decision has been made.\n\n**Note**: Researchers must provide detailed information and supporting evidence. 
Reports submitted outside of the HackerOne platform will not be considered for bounty.\n\n# Scope\n\nThe program covers all software vulnerabilities in services provided by Coinbase.\n\n**In-scope domains:**\n\n* .coinbase.com (All assets on coinbase.com and subdomains, excepting third-party services)\n* .cbhq.net (All assets on cbhq.net and subdomains, excepting third-party services)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* .base.org\n* .tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.\n\n**Out of scope:**\n\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries\n* Vulnerabilities in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials by themselves\n\nIf you believe an asset should be in scope, please submit a report explaining why.\n\n# Eligibility\n\nTo participate, you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation\n* Be at least 14 years old with legal capacity to agree to these terms\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member, contractor, or service provider\n\nAll submissions must be through HackerOne.\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports through HackerOne are acceptable but not eligible for bounty awards.\nThe current Bug Bounty Program is v4.2. 
Please also refer to [HackerOne's Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-08T16:15:56.157Z"},{"id":3766775,"new_policy":"Coinbase recognizes the importance and value of security researchers' efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n**Note:** This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (\"Sensitive Data\"):\n\n* Digital and fiat currency balances\n* Customer information\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# A Note on AI Generated Reports\n\nWe’ve seen an increase in fully AI generated submissions that lack real-world applicability. While we support the use of AI as a tool to enhance clarity or structure in reports, submissions that rely solely on AI, with no original researcher insight, testing, or validation, do not meet our quality standards. 
Reports that are clearly automated with no meaningful human input will be immediately closed. We value technical depth, real evidence, and critical thinking. AI should support your research, not replace it.\n\n# Web3 bugs\n\nPlease submit all web3 related bugs here on Cantina: https://cantina.xyz/bounties/55316f42-3c5e-4746-9bd0-0f18dcbc344b\n\n# Program Overview\n\nThe Bug Bounty Program covers all software vulnerabilities in services provided by Coinbase, including our open source projects hosted at:\n\n* github.com/coinbase\n* github.com/base\n* github.com/coinbase/cb-mpc\n\n# Reward Structure\n\nWe have updated our payout structure with rewards ranging from $200 to $1,000,000 based on severity tiers. We have also combined our severity matrices to make our grading more streamlined and clear to researchers:\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | **Web2**: Vulnerabilities affecting critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys.   |  Up to $1,000,000 | \n| **Critical**      | **Web2**: Vulnerabilities that could influence market swings via Coinbase API or Services, Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts. Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. **Open Source Bugs**: High-severity vulnerabilities affecting common configurations and easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. 
Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | **Web2**: Bypassing Coinbase fee structures impacting the majority of users, PII leaks affecting \u003c15% of users, Bypass of KYC restrictions, 2FA bypass impacting one Coinbase product. Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. **Open Source Bugs**: High-severity vulnerabilities affecting less common configurations or less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | **Web2**: Fee structure bypasses affecting a moderate number of users, Semi-sensitive information leaks affecting \u003c15% of users, Flaws preventing \u003e1000 users from purchasing/trading. Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. **Open Source Bugs**: Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | **Web2**: Financial loss of less than $100,000 for Coinbase owned systems, Default security misconfigurations, Localized exploitation within a constrained environment. Minor monetary impacts to Coinbase. **Open Source Bugs**: Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions.                               
|  $200 |\n\n### Additional Information\n* **Risk Rating System**: We use an internal risk rating system with predefined metrics related to monetary impact to determine final payouts.\n* **PII Leaks**: Evaluated through our internal scoring system based on the specifics of the leaked information and associated risk.\n\n# Base Network\n\nWith the launch of our Layer 2 blockchain Base, we're expanding our scope to address critical vulnerabilities, specifically targeting memory pool information leaks. These vulnerabilities could afford unauthorized access to pending transaction data, exposing sensitive information to MEV searchers.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism). Researchers should also refer to Optimism's bug bounty program [here](https://immunefi.com/bounty/optimism/) for findings that stem from the core framework or protocol.\n\n# CB-MPC (Coinbase Multi-Party Computation) Open Source Release\n\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n\n* Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n* Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. 
Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | Open Source Bugs (cb-mpc): not applicable   |  Up to $1,000,000 | \n| **Critical**      | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols (e.g., Signing,  DKG, TDH2 but not lower level APIs) that are easily exploitable and can lead to key compromise. Examples: significant disclosure of sensitive data (key material), remote code execution. Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | Open Source Bugs (cb-mpc): High-severity vulnerabilities in high-level protocols that are less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | Open Source Bugs (cb-mpc): Vulnerabilities in less commonly used scenarios or hard to exploit or in lower level cryptographic APIs (e.g., ZKPs, Commitment, etc). Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | Open Source Bugs (cb-mpc):  Non-cryptographic issues including low-level non-cryptographic APIs, crashes, or deprecated cryptographic code. 
Any vulnerability in code that is released under “beta” is always low. Fixed immediately in latest development versions; may be backported to older versions.                              |  $200 |\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms. We believe it is critical to provide these assurances to allow security researchers to fully investigate potential security vulnerabilities.\n\n## Researcher Requirements\n\nResponsible Disclosure includes:\n\n* Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process.\n* Making a good faith effort to preserve the confidentiality and integrity of Coinbase customer data.\n* Not defrauding Coinbase customers or Coinbase itself.\n* Not profiting from vulnerabilities outside of Bug Bounty Program payouts.\n* Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against employees to be a violation of Program Policies. Researchers engaging in such attacks will be banned from the program.\n\nResearchers that engage in extortion attempts will be banned and reported to law enforcement.\n\n# Report Evaluation\n\nA valid report must demonstrate a software vulnerability in a Coinbase service that harms Coinbase or its customers. 
Reports with clear Proof of Concept or specific step-by-step instructions are more effective and more likely to be deemed valid.\nSeverity is determined based on two factors: Impact and Exploitability.\n\n**Impact** describes the effects of successful exploitation upon Coinbase systems or customers, primarily examining effects on confidentiality, integrity, or availability of information.\n\n**Exploitability** describes the difficulty of exploitation, based on prerequisites, level of access required, availability of critical information, and likelihood of alignment of required factors outside the attacker's direct control.\nA report must also follow [HackerOne's Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) and all rules on the Coinbase HackerOne page.\n\n## Note on Rate Limiting submissions:\n\n* A clear bypass must demonstrate access to actual user data or funds, not test accounts.\n* Researchers should be aware that rate limiting exists and has been evaluated internally and by other researchers.\n* Compensating controls should be considered when rating the criticality.\n\n# Report Closure\n\nCoinbase reviews all findings reported via our Bug Bounty Program. If the description is unclear, we will request additional information. After internal review, bugs that are not reproducible, invalid, or informative will be closed.\n\nAfter a bug is paid out, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated, but indicates the ticket has been addressed and a final decision has been made.\n\n**Note**: Researchers must provide detailed information and supporting evidence. 
Reports submitted outside of the HackerOne platform will not be considered for bounty.\n\n# Scope\n\nThe program covers all software vulnerabilities in services provided by Coinbase.\n\n**In-scope domains:**\n\n* .coinbase.com (All assets on coinbase.com and subdomains, excepting third-party services)\n* .cbhq.net (All assets on cbhq.net and subdomains, excepting third-party services)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* .base.org\n* .tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.\n\n**Out of scope:**\n\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries\n* Vulnerabilities in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials by themselves\n\nIf you believe an asset should be in scope, please submit a report explaining why.\n\n# Eligibility\n\nTo participate, you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation\n* Be at least 14 years old with legal capacity to agree to these terms\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member, contractor, or service provider\n\nAll submissions must be through HackerOne.\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports through HackerOne are acceptable but not eligible for bounty awards.\nThe current Bug Bounty Program is v4.2. 
Please also refer to [HackerOne's Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-01T17:48:08.326Z"},{"id":3762984,"new_policy":"Coinbase recognizes the importance and value of security researchers' efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n**Note:** This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (\"Sensitive Data\"):\n\n* Digital and fiat currency balances\n* Customer information\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# A Note on AI Generated Reports\n\nWe’ve seen an increase in fully AI generated submissions that lack real-world applicability. While we support the use of AI as a tool to enhance clarity or structure in reports, submissions that rely solely on AI, with no original researcher insight, testing, or validation, do not meet our quality standards. 
Reports that are clearly automated with no meaningful human input will be immediately closed. We value technical depth, real evidence, and critical thinking. AI should support your research, not replace it.\n\n# Web3 bugs\n\nPlease submit all web3 related bugs here on Cantina: https://cantina.xyz/bounties/55316f42-3c5e-4746-9bd0-0f18dcbc344b\n\n# Program Overview\n\nThe Bug Bounty Program covers all software vulnerabilities in services provided by Coinbase, including our open source projects hosted at:\n\n* github.com/coinbase\n* github.com/base\n* github.com/coinbase/cb-mpc\n\n# Reward Structure\n\nWe have updated our payout structure with rewards ranging from $200 to $1,000,000 based on severity tiers. We have also combined our severity matrices to make our grading more streamlined and clear to researchers:\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | **Web2/Web3**: Vulnerabilities affecting critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys.   |  Up to $1,000,000 | \n| **Critical**      | **Web2/Web3**: Vulnerabilities that could influence market swings via Coinbase API or Services, Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts. Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. **Open Source Bugs**: High-severity vulnerabilities affecting common configurations and easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. 
Private by default; triggers new releases for all supported versions.  | $50,000 | \n| **High**          | **Web2/Web3**: Bypassing Coinbase fee structures impacting the majority of users, PII leaks affecting \u003c15% of users, Bypass of KYC restrictions, 2FA bypass impacting one Coinbase product. Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. **Open Source Bugs**: High-severity vulnerabilities affecting less common configurations or less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | **Web2/Web3**: Fee structure bypasses affecting a moderate number of users, Semi-sensitive information leaks affecting \u003c15% of users, Flaws preventing \u003e1000 users from purchasing/trading. Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. **Open Source Bugs**: Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | **Web2/Web3**: Financial loss of less than $100,000 for Coinbase owned systems, Default security misconfigurations, Localized exploitation within a constrained environment. Minor monetary impacts to Coinbase. **Open Source Bugs**: Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions.                               
|  $200 |\n\n### Additional Information\n* **Risk Rating System**: We use an internal risk rating system with predefined metrics related to monetary impact to determine final payouts.\n* **PII Leaks**: Evaluated through our internal scoring system based on the specifics of the leaked information and associated risk.\n\n# Base Network\n\nWith the launch of our Layer 2 blockchain Base, we're expanding our scope to address critical vulnerabilities, specifically targeting memory pool information leaks. These vulnerabilities could afford unauthorized access to pending transaction data, exposing sensitive information to MEV searchers.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism). Researchers should also refer to Optimism's bug bounty program [here](https://immunefi.com/bounty/optimism/) for findings that stem from the core framework or protocol.\n\n# CB-MPC (Coinbase Multi-Party Computation) Open Source Release\n\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n\n* Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n* Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. 
Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms. We believe it is critical to provide these assurances to allow security researchers to fully investigate potential security vulnerabilities.\n\n## Researcher Requirements\n\nResponsible Disclosure includes:\n\n* Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process.\n* Making a good faith effort to preserve the confidentiality and integrity of Coinbase customer data.\n* Not defrauding Coinbase customers or Coinbase itself.\n* Not profiting from vulnerabilities outside of Bug Bounty Program payouts.\n* Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against employees to be a violation of Program Policies. Researchers engaging in such attacks will be banned from the program.\n\nResearchers that engage in extortion attempts will be banned and reported to law enforcement.\n\n# Report Evaluation\n\nA valid report must demonstrate a software vulnerability in a Coinbase service that harms Coinbase or its customers. 
Reports with clear Proof of Concept or specific step-by-step instructions are more effective and more likely to be deemed valid.\nSeverity is determined based on two factors: Impact and Exploitability.\n\n**Impact** describes the effects of successful exploitation upon Coinbase systems or customers, primarily examining effects on confidentiality, integrity, or availability of information.\n\n**Exploitability** describes the difficulty of exploitation, based on prerequisites, level of access required, availability of critical information, and likelihood of alignment of required factors outside the attacker's direct control.\nA report must also follow [HackerOne's Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) and all rules on the Coinbase HackerOne page.\n\n## Note on Rate Limiting submissions:\n\n* A clear bypass must demonstrate access to actual user data or funds, not test accounts.\n* Researchers should be aware that rate limiting exists and has been evaluated internally and by other researchers.\n* Compensating controls should be considered when rating the criticality.\n\n# Report Closure\n\nCoinbase reviews all findings reported via our Bug Bounty Program. If the description is unclear, we will request additional information. After internal review, bugs that are not reproducible, invalid, or informative will be closed.\n\nAfter a bug is paid out, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated, but indicates the ticket has been addressed and a final decision has been made.\n\n**Note**: Researchers must provide detailed information and supporting evidence. 
Reports submitted outside of the HackerOne platform will not be considered for bounty.\n\n# Scope\n\nThe program covers all software vulnerabilities in services provided by Coinbase.\n\n**In-scope domains:**\n\n* .coinbase.com (All assets on coinbase.com and subdomains, excepting third-party services)\n* .cbhq.net (All assets on cbhq.net and subdomains, excepting third-party services)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* .base.org\n* .tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.\n\n**Out of scope:**\n\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries\n* Vulnerabilities in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials by themselves\n\nIf you believe an asset should be in scope, please submit a report explaining why.\n\n# Eligibility\n\nTo participate, you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation\n* Be at least 14 years old with legal capacity to agree to these terms\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member, contractor, or service provider\n\nAll submissions must be through HackerOne.\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports through HackerOne are acceptable but not eligible for bounty awards.\nThe current Bug Bounty Program is v4.2. 
Please also refer to [HackerOne's Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-18T18:47:30.529Z"},{"id":3759040,"new_policy":"Coinbase recognizes the importance and value of security researchers' efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n**Note:** This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (\"Sensitive Data\"):\n\n* Digital and fiat currency balances\n* Customer information\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# A Note on AI Generated Reports\n\nWe’ve seen an increase in fully AI generated submissions that lack real-world applicability. While we support the use of AI as a tool to enhance clarity or structure in reports, submissions that rely solely on AI, with no original researcher insight, testing, or validation, do not meet our quality standards. 
Reports that are clearly automated with no meaningful human input will be immediately closed. We value technical depth, real evidence, and critical thinking. AI should support your research, not replace it.\n\n# Program Overview\n\nThe Bug Bounty Program covers all software vulnerabilities in services provided by Coinbase, including our open source projects hosted at:\n\n* github.com/coinbase\n* github.com/base\n* github.com/coinbase/cb-mpc\n\n# Reward Structure\n\nWe have updated our payout structure with rewards ranging from $200 to $1,000,000 based on severity tiers. We have also combined our severity matrices to make our grading more streamlined and clear to researchers:\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | **Web2/Web3**: Vulnerabilities affecting critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys.   |  Up to $1,000,000 | \n| **Critical**      | **Web2/Web3**: Vulnerabilities that could influence market swings via Coinbase API or Services, Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts. Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. **Open Source Bugs**: High-severity vulnerabilities affecting common configurations and easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. Private by default; triggers new releases for all supported versions.  
| $50,000 | \n| **High**          | **Web2/Web3**: Bypassing Coinbase fee structures impacting the majority of users, PII leaks affecting \u003c15% of users, Bypass of KYC restrictions, 2FA bypass impacting one Coinbase product. Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. **Open Source Bugs**: High-severity vulnerabilities affecting less common configurations or less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | **Web2/Web3**: Fee structure bypasses affecting a moderate number of users, Semi-sensitive information leaks affecting \u003c15% of users, Flaws preventing \u003e1000 users from purchasing/trading. Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. **Open Source Bugs**: Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | **Web2/Web3**: Financial loss of less than $100,000 for Coinbase owned systems, Default security misconfigurations, Localized exploitation within a constrained environment. Minor monetary impacts to Coinbase. **Open Source Bugs**: Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions.                               
|  $200 |\n\n### Additional Information\n* **Risk Rating System**: We use an internal risk rating system with predefined metrics related to monetary impact to determine final payouts.\n* **PII Leaks**: Evaluated through our internal scoring system based on the specifics of the leaked information and associated risk.\n\n# Base Network\n\nWith the launch of our Layer 2 blockchain Base, we're expanding our scope to address critical vulnerabilities, specifically targeting memory pool information leaks. These vulnerabilities could afford unauthorized access to pending transaction data, exposing sensitive information to MEV searchers.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism). Researchers should also refer to Optimism's bug bounty program [here](https://immunefi.com/bounty/optimism/) for findings that stem from the core framework or protocol.\n\n# CB-MPC (Coinbase Multi-Party Computation) Open Source Release\n\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n\n* Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n* Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. 
Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms. We believe it is critical to provide these assurances to allow security researchers to fully investigate potential security vulnerabilities.\n\n## Researcher Requirements\n\nResponsible Disclosure includes:\n\n* Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process.\n* Making a good faith effort to preserve the confidentiality and integrity of Coinbase customer data.\n* Not defrauding Coinbase customers or Coinbase itself.\n* Not profiting from vulnerabilities outside of Bug Bounty Program payouts.\n* Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against employees to be a violation of Program Policies. Researchers engaging in such attacks will be banned from the program.\n\nResearchers that engage in extortion attempts will be banned and reported to law enforcement.\n\n# Report Evaluation\n\nA valid report must demonstrate a software vulnerability in a Coinbase service that harms Coinbase or its customers. 
Reports with clear Proof of Concept or specific step-by-step instructions are more effective and more likely to be deemed valid.\nSeverity is determined based on two factors: Impact and Exploitability.\n\n**Impact** describes the effects of successful exploitation upon Coinbase systems or customers, primarily examining effects on confidentiality, integrity, or availability of information.\n\n**Exploitability** describes the difficulty of exploitation, based on prerequisites, level of access required, availability of critical information, and likelihood of alignment of required factors outside the attacker's direct control.\nA report must also follow [HackerOne's Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) and all rules on the Coinbase HackerOne page.\n\n## Note on Rate Limiting submissions:\n\n* A clear bypass must demonstrate access to actual user data or funds, not test accounts.\n* Researchers should be aware that rate limiting exists and has been evaluated internally and by other researchers.\n* Compensating controls should be considered when rating the criticality.\n\n# Report Closure\n\nCoinbase reviews all findings reported via our Bug Bounty Program. If the description is unclear, we will request additional information. After internal review, bugs that are not reproducible, invalid, or informative will be closed.\n\nAfter a bug is paid out, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated, but indicates the ticket has been addressed and a final decision has been made.\n\n**Note**: Researchers must provide detailed information and supporting evidence. 
Reports submitted outside of the HackerOne platform will not be considered for bounty.\n\n# Scope\n\nThe program covers all software vulnerabilities in services provided by Coinbase.\n\n**In-scope domains:**\n\n* .coinbase.com (All assets on coinbase.com and subdomains, excepting third-party services)\n* .cbhq.net (All assets on cbhq.net and subdomains, excepting third-party services)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* .base.org\n* .tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.\n\n**Out of scope:**\n\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries\n* Vulnerabilities in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials by themselves\n\nIf you believe an asset should be in scope, please submit a report explaining why.\n\n# Eligibility\n\nTo participate, you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation\n* Be at least 14 years old with legal capacity to agree to these terms\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member, contractor, or service provider\n\nAll submissions must be through HackerOne.\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports through HackerOne are acceptable but not eligible for bounty awards.\nThe current Bug Bounty Program is v4.2. 
Please also refer to [HackerOne's Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-14T19:07:00.942Z"},{"id":3756384,"new_policy":"Coinbase recognizes the importance and value of security researchers' efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n**Note:** This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (\"Sensitive Data\"):\n\n* Digital and fiat currency balances\n* Customer information\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# A Note on AI Generated Reports\n\nWe’ve seen an increase in fully AI generated submissions that lack real-world applicability. While we support the use of AI as a tool to enhance clarity or structure in reports, submissions that rely solely on AI, with no original researcher insight, testing, or validation, do not meet our quality standards. 
Reports that are clearly automated with no meaningful human input will be immediately closed. We value technical depth, real evidence, and critical thinking. AI should support your research, not replace it.\n\n# Program Overview\n\nThe Bug Bounty Program covers all software vulnerabilities in services provided by Coinbase, including our open source projects hosted at:\n\n* github.com/coinbase\n* github.com/base-org\n* github.com/coinbase/cb-mpc\n\n# Reward Structure\n\nWe have updated our payout structure with rewards ranging from $200 to $1,000,000 based on severity tiers. We have also combined our severity matrices to make our grading more streamlined and clear to researchers:\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | **Web2/Web3**: Vulnerabilities affecting critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys.   |  Up to $1,000,000 | \n| **Critical**      | **Web2/Web3**: Vulnerabilities that could influence market swings via Coinbase API or Services, Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts. Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. **Open Source Bugs**: High-severity vulnerabilities affecting common configurations and easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. Private by default; triggers new releases for all supported versions.  
| $50,000 | \n| **High**          | **Web2/Web3**: Bypassing Coinbase fee structures impacting the majority of users, PII leaks affecting \u003c15% of users, Bypass of KYC restrictions, 2FA bypass impacting one Coinbase product. Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. **Open Source Bugs**: High-severity vulnerabilities affecting less common configurations or less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | **Web2/Web3**: Fee structure bypasses affecting a moderate number of users, Semi-sensitive information leaks affecting \u003c15% of users, Flaws preventing \u003e1000 users from purchasing/trading. Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. **Open Source Bugs**: Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | **Web2/Web3**: Financial loss of less than $100,000 for Coinbase owned systems, Default security misconfigurations, Localized exploitation within a constrained environment. Minor monetary impacts to Coinbase. **Open Source Bugs**: Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions.                               
|  $200 |\n\n### Additional Information\n* **Risk Rating System**: We use an internal risk rating system with predefined metrics related to monetary impact to determine final payouts.\n* **PII Leaks**: Evaluated through our internal scoring system based on the specifics of the leaked information and associated risk.\n\n# Base Network\n\nWith the launch of our Layer 2 blockchain Base, we're expanding our scope to address critical vulnerabilities, specifically targeting memory pool information leaks. These vulnerabilities could afford unauthorized access to pending transaction data, exposing sensitive information to MEV searchers.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism). Researchers should also refer to Optimism's bug bounty program [here](https://immunefi.com/bounty/optimism/) for findings that stem from the core framework or protocol.\n\n# CB-MPC (Coinbase Multi-Party Computation) Open Source Release\n\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n\n* Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n* Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. 
Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms. We believe it is critical to provide these assurances to allow security researchers to fully investigate potential security vulnerabilities.\n\n## Researcher Requirements\n\nResponsible Disclosure includes:\n\n* Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process.\n* Making a good faith effort to preserve the confidentiality and integrity of Coinbase customer data.\n* Not defrauding Coinbase customers or Coinbase itself.\n* Not profiting from vulnerabilities outside of Bug Bounty Program payouts.\n* Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against employees to be a violation of Program Policies. Researchers engaging in such attacks will be banned from the program.\n\nResearchers that engage in extortion attempts will be banned and reported to law enforcement.\n\n# Report Evaluation\n\nA valid report must demonstrate a software vulnerability in a Coinbase service that harms Coinbase or its customers. 
Reports with clear Proof of Concept or specific step-by-step instructions are more effective and more likely to be deemed valid.\nSeverity is determined based on two factors: Impact and Exploitability.\n\n**Impact** describes the effects of successful exploitation upon Coinbase systems or customers, primarily examining effects on confidentiality, integrity, or availability of information.\n\n**Exploitability** describes the difficulty of exploitation, based on prerequisites, level of access required, availability of critical information, and likelihood of alignment of required factors outside the attacker's direct control.\nA report must also follow [HackerOne's Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) and all rules on the Coinbase HackerOne page.\n\n## Note on Rate Limiting submissions:\n\n* A clear bypass must demonstrate access to actual user data or funds, not test accounts.\n* Researchers should be aware that rate limiting exists and has been evaluated internally and by other researchers.\n* Compensating controls should be considered when rating the criticality.\n\n# Report Closure\n\nCoinbase reviews all findings reported via our Bug Bounty Program. If the description is unclear, we will request additional information. After internal review, bugs that are not reproducible, invalid, or informative will be closed.\n\nAfter a bug is paid out, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated, but indicates the ticket has been addressed and a final decision has been made.\n\n**Note**: Researchers must provide detailed information and supporting evidence. 
Reports submitted outside of the HackerOne platform will not be considered for bounty.\n\n# Scope\n\nThe program covers all software vulnerabilities in services provided by Coinbase.\n\n**In-scope domains:**\n\n* .coinbase.com (All assets on coinbase.com and subdomains, excepting third-party services)\n* .cbhq.net (All assets on cbhq.net and subdomains, excepting third-party services)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* .base.org\n* .tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.\n\n**Out of scope:**\n\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries\n* Vulnerabilities in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials by themselves\n\nIf you believe an asset should be in scope, please submit a report explaining why.\n\n# Eligibility\n\nTo participate, you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation\n* Be at least 14 years old with legal capacity to agree to these terms\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member, contractor, or service provider\n\nAll submissions must be through HackerOne.\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports through HackerOne are acceptable but not eligible for bounty awards.\nThe current Bug Bounty Program is v4.2. 
Please also refer to [HackerOne's Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-27T16:15:39.764Z"},{"id":3754079,"new_policy":"Coinbase recognizes the importance and value of security researchers' efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n**Note:** This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (\"Sensitive Data\"):\n\n* Digital and fiat currency balances\n* Customer information\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report to qualify for a bounty. 
Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# Program Overview\n\nThe Bug Bounty Program covers all software vulnerabilities in services provided by Coinbase, including our open source projects hosted at:\n\n* github.com/coinbase\n* github.com/base-org\n* github.com/coinbase/cb-mpc\n\n# Reward Structure\n\nWe have updated our payout structure with rewards ranging from $200 to $1,000,000 based on severity tiers. We have also combined our severity matrices to make our grading more streamlined and clear to researchers:\n\n| Vulnerability Tier          | Description                           | Reward                                             |\n|:-------------------|:--------------------------------|:------------------------------------------|\n| **Extreme**      | **Web2/Web3**: Vulnerabilities affecting critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys.   |  Up to $1,000,000 | \n| **Critical**      | **Web2/Web3**: Vulnerabilities that could influence market swings via Coinbase API or Services, Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts. Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. **Open Source Bugs**: High-severity vulnerabilities affecting common configurations and easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. Private by default; triggers new releases for all supported versions.  
| $50,000 | \n| **High**          | **Web2/Web3**: Bypassing Coinbase fee structures impacting the majority of users, PII leaks affecting \u003c15% of users, Bypass of KYC restrictions, 2FA bypass impacting one Coinbase product. Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. **Open Source Bugs**: High-severity vulnerabilities affecting less common configurations or less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. | $15,000 |\n| **Medium**        | **Web2/Web3**: Fee structure bypasses affecting a moderate number of users, Semi-sensitive information leaks affecting \u003c15% of users, Flaws preventing \u003e1000 users from purchasing/trading. Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. **Open Source Bugs**: Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates.            |  $2,000 |\n| **Low**           | **Web2/Web3**: Financial loss of less than $100,000 for Coinbase owned systems, Default security misconfigurations, Localized exploitation within a constrained environment. Minor monetary impacts to Coinbase. **Open Source Bugs**: Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions.                               
|  $200 |\n\n### Additional Information\n* **Risk Rating System**: We use an internal risk rating system with predefined metrics related to monetary impact to determine final payouts.\n* **PII Leaks**: Evaluated through our internal scoring system based on the specifics of the leaked information and associated risk.\n\n# Base Network\n\nWith the launch of our Layer 2 blockchain Base, we're expanding our scope to address critical vulnerabilities, specifically targeting memory pool information leaks. These vulnerabilities could afford unauthorized access to pending transaction data, exposing sensitive information to MEV searchers.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism). Researchers should also refer to Optimism's bug bounty program [here](https://immunefi.com/bounty/optimism/) for findings that stem from the core framework or protocol.\n\n# CB-MPC (Coinbase Multi-Party Computation) Open Source Release\n\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n\n* Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n* Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. 
Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms. We believe it is critical to provide these assurances to allow security researchers to fully investigate potential security vulnerabilities.\n\n## Researcher Requirements\n\nResponsible Disclosure includes:\n\n* Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process.\n* Making a good faith effort to preserve the confidentiality and integrity of Coinbase customer data.\n* Not defrauding Coinbase customers or Coinbase itself.\n* Not profiting from vulnerabilities outside of Bug Bounty Program payouts.\n* Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against employees to be a violation of Program Policies. Researchers engaging in such attacks will be banned from the program.\n\nResearchers that engage in extortion attempts will be banned and reported to law enforcement.\n\n# Report Evaluation\n\nA valid report must demonstrate a software vulnerability in a Coinbase service that harms Coinbase or its customers. 
Reports with clear Proof of Concept or specific step-by-step instructions are more effective and more likely to be deemed valid.\nSeverity is determined based on two factors: Impact and Exploitability.\n\n**Impact** describes the effects of successful exploitation upon Coinbase systems or customers, primarily examining effects on confidentiality, integrity, or availability of information.\n\n**Exploitability** describes the difficulty of exploitation, based on prerequisites, level of access required, availability of critical information, and likelihood of alignment of required factors outside the attacker's direct control.\nA report must also follow [HackerOne's Code of Conduct](https://www.hackerone.com/policies/code-of-conduct) and all rules on the Coinbase HackerOne page.\n\n## Note on Rate Limiting submissions:\n\n* A clear bypass must demonstrate access to actual user data or funds, not test accounts.\n* Researchers should be aware that rate limiting exists and has been evaluated internally and by other researchers.\n* Compensating controls should be considered when rating the criticality.\n\n# Report Closure\n\nCoinbase reviews all findings reported via our Bug Bounty Program. If the description is unclear, we will request additional information. After internal review, bugs that are not reproducible, invalid, or informative will be closed.\n\nAfter a bug is paid out, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated, but indicates the ticket has been addressed and a final decision has been made.\n\n**Note**: Researchers must provide detailed information and supporting evidence. 
Reports submitted outside of the HackerOne platform will not be considered for bounty.\n\n# Scope\n\nThe program covers all software vulnerabilities in services provided by Coinbase.\n\n**In-scope domains:**\n\n* .coinbase.com (All assets on coinbase.com and subdomains, excepting third-party services)\n* .cbhq.net (All assets on cbhq.net and subdomains, excepting third-party services)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* .base.org\n* .tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted.\n\n**Out of scope:**\n\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries\n* Vulnerabilities in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials by themselves\n\nIf you believe an asset should be in scope, please submit a report explaining why.\n\n# Eligibility\n\nTo participate, you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation\n* Be at least 14 years old with legal capacity to agree to these terms\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member, contractor, or service provider\n\nAll submissions must be through HackerOne.\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports through HackerOne are acceptable but not eligible for bounty awards.\nThe current Bug Bounty Program is v4.2. 
Please also refer to [HackerOne's Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-21T17:02:53.860Z"},{"id":3752495,"new_policy":"# IMPORTANT UPDATE:\n\n**March 27, 2025 Update**\n***CB-MPC (Coinbase Multi-Party Computation) Open Source Release***\nCoinbase is proud to announce the open-sourcing of our MPC cryptography library! You can access it here: https://github.com/coinbase/cb-mpc. This significant milestone underscores our commitment to transparency, security, and promoting innovation within the cryptographic community.\n\nWith this release, we aim to:\n- Enhance the security of the field by enabling developers to quickly deploy threshold signing/MPC for protecting cryptoassets in their applications.\n- Increase transparency regarding Coinbase’s use of MPC, and encourage collaboration within the developer community.\n\nNote that while the code is based on Coinbase's production environment, it is not exactly the same, and it has been modified to make it useful as a general-purpose library.\n\nThe primary focus of our bug bounty program will include identifying and addressing potential vulnerabilities in our open-source MPC implementation. Given the sensitive nature of these cryptographic protocols, it's imperative to safeguard against any exploits that could compromise cryptoassets. 
Responsible disclosure via the Bug Bounty Program or directly is encouraged (for direct disclosure see https://github.com/coinbase/cb-mpc/blob/master/SECURITY.md).\n\nThrough community collaboration and vigilant security reviews, we aspire to provide an easy to use and highly secure MPC library to help developers secure cryptoassets across the entire cryptocurrency and blockchain ecosystem.\n\n**January 10, 2025 Update**\nWe are now publicizing our open source projects for our bug bounty program. These open source projects can be found here:\n\n* github.com/coinbase\n* github.com/base-org\n\nPlease reference this matrix regarding all open source related bugs:\n\n## Open Source Severity Matrix\n\n| Vulnerability Tier | Explanation |\n|:------------- | :-----|\n| Critical | High-severity vulnerabilities that affect common configurations and are easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. Private by default; triggers new releases for all supported versions. |\n| High | High-severity vulnerabilities that affect less common configurations or are less easily exploitable. Private by default; triggers new release for all supported versions within a reasonable timeframe. |\n| Medium | Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates. |\n| Low | Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions. |\n\n**April 16, 2024 Update**\nWe have included a severity matrix for web3 related bugs into the program page below.\n\n**April 10, 2024 Update**\nWe have added a new section below regarding all submissions for our L2 BASE network and related assets. 
This section outlines new items in scope, and areas of focus for our researchers.\n\n**August 28, 2023 Update**\nWe would like to clarify that our severity ratings and payouts at Coinbase do not rely on the CVSS (Common Vulnerability Scoring System) score, other companies' payouts, or even examples listed on our program page below. These items may be used as a guideline to approach a final decision. Instead, we utilize an internal scoring metric to assess and determine the severity of reported vulnerabilities and their respective payouts. The CVSS score serves as a guideline for researchers to submit their assessment of severity, based on their evaluation. However, it is important to note that Coinbase is not bound to payout solely based on the CVSS metrics, any other reports referenced on the HackerOne platform, or any examples listed on our program page. All payouts are subject to the discretion of our Coinbase security team, who carefully evaluate the reported vulnerabilities and their potential impact.\n\n**August 22, 2023 Update**\n\nWe are changing our internal tracking process for bugs. After a bug is paid out, even after it is triaged, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated; it instead means the ticket has been addressed and the final decision regarding the bug has been made. If you have any questions about this, please reach out to us via HackerOne.\n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap of $1 Million has been implemented. 
Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. | Up to $1,000,000 |\n\nSeveral internal metrics will be used to assess the validity of an \"extreme tier\" bug. Careful time and consideration are put into these bug bounty awards. This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have made some new changes to the bug bounty program. We are adding new categories that are eligible for bug bounty rewards. We have also added specific examples of the severity ratings different bugs will receive. The updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.\n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard our two highest-priority assets (“Sensitive Data”):\n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. \n* **Staking Loss** - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment or brand, or disrupt a critical service.\n\n# BASE Network (Updated April 10, 2024)\n\nWith the launch of our Layer 2 blockchain Base, we're intensifying our focus on securing transactions within the cryptocurrency ecosystem. As leaders in this space, we prioritize stringent security protocols to safeguard user assets. To this end, we're expanding our scope to address critical vulnerabilities, specifically targeting **memory pool information leaks**. These vulnerabilities pose a significant threat, potentially affording unauthorized access to pending transaction data and thereby exposing sensitive information to MEV searchers. By mitigating these risks, we aim to enhance the resilience of our platform against exploitation, ensuring the confidentiality and integrity of all transactions. 
\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism), so researchers should also refer to **Optimism's** bug bounty program, which can be found [here](https://immunefi.com/bounty/optimism/), for any findings that stem from the core framework or protocol.\n\nOptimism is a project dedicated to scaling Ethereum's technology and expanding its ability to coordinate people from across the world to build effective decentralized economies and governance systems.\n\n# Web3 Components Severity Matrix\n\nThe following severity matrix serves as a guideline for assessing potential payouts for bugs related to our Web3 components. Please note that while this chart provides a general framework, actual payouts may vary. Factors such as the extent of exposure and the risk involved are also considered in our final payout decisions.\n\n## Severity Levels and Examples\n\n| Severity          | Examples                                                                 |\n|:-------------------|:--------------------------------------------------------------------------|\n| **Critical**      | Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem.  |\n| **High**          | Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. |\n| **Medium**        | Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users.              |\n| **Low**           | Minor monetary impacts to Coinbase.                                      |\n\n### Additional Information\n\n- **Risk Rating System**: We use an internal risk rating system that includes specific metrics related to monetary impact. 
These metrics are confidential and are applied internally to determine the final payout.\n- **PII Leaks**: Personally Identifiable Information (PII) leaks are evaluated through our internal scoring system, which categorizes the severity based on the specifics of the leaked information and the associated risk.\n\nThis matrix is part of our ongoing effort to ensure transparency and fairness in our bug bounty program while protecting the integrity of our systems and the privacy of our users.\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms, included herein. We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities. As such, we embrace the standardization of policy language that provides legal protection to security researchers.\n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party, and requesting permission to publish pursuant to the HackerOne Disclosure Process (https://www.hackerone.com/disclosure-guidelines).\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from, or allowing any other party to profit from, a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  
Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers. Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty. Coinbase awards bounties based on the severity of the vulnerability. We determine severity based on two factors: Impact and Exploitability.\n\nA report must also follow all the rules of HackerOne's Code of Conduct (https://www.hackerone.com/policies/code-of-conduct), along with all rules found on our Coinbase HackerOne page.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers. We make this assessment primarily by examining the effects of exploitation on the confidentiality, integrity, or availability of the underlying information. Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  
For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low-sensitivity information impacting a subset of users, or slightly impact the accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact the availability of funds or user data are unlikely to be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a critical impact on the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform, and not a test account, can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne platform.\n3. A researcher should take compensating controls into consideration when rating the criticality of a rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including the level of access required, the availability of information critical for successful exploitation, and the likelihood of alignment of required factors outside the attacker's direct control, such as social engineering or timing requirements.\n\nThis table was last updated **Oct 25, 2022**.\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. |\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large-scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small to moderate number (less than 15% of Coinbase users) of customers’ sensitive PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small to moderate number (less than 15% of Coinbase users) of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfigurations or best practices that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or 
parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme  | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  
Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter. After all information is aggregated, the report submission goes through an internal review and scoring process. After the internal review process is complete, any bugs that are not reproducible, invalid, or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence for all reports. Failure to provide a detailed report will result in delayed triage and/or ticket closure. Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service-impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. 
\n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope. If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR. Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials (e.g., database dumps) found on the internet are, by themselves, out of scope. If you are able to leverage our current systems to obtain sensitive user information, the report will be considered.\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  
Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-27T15:40:55.371Z"},{"id":3747807,"new_policy":"# IMPORTANT UPDATE:\n\n**January 10, 2025 Update**\nWe are now publicizing our open source projects for our bug bounty program. These open source projects can be found here:\n\n* github.com/coinbase\n* github.com/base-org\n\nPlease reference this matrix for all open source related bugs:\n\n## Open Source Severity Matrix\n\n| Vulnerability Tier | Explanation |\n|:------------- | :-----|\n| Critical | High-severity vulnerabilities that affect common configurations and are easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. Private by default; triggers new releases for all supported versions. |\n| High | High-severity vulnerabilities that affect less common configurations or are less easily exploitable. Private by default; triggers new releases for all supported versions within a reasonable timeframe. |\n| Medium |  Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates. |\n| Low | Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions. 
|\n|||\n\n**April 16, 2024 Update**\nWe have included a severity matrix for web3 related bugs in the program page below.\n\n**April 10, 2024 Update**\nWe have added a new section below regarding all submissions for our L2 BASE network and related assets. This section outlines new in-scope items and areas of focus for our researchers.\n\n**August 28, 2023 Update**\nWe would like to clarify that our severity ratings and payouts at Coinbase do not rely on the CVSS (Common Vulnerability Scoring System) score, other companies' payouts, or even the examples listed on our program page below. These items may be used as a guideline to approach a final decision. Instead, we utilize an internal scoring metric to assess and determine the severity of reported vulnerabilities and their respective payouts. The CVSS score serves as a guideline for researchers to submit their assessment of severity, based on their evaluation. However, it is important to note that Coinbase is not bound to pay out solely based on the CVSS metrics, any other reports referenced on the HackerOne platform, or any examples listed on our program page. All payouts are subject to the discretion of our Coinbase security team, who carefully evaluate the reported vulnerabilities and their potential impact.\n\n**August 22, 2023 Update**\n\nWe are changing our internal tracking process for bugs. After a bug is paid out, even if it has already been triaged, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated; it means the ticket has been addressed and the final decision regarding the bug has been made. If you have any questions about this, please reach out to us via HackerOne.\n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap of $1 Million has been implemented. 
Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. | Up to $1,000,000 |\n\nSeveral internal metrics will be used to assess the validity of an \"extreme tier\" bug. Careful time and consideration are put into these bug bounty awards. This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have made some new changes to the bug bounty program. We are adding new categories that are eligible for bug bounty rewards. We have also added specific examples of the severity ratings different bugs will receive. The updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.\n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard our two highest-priority assets (“Sensitive Data”):\n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. \n* **Staking Loss** - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment or brand, or disrupt a critical service.\n\n# BASE Network (Updated April 10, 2024)\n\nWith the launch of our Layer 2 blockchain Base, we're intensifying our focus on securing transactions within the cryptocurrency ecosystem. As leaders in this space, we prioritize stringent security protocols to safeguard user assets. To this end, we're expanding our scope to address critical vulnerabilities, specifically targeting **memory pool information leaks**. These vulnerabilities pose a significant threat, potentially affording unauthorized access to pending transaction data and thereby exposing sensitive information to MEV searchers. By mitigating these risks, we aim to enhance the resilience of our platform against exploitation, ensuring the confidentiality and integrity of all transactions. 
\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism), so researchers should also refer to **Optimism's** bug bounty program, which can be found [here](https://immunefi.com/bounty/optimism/), for any findings that stem from the core framework or protocol.\n\nOptimism is a project dedicated to scaling Ethereum's technology and expanding its ability to coordinate people from across the world to build effective decentralized economies and governance systems.\n\n# Web3 Components Severity Matrix\n\nThe following severity matrix serves as a guideline for assessing potential payouts for bugs related to our Web3 components. Please note that while this chart provides a general framework, actual payouts may vary. Factors such as the extent of exposure and the risk involved are also considered in our final payout decisions.\n\n## Severity Levels and Examples\n\n| Severity          | Examples                                                                 |\n|:-------------------|:--------------------------------------------------------------------------|\n| **Critical**      | Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem.  |\n| **High**          | Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. |\n| **Medium**        | Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users.              |\n| **Low**           | Minor monetary impacts to Coinbase.                                      |\n\n### Additional Information\n\n- **Risk Rating System**: We use an internal risk rating system that includes specific metrics related to monetary impact. 
These metrics are confidential and are applied internally to determine the final payout.\n- **PII Leaks**: Personally Identifiable Information (PII) leaks are evaluated through our internal scoring system, which categorizes the severity based on the specifics of the leaked information and the associated risk.\n\nThis matrix is part of our ongoing effort to ensure transparency and fairness in our bug bounty program while protecting the integrity of our systems and the privacy of our users.\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms, included herein. We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities. As such, we embrace the standardization of policy language that provides legal protection to security researchers.\n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party, and requesting permission to publish pursuant to the HackerOne Disclosure Process (https://www.hackerone.com/disclosure-guidelines).\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from, or allowing any other party to profit from, a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  
Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers. Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty. Coinbase awards bounties based on the severity of the vulnerability. We determine severity based on two factors: Impact and Exploitability.\n\nA report must also follow all the rules of HackerOne's Code of Conduct (https://www.hackerone.com/policies/code-of-conduct), along with all rules found on our Coinbase HackerOne page.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers. We make this assessment primarily by examining the effects of exploitation on the confidentiality, integrity, or availability of the underlying information. Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  
For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low-sensitivity information impacting a subset of users, or slightly impact the accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact the availability of funds or user data are unlikely to be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a critical impact on the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform, and not a test account, can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne platform.\n3. A researcher should take compensating controls into consideration when rating the criticality of a rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including the level of access required, the availability of information critical for successful exploitation, and the likelihood of alignment of required factors outside the attacker's direct control, such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase-owned hot/cold wallet assets, funds, and/or wallet private keys. |\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large-scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase-owned system, Default security misconfiguration or best practices that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |
\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or the creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts.\n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, and therefore the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  
Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited.\n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase-provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service-impacting bugs will be accepted.\n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. 
\n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated open source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials (database dumps) by themselves that are found on the internet are out of scope. If you are able to leverage our current systems to receive sensitive user information, the report will be considered.\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  
Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-10T22:41:04.743Z"},{"id":3747783,"new_policy":"# IMPORTANT UPDATE:\n\n**January 10, 2025 Update**\nWe are now publicizing our open source projects for our bug bounty program. These open source projects can be found here:\n\n* github.com/coinbase\n* github.com/base-org\n\nPlease reference this matrix with regard to all open source related bugs:\n\n## Open Source Severity Matrix\n\n| Vulnerability Tier | Explanation |\n|:------------- | :-----|\n| Critical | High-severity vulnerabilities that affect common configurations and are easily exploitable. Examples: significant disclosure of sensitive data, remote code execution. Private by default; triggers new releases for all supported versions. |\n| High | High-severity vulnerabilities that affect less common configurations or are less easily exploitable. Private by default; triggers new releases for all supported versions within a reasonable timeframe. |\n| Medium | Issues like crashes, local flaws, and protocol vulnerabilities in less commonly used scenarios. Private until next release; released with subsequent updates. |\n| Low | Non-cryptographic issues or deprecated cryptographic code. Fixed immediately in latest development versions; may be backported to older versions. 
|\n\n**April 16, 2024 Update**\nWe have included a severity matrix for web3-related bugs in the program page below.\n\n**April 10, 2024 Update**\nWe have added a new section below regarding all submissions for our L2 BASE network and related assets. This section outlines new in-scope items and areas of focus for our researchers.\n\n**August 28, 2023 Update**\nWe would like to clarify that our severity ratings and payouts at Coinbase do not rely on the CVSS (Common Vulnerability Scoring System) score, other companies' payouts, or even examples listed on our program page below. These items may be used as a guideline to approach a final decision. Instead, we utilize an internal scoring metric to assess and determine the severity of reported vulnerabilities and their respective payouts. The CVSS score serves as a guideline for researchers to submit their assessment of severity, based on their evaluation. However, it is important to note that Coinbase is not bound to pay out solely based on the CVSS metrics, any other reports referenced on the HackerOne platform, or any examples listed on our program page. All payouts are subject to the discretion of our Coinbase security team, who carefully evaluate the reported vulnerabilities and their potential impact.\n\n**August 22, 2023 Update**\n\nWe are changing our internal tracking process for bugs. After a bug is paid out, even after it is triaged, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated; it instead means the ticket has been addressed and the final decision regarding the bug has been made. If you have any questions about this, please reach out to us via HackerOne.\n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap of $1 Million has been implemented. 
Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase-owned hot/cold wallet assets, funds, and/or wallet private keys. | Up to $1,000,000 |\n\nSeveral internal metrics will be used to calculate the validity of an \"extreme tier\" bug. Careful time and consideration are put into these bug bounty awards. This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have added some new changes to the bug bounty program. We are including new categories that are eligible for bug bounty rewards in our program. We have also added specific examples of what severity ratings different bugs will constitute. The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse.\n* **Staking Loss** - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations.\n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities.\n* **Third Party integrations** - Issues that may impact our corporate environment or brand, or disrupt a critical service.\n\n# BASE Network (Updated April 10, 2024)\n\nWith the launch of our Layer 2 blockchain Base, we're intensifying our focus on securing transactions within the cryptocurrency ecosystem. As leaders in this space, we prioritize stringent security protocols to safeguard user assets. To this end, we're expanding our scope to address critical vulnerabilities, specifically targeting **memory pool information leaks**. These vulnerabilities pose a significant threat, potentially affording unauthorized access to pending transaction data, thereby exposing sensitive information to MEV searchers. By mitigating these risks, we aim to enhance the resilience of our platform against exploitation, ensuring the confidentiality and integrity of all transactions. 
\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism), so researchers should also refer to **Optimism's** bug bounty program, which can be found [here](https://immunefi.com/bounty/optimism/), for any findings that stem from the core framework or protocol.\nOptimism is a project dedicated to scaling Ethereum's technology and expanding its ability to coordinate people from across the world to build effective decentralized economies and governance systems.\n\n# Web3 Components Severity Matrix\n\nThe following severity matrix serves as a guideline for assessing potential payouts for bugs related to our Web3 components. Please note that while this chart provides a general framework, actual payouts may vary. Factors such as the extent of exposure and risk involved are also considered in our final payout decisions.\n\n## Severity Levels and Examples\n\n| Severity          | Examples                                                                 |\n|:-------------------|:--------------------------------------------------------------------------|\n| **Critical**      | Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem.  |\n| **High**          | Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. |\n| **Medium**        | Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users.              |\n| **Low**           | Minor monetary impacts to Coinbase.                                      |\n\n### Additional Information\n\n- **Risk Rating System**: We use an internal risk rating system that includes specific metrics related to monetary impact. 
These metrics are confidential and are applied internally to determine the final payout.\n- **PII Leaks**: Personally Identifiable Information (PII) leaks are evaluated through our internal scoring system, which categorizes the severity based on the specifics of the leaked information and the associated risk.\n\nThis matrix is part of our ongoing effort to ensure transparency and fairness in our bug bounty program while protecting the integrity of our systems and the privacy of our users.\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms, included herein. We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers.\n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process. https://www.hackerone.com/disclosure-guidelines\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase.\n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  
Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on the severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nA report must also follow all the rules of HackerOne's Code of Conduct found here: https://www.hackerone.com/policies/code-of-conduct along with all rules found on our Coinbase HackerOne page.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on the confidentiality, integrity, or availability of the underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  
For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low-sensitivity information impacting a subset of users, or slightly impact the accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including the level of access required, the availability of information critical for successful exploitation, and the likelihood of alignment of required factors outside the attacker's direct control, such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase-owned hot/cold wallet assets, funds, and/or wallet private keys. |\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large-scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase-owned system, Default security misconfiguration or best practices that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |
\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or the creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts.\n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, and therefore the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  
Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited.\n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase-provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service-impacting bugs will be accepted.\n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. 
\n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated open source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials (database dumps) by themselves that are found on the internet are out of scope. If you are able to leverage our current systems to receive sensitive user information, the report will be considered.\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  
Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-10T16:59:37.107Z"},{"id":3723945,"new_policy":"# IMPORTANT UPDATE:\n\n**April 16, 2024 Update**\nWe have included a severity matrix for web3-related bugs in the program page below.\n\n**April 10, 2024 Update**\nWe have added a new section below regarding all submissions for our L2 BASE network and related assets. This section outlines new in-scope items and areas of focus for our researchers.\n\n**August 28, 2023 Update**\nWe would like to clarify that our severity ratings and payouts at Coinbase do not rely on the CVSS (Common Vulnerability Scoring System) score, other companies' payouts, or even examples listed on our program page below. These items may be used as a guideline to approach a final decision. Instead, we utilize an internal scoring metric to assess and determine the severity of reported vulnerabilities and their respective payouts. The CVSS score serves as a guideline for researchers to submit their assessment of severity, based on their evaluation. However, it is important to note that Coinbase is not bound to pay out solely based on the CVSS metrics, any other reports referenced on the HackerOne platform, or any examples listed on our program page. 
All payouts are subject to the discretion of our Coinbase security team, who carefully evaluate the reported vulnerabilities and their potential impact.\n\n**August 22, 2023 Update**\n\nWe are changing our internal tracking process for bugs. After a bug is paid out, even after it is triaged, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated; it instead means the ticket has been addressed and the final decision regarding the bug has been made. If you have any questions about this, please reach out to us via HackerOne.\n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap of $1 Million has been implemented. Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase-owned hot/cold wallet assets, funds, and/or wallet private keys. | Up to $1,000,000 |\n\nSeveral internal metrics will be used to calculate the validity of an \"extreme tier\" bug. Careful time and consideration are put into these bug bounty awards. This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have added some new changes to the bug bounty program. We are including new categories that are eligible for bug bounty rewards in our program. We have also added specific examples of what severity ratings different bugs will constitute. The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.\n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard our two highest-priority assets (“Sensitive Data”):\n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass, or rate limit abuse.\n* **Staking Loss** - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations.\n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities.\n* **Third Party integrations** - Issues that may impact our corporate environment or brand, or disrupt a critical service.\n\n# BASE Network (Updated April 10, 2024)\n\nWith the launch of our Layer 2 blockchain Base, we're intensifying our focus on securing transactions within the cryptocurrency ecosystem. 
As leaders in this space, we prioritize stringent security protocols to safeguard user assets. To this end, we're expanding our scope to address critical vulnerabilities, specifically targeting **memory pool information leaks**. These vulnerabilities pose a significant threat, potentially affording unauthorized access to pending transaction data and thereby exposing sensitive information to MEV searchers. By mitigating these risks, we aim to enhance the resilience of our platform against exploitation, ensuring the confidentiality and integrity of all transactions.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism), so researchers should also refer to **Optimism's** bug bounty program, which can be found [here](https://immunefi.com/bounty/optimism/), for any findings that stem from the core framework or protocol.\nOptimism is a project dedicated to scaling Ethereum's technology and expanding its ability to coordinate people from across the world to build effective decentralized economies and governance systems.\n\n# Web3 Components Severity Matrix\n\nThe following severity matrix serves as a guideline for assessing potential payouts for bugs related to our Web3 components. Please note that while this chart provides a general framework, actual payouts may vary. Factors such as the extent of exposure and the risk involved are also considered in our final payout decisions.\n\n## Severity Levels and Examples\n\n| Severity | Examples |\n|:---|:---|\n| **Critical** | Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. 
|\n| **High** | Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. |\n| **Medium** | Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. |\n| **Low** | Minor monetary impacts to Coinbase. |\n\n### Additional Information\n\n- **Risk Rating System**: We use an internal risk rating system that includes specific metrics related to monetary impact. These metrics are confidential and are applied internally to determine the final payout.\n- **PII Leaks**: Personally Identifiable Information (PII) leaks are evaluated through our internal scoring system, which categorizes the severity based on the specifics of the leaked information and the associated risk.\n\nThis matrix is part of our ongoing effort to ensure transparency and fairness in our bug bounty program while protecting the integrity of our systems and the privacy of our users.\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms, included herein. We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities. As such, we embrace the standardization of policy language that provides legal protection to security researchers.\n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party, and requesting permission to publish pursuant to the HackerOne Disclosure Process: https://www.hackerone.com/disclosure-guidelines\n2. 
Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from, or allowing any other party to profit from, a vulnerability outside of Bug Bounty Program payouts from Coinbase.\n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies. Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers. Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty. Coinbase awards bounties based on the severity of the vulnerability. We determine severity based on two factors: Impact and Exploitability.\n\nA report must also follow all the rules of HackerOne's Code of Conduct, found here: https://www.hackerone.com/policies/code-of-conduct, along with all rules found on our Coinbase HackerOne page.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers. 
We make this assessment primarily by examining the effects of exploitation on the confidentiality, integrity, or availability of the underlying information. Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact. For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low-sensitivity information impacting a subset of users, or slightly impact the accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact the availability of funds or user data are unlikely to be accepted as valid reports.) Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a critical impact on the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform, and not a test account, can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take compensating controls into consideration when rating the criticality of a rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself. 
We make this assessment primarily based on the prerequisites for exploitation, including the level of access required, the availability of information critical for successful exploitation, and the likelihood that required factors outside the attacker's direct control align, such as social engineering or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets and could cause serious business disruption, such as unauthorized access to Coinbase-owned hot/cold wallet assets, funds, and/or wallet private keys. |\n| Critical | Vulnerabilities that could influence market swings via the Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large-scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures in a way that impacts the majority of Coinbase users, A flaw in the system that leads to a small-to-moderate (less than 15% of Coinbase users) number of sensitive customer PII records being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures in a way that impacts a small-to-moderate number of Coinbase users, A flaw in the system that leads to a small-to-moderate (less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase-owned system, Default security misconfigurations or best practices that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or 
parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.\n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier. Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or the creativity of the exploitation. Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports. The cap for bounty payouts is $1,000,000. Different metrics on severity and impact will be used internally to determine larger bug bounty payouts.\n\nPrevious bounty amounts are not considered precedent for future bounty amounts. Software is constantly changing, so the exact same vulnerability can have drastically different security impacts at different points in the development timeline.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds. If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval. A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program. 
Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter. After all information is aggregated, the report submission goes through an internal review and scoring process. After the internal review process is complete, any bugs that are not reproducible, invalid, or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence for all reports. Failure to provide a detailed report will result in delayed triage and/or ticket closure. Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited.\n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase-provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service-impacting bugs will be accepted.\n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. 
\n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n* Publicly available leaked credentials (database dumps) by themselves that are found on the internet are out of scope. If you are able to leverage our current systems to receive sensitive user information the report will be considered.\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  
Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-21T20:04:07.036Z"},{"id":3723592,"new_policy":"# IMPORTANT UPDATE\n\n**April 16, 2024 Update**\nWe have added a severity matrix for web3-related bugs to the program page below.\n\n**April 10, 2024 Update**\nWe have added a new section below regarding all submissions for our L2 BASE network and related assets. This section outlines new in-scope items and areas of focus for our researchers.\n\n**August 28, 2023 Update**\nWe would like to clarify that our severity ratings and payouts at Coinbase do not rely on the CVSS (Common Vulnerability Scoring System) score, other companies' payouts, or even the examples listed on our program page below. These items may be used as a guideline to approach a final decision. Instead, we utilize an internal scoring metric to assess and determine the severity of reported vulnerabilities and their respective payouts. The CVSS score serves as a guideline for researchers to submit their own assessment of severity. However, it is important to note that Coinbase is not bound to pay out solely based on the CVSS metrics, any other reports referenced on the HackerOne platform, or any examples listed on our program page. 
All payouts are subject to the discretion of our Coinbase security team, who carefully evaluate the reported vulnerabilities and their potential impact.\n\n**August 22, 2023 Update**\n\nWe are changing our internal tracking process for bugs. After a bug is paid out, even after it is triaged, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated; it means the ticket has been addressed and the final decision regarding the bug has been made. If you have any questions about this, please reach out to us via HackerOne.\n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and the criteria for earning higher bug bounty payouts. A new payout cap of $1 Million has been implemented. Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets and could cause serious business disruption, such as unauthorized access to Coinbase-owned hot/cold wallet assets, funds, and/or wallet private keys. | Up to $1,000,000 |\n\nSeveral internal metrics will be used to assess the validity of an \"extreme tier\" bug. Careful time and consideration are put into these bug bounty awards. This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have made some changes to the bug bounty program, including new categories that are eligible for bug bounty rewards. We have also added specific examples of the severity ratings that different bugs will receive. The updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.\n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard our two highest-priority assets (“Sensitive Data”):\n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass, or rate limit abuse.\n* **Staking Loss** - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations.\n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities.\n* **Third Party integrations** - Issues that may impact our corporate environment or brand, or disrupt a critical service.\n\n# BASE Network (Updated April 10, 2024)\n\nWith the launch of our Layer 2 blockchain Base, we're intensifying our focus on securing transactions within the cryptocurrency ecosystem. 
As leaders in this space, we prioritize stringent security protocols to safeguard user assets. To this end, we're expanding our scope to address critical vulnerabilities, specifically targeting **memory pool information leaks**. These vulnerabilities pose a significant threat, potentially affording unauthorized access to pending transaction data and thereby exposing sensitive information to MEV searchers. By mitigating these risks, we aim to enhance the resilience of our platform against exploitation, ensuring the confidentiality and integrity of all transactions.\n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism), so researchers should also refer to **Optimism's** bug bounty program, which can be found [here](https://immunefi.com/bounty/optimism/), for any findings that stem from the core framework or protocol.\nOptimism is a project dedicated to scaling Ethereum's technology and expanding its ability to coordinate people from across the world to build effective decentralized economies and governance systems.\n\n# Web3 Components Severity Matrix\n\nThe following severity matrix serves as a guideline for assessing potential payouts for bugs related to our Web3 components. Please note that while this chart provides a general framework, actual payouts may vary. Factors such as the extent of exposure and the risk involved are also considered in our final payout decisions.\n\n## Severity Levels and Examples\n\n| Severity | Examples |\n|:---|:---|\n| **Critical** | Exposures of Material Non-Public Information (MNPI), sustained business disruptions, significant monetary losses to Coinbase, or compromises affecting the broader Web3 ecosystem. 
|\n| **High** | Significant but not critical impacts, including considerable monetary losses or ecosystem compromises affecting a substantial user base. |\n| **Medium** | Moderate monetary impacts to Coinbase or compromises within the Web3 ecosystem involving a moderate number of users. |\n| **Low** | Minor monetary impacts to Coinbase. |\n\n### Additional Information\n\n- **Risk Rating System**: We use an internal risk rating system that includes specific metrics related to monetary impact. These metrics are confidential and are applied internally to determine the final payout.\n- **PII Leaks**: Personally Identifiable Information (PII) leaks are evaluated through our internal scoring system, which categorizes the severity based on the specifics of the leaked information and the associated risk.\n\nThis matrix is part of our ongoing effort to ensure transparency and fairness in our bug bounty program while protecting the integrity of our systems and the privacy of our users.\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms, included herein. We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities. As such, we embrace the standardization of policy language that provides legal protection to security researchers.\n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party, and requesting permission to publish pursuant to the HackerOne Disclosure Process: https://www.hackerone.com/disclosure-guidelines\n2. 
Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from, or allowing any other party to profit from, a vulnerability outside of Bug Bounty Program payouts from Coinbase.\n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies. Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers. Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty. Coinbase awards bounties based on the severity of the vulnerability. We determine severity based on two factors: Impact and Exploitability.\n\nA report must also follow all the rules of HackerOne's Code of Conduct, found here: https://www.hackerone.com/policies/code-of-conduct, along with all rules found on our Coinbase HackerOne page.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers. 
We make this assessment primarily by examining the effects of exploitation on the confidentiality, integrity, or availability of the underlying information. Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact. For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low-sensitivity information impacting a subset of users, or slightly impact the accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact the availability of funds or user data are unlikely to be accepted as valid reports.) Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a critical impact on the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform, and not a test account, can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take compensating controls into consideration when rating the criticality of a rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself. 
We make this assessment primarily based on the prerequisites for exploitation, including the level of access required, the availability of information critical for successful exploitation, and the likelihood that required factors outside the attacker's direct control align, such as social engineering or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets and could cause serious business disruption, such as unauthorized access to Coinbase-owned hot/cold wallet assets, funds, and/or wallet private keys. |\n| Critical | Vulnerabilities that could influence market swings via the Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large-scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures in a way that impacts the majority of Coinbase users, A flaw in the system that leads to a small-to-moderate (less than 15% of Coinbase users) number of sensitive customer PII records being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures in a way that impacts a small-to-moderate number of Coinbase users, A flaw in the system that leads to a small-to-moderate (less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase-owned system, Default security misconfigurations or best practices that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or 
parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme  | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, and therefore the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  
Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service-impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. 
\n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. 
Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-16T16:18:10.538Z"},{"id":3723320,"new_policy":"# IMPORTANT UPDATE:\n\n**April 10, 2024 Update**\nWe have added a new section below regarding all submissions for our L2 BASE network and related assets. This section outlines new items in scope, and areas of focus for our researchers.\n\n**August 28, 2023 Update**\nWe would like to clarify that our severity ratings and payouts at Coinbase do not rely on the CVSS (Common Vulnerability Scoring System) score, other companies' payouts, or even examples listed on our program page below. These items may be used as a guideline to approach a final decision. Instead, we utilize an internal scoring metric to assess and determine the severity of reported vulnerabilities and their respective payouts. The CVSS score serves as a guideline for researchers to submit their assessment of severity, based on their evaluation. However, it is important to note that Coinbase is not bound to pay out solely based on the CVSS metrics, any other reports referenced on the HackerOne platform, or any examples listed on our program page. All payouts are subject to the discretion of our Coinbase security team, who carefully evaluate the reported vulnerabilities and their potential impact.\n\n**August 22, 2023 Update**\n\nWe are changing our internal tracking process for bugs. After a bug is paid out, even after it is triaged, it will automatically be moved into a \"closed\" state on HackerOne. 
This does not necessarily mean the bug has been remediated, but instead means the ticket has been addressed and the final decision regarding the bug has been made. If you have any questions about this, please reach out to us via HackerOne.\n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap of $1 Million has been implemented. Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. | Up to $1,000,000 |\n\nSeveral internal metrics will be used to calculate the validity of an \"extreme tier\" bug. Careful time and consideration are put into these bug bounty awards. This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have added some new changes to the bug bounty program. We are including new categories that are eligible for bug bounty rewards in our program. We have also added specific examples of what severity ratings different bugs will constitute. The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. 
If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. \n* **Staking Loss** - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment, brand or disrupt a critical service.\n\n# BASE Network (Updated April 10, 2024)\n\nWith the launch of our Layer 2 blockchain Base, we're intensifying our focus on securing transactions within the cryptocurrency ecosystem. As leaders in this space, we prioritize stringent security protocols to safeguard user assets. To this end, we're expanding our scope to address critical vulnerabilities, specifically targeting **memory pool information leaks**. 
These vulnerabilities pose a significant threat, potentially affording unauthorized access to pending transaction data, thereby exposing sensitive information to MEV searchers. By mitigating these risks, we aim to enhance the resilience of our platform against exploitation, ensuring the confidentiality and integrity of all transactions. \n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism), so researchers should also refer to **Optimism's** bug bounty program, which can be found [here](https://immunefi.com/bounty/optimism/), for any findings that stem from the core framework or protocol.\nOptimism is a project dedicated to scaling Ethereum's technology and expanding its ability to coordinate people from across the world to build effective decentralized economies and governance systems.\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms, included herein. We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers.\n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process. https://www.hackerone.com/disclosure-guidelines\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. 
Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on the severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nA report must also follow all the rules of HackerOne's Code of Conduct found here: https://www.hackerone.com/policies/code-of-conduct along with all rules found on our Coinbase HackerOne page.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  
For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as valid reports in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. |\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfiguration or best practices, that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or 
parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme  | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, and therefore the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  
Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service-impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. 
\n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. 
Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-11T17:33:55.639Z"},{"id":3723306,"new_policy":"# IMPORTANT UPDATE:\n\n**April 10, 2024 Update**\nWe have added a new section below regarding all submissions for our L2 BASE network and related assets. This section outlines new items in scope, and areas of focus for our researchers.\n\n**August 28, 2023 Update**\nWe would like to clarify that our severity ratings and payouts at Coinbase do not rely on the CVSS (Common Vulnerability Scoring System) score, other companies' payouts, or even examples listed on our program page below. These items may be used as a guideline to approach a final decision. Instead, we utilize an internal scoring metric to assess and determine the severity of reported vulnerabilities and their respective payouts. The CVSS score serves as a guideline for researchers to submit their assessment of severity, based on their evaluation. However, it is important to note that Coinbase is not bound to pay out solely based on the CVSS metrics, any other reports referenced on the HackerOne platform, or any examples listed on our program page. All payouts are subject to the discretion of our Coinbase security team, who carefully evaluate the reported vulnerabilities and their potential impact.\n\n**August 22, 2023 Update**\n\nWe are changing our internal tracking process for bugs. After a bug is paid out, even after it is triaged, it will automatically be moved into a \"closed\" state on HackerOne. 
This does not necessarily mean the bug has been remediated, but instead means the ticket has been addressed and the final decision regarding the bug has been made. If you have any questions about this, please reach out to us via HackerOne.\n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap of $1 Million has been implemented. Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. | Up to $1,000,000 |\n\nSeveral internal metrics will be used to calculate the validity of an \"extreme tier\" bug. Careful time and consideration are put into these bug bounty awards. This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have added some new changes to the bug bounty program. We are including new categories that are eligible for bug bounty rewards in our program. We have also added specific examples of what severity ratings different bugs will constitute. The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. 
If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. \n* **Staking Loss** - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment, brand or disrupt a critical service.\n\n# BASE Network (Updated April 10, 2024)\n\nWith the launch of our Layer 2 blockchain Base, we're intensifying our focus on securing transactions within the cryptocurrency ecosystem. As leaders in this space, we prioritize stringent security protocols to safeguard user assets. To this end, we're expanding our scope to address critical vulnerabilities, specifically targeting **memory pool information leaks**. 
These vulnerabilities pose a significant threat, potentially affording unauthorized access to pending transaction data, thereby exposing sensitive information to MEV searchers. By mitigating these risks, we aim to enhance the resilience of our platform against exploitation, ensuring the confidentiality and integrity of all transactions. \n\nBase is built on the [OP Stack framework](https://github.com/ethereum-optimism/optimism), so researchers should also refer to **Optimism's** bug bounty program, which can be found [here](https://immunefi.com/bounty/optimism/), for any findings that stem from the core framework or protocol.\nOptimism is a project dedicated to scaling Ethereum's technology and expanding its ability to coordinate people from across the world to build effective decentralized economies and governance systems.\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms, included herein. We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers.\n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process. https://www.hackerone.com/disclosure-guidelines\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. 
Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on the severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nA report must also follow all the rules of HackerOne's Code of Conduct found here: https://www.hackerone.com/policies/code-of-conduct along with all rules found on our Coinbase HackerOne page.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  
For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low-sensitivity information impacting a subset of users, or slightly impact the accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform, and not a test account, can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including the level of access required, the availability of information critical for successful exploitation, and the likelihood that factors outside the attacker's direct control, such as social engineering or timing requirements, align.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. |\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading crypto currency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfiguration or best practices that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or the creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, and therefore the exact same vulnerability can have a drastically different security impact at different points in the development timeline.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  
Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid, or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service-impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. 
\n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. 
Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-11T16:18:54.228Z"},{"id":3723249,"new_policy":"# IMPORTANT UPDATE:\n\n**April 10, 2024 Update**\nWe have added a new section below regarding all submissions for our L2 BASE network and related assets. This section outlines new items in scope and areas of focus for our researchers.\n\n**August 28, 2023 Update**\nWe would like to clarify that our severity ratings and payouts at Coinbase do not rely on the CVSS (Common Vulnerability Scoring System) score, other companies' payouts, or even examples listed on our program page below. These items may be used as a guideline to approach a final decision. Instead, we utilize an internal scoring metric to assess and determine the severity of reported vulnerabilities and their respective payouts. The CVSS score serves as a guideline for researchers to submit their assessment of severity, based on their evaluation. However, it is important to note that Coinbase is not bound to pay out solely based on the CVSS metrics, any other reports referenced on the HackerOne platform, or any examples listed on our program page. All payouts are subject to the discretion of our Coinbase security team, who carefully evaluate the reported vulnerabilities and their potential impact.\n\n**August 22, 2023 Update**\n\nWe are changing our internal tracking process for bugs. After a bug is paid out, even after it is triaged, it will automatically be moved into a \"closed\" state on HackerOne. 
This does not necessarily mean the bug has been remediated; instead, it means the ticket has been addressed and the final decision regarding the bug has been made. If you have any questions about this, please reach out to us via HackerOne.\n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap of $1 Million has been implemented. Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. | Up to $1,000,000 |\n\nSeveral internal metrics will be used to calculate the validity of an \"extreme tier\" bug. Careful time and consideration is put into these bug bounty awards. This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have added some new changes to the bug bounty program. We are including new categories that are eligible for bug bounty rewards in our program. We have also added specific examples of what severity ratings different bugs will constitute. The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. 
If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard two highest-priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. \n* **Staking Loss** - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment, brand or disrupt a critical service.\n\n# BASE Network (Updated April 10, 2024)\n\nWith the introduction of our latest asset, BASE, we're intensifying our focus on securing transactions within the cryptocurrency ecosystem. As leaders in this space, we prioritize stringent security protocols to safeguard user assets. To this end, we're expanding our scope to address critical vulnerabilities, specifically targeting **memory pool information leaks**. 
These vulnerabilities pose a significant threat, potentially affording unauthorized access to pending transaction data, thereby exposing sensitive information to MEV searchers. By mitigating these risks, we aim to enhance the resilience of our platform against exploitation, ensuring the confidentiality and integrity of all transactions. \n\nWe would also like to point our researchers to **Optimism's** bug bounty program, which can be found [here](https://immunefi.com/bounty/optimism/).\nOptimism is a project dedicated to scaling Ethereum's technology and expanding its ability to coordinate people from across the world to build effective decentralized economies and governance systems.\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms, included herein. We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers.\n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process. https://www.hackerone.com/disclosure-guidelines\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. 
Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on the severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nA report must also follow all the rules of HackerOne's Code of Conduct found here: https://www.hackerone.com/policies/code-of-conduct along with all rules found on our Coinbase HackerOne page.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on the confidentiality, integrity, or availability of the underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  
For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low-sensitivity information impacting a subset of users, or slightly impact the accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform, and not a test account, can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including the level of access required, the availability of information critical for successful exploitation, and the likelihood that factors outside the attacker's direct control, such as social engineering or timing requirements, align.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. |\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading crypto currency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfiguration or best practices that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or the creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, and therefore the exact same vulnerability can have a drastically different security impact at different points in the development timeline.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  
Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid, or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service-impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. 
\n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. 
Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-10T19:03:42.905Z"},{"id":3706333,"new_policy":"# IMPORTANT UPDATE:\n\n**August 28, 2023 Update**\nWe would like to clarify that our severity ratings and payouts at Coinbase do not rely on the CVSS (Common Vulnerability Scoring System) score, other companies' payouts, or even examples listed on our program page below. These items may be used as a guideline to approach a final decision. Instead, we utilize an internal scoring metric to assess and determine the severity of reported vulnerabilities and their respective payouts. The CVSS score serves as a guideline for researchers to submit their assessment of severity, based on their evaluation. However, it is important to note that Coinbase is not bound to pay out solely based on the CVSS metrics, any other reports referenced on the HackerOne platform, or any examples listed on our program page. All payouts are subject to the discretion of our Coinbase security team, who carefully evaluate the reported vulnerabilities and their potential impact.\n\n**August 22, 2023 Update**\n\nWe are changing our internal tracking process for bugs. After a bug is paid out, even after it is triaged, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated; instead, it means the ticket has been addressed and the final decision regarding the bug has been made. If you have any questions about this, please reach out to us via HackerOne.\n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. 
A new payout cap of $1 Million has been implemented. Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. | Up to $1,000,000 |\n\nSeveral internal metrics will be used to calculate the validity of an \"extreme tier\" bug. Careful time and consideration is put into these bug bounty awards. This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have added some new changes to the bug bounty program. We are including new categories that are eligible for bug bounty rewards in our program. We have also added specific examples of what severity ratings different bugs will constitute. The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest-priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. \n* **Staking Loss** - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment, brand or disrupt a critical service.\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms, included herein. We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers.\n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party and requesting permission to publish pursuant to the HackerOne Disclosure Process. 
https://www.hackerone.com/disclosure-guidelines\n2. Making a good-faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on the severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nA report must also follow all the rules of HackerOne's Code of Conduct (https://www.hackerone.com/policies/code-of-conduct) along with all rules found on our Coinbase HackerOne page.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  
We make this assessment primarily by examining the effects of exploitation on the confidentiality, integrity, or availability of the underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low-sensitivity information impacting a subset of users, or slightly impact the accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact the availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will no longer be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless it reaches an actual user of the Coinbase platform, not a test account.\n2. A researcher should be aware that rate limiting exists and has been evaluated by the security team internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take compensating controls into consideration when rating the criticality of a rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including the level of access required, the availability of information critical for successful exploitation, and the likelihood of alignment of required factors outside the attacker's direct control, such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Examples |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase-owned hot/cold wallet assets, funds, and/or wallet private keys. |\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large-scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small to moderate number (less than 15% of Coinbase users) of customers' sensitive PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small to moderate number (less than 15% of Coinbase users) of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase-owned system, Default security misconfigurations or best practices that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or 
parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or the creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, so the exact same vulnerability can have a drastically different security impact at different points in the development timeline.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\n\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  
Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid, or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for a bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase-provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services). Only Critical or service-impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. 
\n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. 
Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-01T18:24:50.304Z"},{"id":3700550,"new_policy":"# IMPORTANT UPDATE:\n\n**August 28, 2023 Update**\n\nWe would like to clarify that our severity ratings and payouts at Coinbase do not rely on the CVSS (Common Vulnerability Scoring System) score, other companies' payouts, or even the examples listed on our program page below. These items may be used as a guideline to approach a final decision. Instead, we utilize an internal scoring metric to assess and determine the severity of reported vulnerabilities and their respective payouts. The CVSS score serves as a guideline for researchers to submit their assessment of severity, based on their evaluation. However, it is important to note that Coinbase is not bound to pay out solely based on the CVSS metrics, any other reports referenced on the HackerOne platform, or any examples listed on our program page. All payouts are subject to the discretion of our Coinbase security team, who carefully evaluate the reported vulnerabilities and their potential impact.\n\n**August 22, 2023 Update**\n\nWe are changing our internal tracking process for bugs. After a bug is paid out, even after it is triaged, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated; it means the ticket has been addressed and a final decision regarding the bug has been made. If you have any questions about this, please reach out to us via HackerOne.\n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. 
A new payout cap of $1 Million has been implemented. Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase-owned hot/cold wallet assets, funds, and/or wallet private keys. | Up to $1,000,000 |\n\nSeveral internal metrics will be used to calculate the validity of an \"extreme tier\" bug. Careful time and consideration are put into these bug bounty awards. This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have made some new changes to the bug bounty program. We are adding new categories that are eligible for bug bounty rewards. We have also added specific examples of what severity ratings different bugs will constitute. The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard our two highest-priority assets (“Sensitive Data”):\n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. \n* **Staking Loss** - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI Exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third-Party Integrations** - Issues that may impact our corporate environment or brand, or disrupt a critical service.\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms, included herein. We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers.\n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party, and requesting permission to publish pursuant to the HackerOne Disclosure Process: 
https://www.hackerone.com/disclosure-guidelines\n2. Making a good-faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on the severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on the confidentiality, integrity, or availability of the underlying information.  
Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low-sensitivity information impacting a subset of users, or slightly impact the accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact the availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will no longer be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless it reaches an actual user of the Coinbase platform, not a test account.\n2. A researcher should be aware that rate limiting exists and has been evaluated by the security team internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take compensating controls into consideration when rating the criticality of a rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including the level of access required, the availability of information critical for successful exploitation, and the likelihood of alignment of required factors outside the attacker's direct control, such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Examples |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase-owned hot/cold wallet assets, funds, and/or wallet private keys. |\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large-scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small to moderate number (less than 15% of Coinbase users) of customers' sensitive PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small to moderate number (less than 15% of Coinbase users) of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase-owned system, Default security misconfigurations or best practices that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or 
parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or the creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, so the exact same vulnerability can have a drastically different security impact at different points in the development timeline.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\n\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  
Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid, or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for a bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase-provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services). Only Critical or service-impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. 
\n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Username enumeration\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. 
Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-28T20:07:09.477Z"},{"id":3700228,"new_policy":"# IMPORTANT UPDATE:\n\n**August 22, 2023 Update**\n\nWe are changing our internal tracking process for bugs. After a bug is paid out, even after it is triaged, it will automatically be moved into a \"closed\" state on HackerOne. This does not necessarily mean the bug has been remediated; it means the ticket has been addressed and a final decision regarding the bug has been made. If you have any questions about this, please reach out to us via HackerOne.\n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap of $1 Million has been implemented. Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase-owned hot/cold wallet assets, funds, and/or wallet private keys. | Up to $1,000,000 |\n\nSeveral internal metrics will be used to calculate the validity of an \"extreme tier\" bug. Careful time and consideration are put into these bug bounty awards. This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have made some new changes to the bug bounty program. We are adding new categories that are eligible for bug bounty rewards. We have also added specific examples of what severity ratings different bugs will constitute. 
The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard our two highest-priority assets (“Sensitive Data”):\n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. \n* **Staking Loss** - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI Exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. 
\n* **Third-Party Integrations** - Issues that may impact our corporate environment or brand, or disrupt a critical service.\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms, included herein. We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers.\n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party, and requesting permission to publish pursuant to the HackerOne Disclosure Process: https://www.hackerone.com/disclosure-guidelines\n2. Making a good-faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  
We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty Program and reported to law enforcement.\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers. Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty. Coinbase awards bounties based on the severity of the vulnerability. We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers. We make this assessment primarily by examining the effects of exploitation on the confidentiality, integrity, or availability of the underlying information. Vulnerabilities that require considerable response and remediation effort or could result in reputational damage are also considered to have greater impact. For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low-sensitivity information impacting a subset of users, or slightly impact the accuracy or performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact the availability of funds or user data are unlikely to be accepted as a valid report.) 
Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will no longer be considered valid unless a critical impact on the environment is demonstrated.\n\nPlease see the following guidance on rate-limiting submissions:\n1. A rate-limit bypass will only be considered if it demonstrates access to the data or funds of an actual user of the Coinbase platform, not merely a test account.\n2. Researchers should be aware that rate limiting exists and has already been evaluated both internally by Coinbase Security and by other researchers via the HackerOne platform.\n3. Researchers should take compensating controls into consideration when rating the criticality of a rate-limiting submission. Note: do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself. We make this assessment primarily based on the prerequisites for exploitation, including the level of access required, the availability of information critical for successful exploitation, and the likelihood that required factors outside the attacker's direct control (such as social engineering or timing requirements) align.\n\nThis table was last updated **Oct 25, 2022**.\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets and could cause serious business disruption, such as: unauthorized access to Coinbase-owned hot/cold wallet assets, funds, and/or wallet private keys. |\n| Critical | Vulnerabilities that could influence market swings via the Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, abuse of staking rewards over 10M, proof of insider trading, large-scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (less than 15% of Coinbase users) 
number of customers’ sensitive PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1,000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase-owned system, Default security misconfigurations or missing best practices that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure limited to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.\n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier. Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or the creativity of the exploitation. Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports. The cap for bounty payouts is $1,000,000. Different metrics on severity and impact will be used internally to determine larger bug bounty payouts.\n\nPrevious bounty amounts are not considered precedent for future bounty amounts. 
Software is constantly changing, and therefore the exact same vulnerability can have drastically different security impacts at different points in the development timeline.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds. If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval. A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\n\nCoinbase reviews all findings that are reported via our Bug Bounty Program. Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter. After all information is aggregated, the report submission goes through an internal review and scoring process. After the internal review process is complete, any bugs that are not reproducible, invalid, or informative-only will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence for all reports. Failure to provide a detailed report will result in delayed triage and/or ticket closure. Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for a bounty and are strictly prohibited.\n\n# Scope\n\nThe Coinbase Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase. 
\n\nSpecific domains and assets hosting Coinbase services are provided below:\n* *.coinbase.com (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase-provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services). ONLY Critical or service-impacting bugs will be accepted.\n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the Bug Bounty Program unless they are specifically added to the scope section and declared in scope.\n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Username enumeration\n* Rate limiting (non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated open-source libraries. If you would like to report a vulnerability in one of these libraries, please submit it on GitHub via an issue or PR. Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open-source libraries.\n* Vulnerabilities or weaknesses in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\n\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. 
sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have the legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not have been, within the previous 12 months, a Coinbase employee, an immediate family member of a Coinbase employee, a Coinbase contractor, or a Coinbase service provider\n\nAll submissions for bounties to Coinbase must be made through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-22T12:59:35.157Z"},{"id":3688485,"new_policy":"# IMPORTANT UPDATE\n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and the criteria for earning higher bug bounty payouts. A new payout cap of $1 million has been implemented. Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets and could cause serious business disruption, such as: unauthorized access to Coinbase-owned hot/cold wallet assets, funds, and/or wallet private keys. | Up to $1,000,000 |\n\nSeveral internal metrics will be used to determine the validity of an \"extreme tier\" bug. Careful time and consideration are put into these bug bounty awards. 
This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have made several changes to the Bug Bounty Program: new categories are now eligible for bug bounty rewards, and the severity table now includes specific examples of the rating different bugs will receive. The updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.\n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard the two highest-priority assets (“Sensitive Data”):\n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass, or rate-limit abuse. 
\n* **Staking Loss** - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations.\n* **MNPI exposure** - Issues involving Material Non-Public Information (MNPI) that provide unfair market advantages to stakeholders trading or holding securities.\n* **Third-party integrations** - Issues that may impact our corporate environment or brand, or disrupt a critical service.\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms, included herein. We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities. As such, we embrace the standardization of policy language that provides legal protection to security researchers.\n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party, and requesting permission to publish pursuant to the [HackerOne Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n2. Making a good-faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from, or allowing any other party to profit from, a vulnerability outside of Bug Bounty Program payouts from Coinbase.\n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies. Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty Program. 
We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty Program and reported to law enforcement.\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers. Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty. Coinbase awards bounties based on the severity of the vulnerability. We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers. We make this assessment primarily by examining the effects of exploitation on the confidentiality, integrity, or availability of the underlying information. Vulnerabilities that require considerable response and remediation effort or could result in reputational damage are also considered to have greater impact. For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low-sensitivity information impacting a subset of users, or slightly impact the accuracy or performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact the availability of funds or user data are unlikely to be accepted as a valid report.) 
Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will no longer be considered valid unless a critical impact on the environment is demonstrated.\n\nPlease see the following guidance on rate-limiting submissions:\n1. A rate-limit bypass will only be considered if it demonstrates access to the data or funds of an actual user of the Coinbase platform, not merely a test account.\n2. Researchers should be aware that rate limiting exists and has already been evaluated both internally by Coinbase Security and by other researchers via the HackerOne platform.\n3. Researchers should take compensating controls into consideration when rating the criticality of a rate-limiting submission. Note: do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself. We make this assessment primarily based on the prerequisites for exploitation, including the level of access required, the availability of information critical for successful exploitation, and the likelihood that required factors outside the attacker's direct control (such as social engineering or timing requirements) align.\n\nThis table was last updated **Oct 25, 2022**.\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets and could cause serious business disruption, such as: unauthorized access to Coinbase-owned hot/cold wallet assets, funds, and/or wallet private keys. |\n| Critical | Vulnerabilities that could influence market swings via the Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, abuse of staking rewards over 10M, proof of insider trading, large-scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (less than 15% of Coinbase users) 
number of customers’ sensitive PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1,000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase-owned system, Default security misconfigurations or missing best practices that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure limited to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.\n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier. Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or the creativity of the exploitation. Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports. The cap for bounty payouts is $1,000,000. Different metrics on severity and impact will be used internally to determine larger bug bounty payouts.\n\nPrevious bounty amounts are not considered precedent for future bounty amounts. 
Software is constantly changing, and therefore the exact same vulnerability can have drastically different security impacts at different points in the development timeline.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds. If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval. A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\n\nCoinbase reviews all findings that are reported via our Bug Bounty Program. Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter. After all information is aggregated, the report submission goes through an internal review and scoring process. After the internal review process is complete, any bugs that are not reproducible, invalid, or informative-only will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence for all reports. Failure to provide a detailed report will result in delayed triage and/or ticket closure. Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for a bounty and are strictly prohibited.\n\n# Scope\n\nThe Coinbase Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase. 
\n\nSpecific domains and assets hosting Coinbase services are provided below:\n* *.coinbase.com (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase-provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services). ONLY Critical or service-impacting bugs will be accepted.\n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the Bug Bounty Program unless they are specifically added to the scope section and declared in scope.\n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Username enumeration\n* Rate limiting (non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated open-source libraries. If you would like to report a vulnerability in one of these libraries, please submit it on GitHub via an issue or PR. Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open-source libraries.\n* Vulnerabilities or weaknesses in third-party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\n\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. 
sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have the legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not have been, within the previous 12 months, a Coinbase employee, an immediate family member of a Coinbase employee, a Coinbase contractor, or a Coinbase service provider\n\nAll submissions for bounties to Coinbase must be made through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify or cancel the Bug Bounty Program at any time. Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-01T20:27:57.048Z"},{"id":3686259,"new_policy":"# IMPORTANT UPDATE\n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and the criteria for earning higher bug bounty payouts. A new payout cap of $1 million has been implemented. Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets and could cause serious business disruption, such as: unauthorized access to Coinbase-owned hot/cold wallet assets, funds, and/or wallet private keys. | Up to $1,000,000 |\n\nSeveral internal metrics will be used to determine the validity of an \"extreme tier\" bug. Careful time and consideration are put into these bug bounty awards. 
This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have made several changes to the Bug Bounty Program: new categories are now eligible for bug bounty rewards, and the severity table now includes specific examples of the rating different bugs will receive. The updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.\n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency. In that spirit, the scope and philosophy of the program aim to safeguard the two highest-priority assets (“Sensitive Data”):\n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.\n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers. A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass, or rate-limit abuse. 
\n* **Staking Loss** - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations.\n* **MNPI exposure** - Issues involving Material Non-Public Information (MNPI) that provide unfair market advantages to stakeholders trading or holding securities.\n* **Third-party integrations** - Issues that may impact our corporate environment or brand, or disrupt a critical service.\n\n# Program Policies\n\nCoinbase adheres to and supports the HackerOne Gold Standard Safe Harbor terms, included herein. We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities. As such, we embrace the standardization of policy language that provides legal protection to security researchers.\n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party, and requesting permission to publish pursuant to the [HackerOne Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n2. Making a good-faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from, or allowing any other party to profit from, a vulnerability outside of Bug Bounty Program payouts from Coinbase.\n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies. Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty Program. 
We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty Program and reported to law enforcement.\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers. Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty. Coinbase awards bounties based on the severity of the vulnerability. We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers. We make this assessment primarily by examining the effects of exploitation on the confidentiality, integrity, or availability of the underlying information. Vulnerabilities that require considerable response and remediation effort or could result in reputational damage are also considered to have greater impact. For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low-sensitivity information impacting a subset of users, or slightly impact the accuracy or performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact the availability of funds or user data are unlikely to be accepted as a valid report.) 
Lack of rate limiting in Coinbase products has been accepted as valid reports in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. |\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) 
number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfiguration or best practices, that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  
Software is constantly changing, and therefore the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. 
sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-04-17T22:34:36.422Z"},{"id":3684535,"new_policy":"# IMPORTANT UPDATE:\n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap of $1 Million has been implemented. Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. | Up to $1,000,000 |\n\nSeveral internal metrics will be used to calculate the validity of an \"extreme tier\" bug. Careful time and consideration is put into these bug bounty awards. 
This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have added some new changes to the bug bounty program. We are including new categories that are eligible for bug bounty rewards to our program. We have also added specific examples of what severity ratings different bugs will constitute. The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. 
\n* **Staking Loss** -  Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment, brand or disrupt a critical service.\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  
As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as valid reports in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. 
A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. |\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in 
the system that prevents over 1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfiguration or best practices, that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, and therefore the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. 
sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-10T04:21:30.762Z"},{"id":3683929,"new_policy":"# IMPORTANT UPDATE:\n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap of $1 Million has been implemented. Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. | Up to $1,000,000 |\n\nSeveral internal metrics will be used to calculate the validity of an \"extreme tier\" bug. Careful time and consideration is put into these bug bounty awards. 
This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have added some new changes to the bug bounty program. We are including new categories that are eligible for bug bounty rewards to our program. We have also added specific examples of what severity ratings different bugs will constitute. The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. 
\n* **Staking Loss** -  Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment, brand or disrupt a critical service.\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  
As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as valid reports in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. 
A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as: Unauthorized access to Coinbase owned hot/cold wallet assets, funds, and/or wallet private keys. |\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium |  Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in 
the system that prevents over 1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfigurations or best practices that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme  | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium |  $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, so the exact same vulnerability can have drastically different security impacts at different points in the development timeline.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid, or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service-impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. 
sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-21T22:05:16.745Z"},{"id":3683921,"new_policy":"# IMPORTANT UPDATE: \n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap of $1 Million has been implemented. Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as access to certain Coinbase assets/funds, and private keys relating to cold/hot wallets owned by Coinbase | Up to $1,000,000 |\n\nSeveral internal metrics will be used to calculate the validity of an \"extreme tier\" bug. Careful time and consideration are put into these bug bounty awards. 
This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have made some changes to the bug bounty program. We are adding new categories that are eligible for bug bounty rewards to our program. We have also added specific examples of what severity ratings different bugs will receive. The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. 
\n* **Staking Loss** -  Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment, brand or disrupt a critical service.\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  
As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on the severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. 
A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as access to certain Coinbase assets/funds, and private keys relating to cold/hot wallets owned by Coinbase |\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium |  Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A 
flaw in the system that prevents over 1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfigurations or best practices that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme  | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium |  $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, so the exact same vulnerability can have drastically different security impacts at different points in the development timeline.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid, or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service-impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. 
sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-21T21:32:48.444Z"},{"id":3683920,"new_policy":"# IMPORTANT UPDATE: \n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap of $1 Million has been implemented. Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as access to certain Coinbase assets/funds, and private keys relating to cold/hot wallets owned by Coinbase | Up to $1,000,000 |\n\nSeveral internal metrics will be used to calculate the validity of an \"extreme tier\" bug. Careful time and consideration are put into these bug bounty awards. 
This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have made some changes to the bug bounty program. We are adding new categories that are eligible for bug bounty rewards to our program. We have also added specific examples of what severity ratings different bugs will receive. The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. 
\n* **Staking Loss** -  Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment, brand or disrupt a critical service.\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  
As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on the severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. 
A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including the level of access required, the availability of information critical for successful exploitation, and the likelihood of alignment of required factors outside the attacker's direct control, such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as access to certain Coinbase owned assets/funds, and private keys |\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium |  Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 
1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfigurations or unimplemented best practices that do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme  | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium |  $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or the creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, and therefore the exact same vulnerability can have drastically different security impacts at different points in the development timeline.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher who attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any reports that are not reproducible, invalid, or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for a bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service-impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries.  If you would like to report a vulnerability in one of these libraries, please submit it on GitHub via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. 
sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-21T21:32:08.322Z"},{"id":3683212,"new_policy":"# IMPORTANT UPDATE: \n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap of $1 Million has been implemented. Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as access to certain Coinbase assets/funds, and private keys owned by Coinbase | Up to $1,000,000 |\n\nSeveral internal metrics will be used to calculate the validity of an \"extreme tier\" bug. Careful time and consideration are put into these bug bounty awards. 
This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have made some changes to the bug bounty program. We are including new categories that are eligible for bug bounty rewards, and we have added specific examples of the severity ratings different bugs will receive. The updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. 
\n* **Staking Loss** -  Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment, brand or disrupt a critical service.\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  
As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers who engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on the severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on the confidentiality, integrity, or availability of the underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low-sensitivity information impacting a subset of users, or slightly impact the accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as a valid finding in the past, but will not be considered valid unless a critical impact on the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform, and not a test account, can be accessed.\n2. 
A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including the level of access required, the availability of information critical for successful exploitation, and the likelihood of alignment of required factors outside the attacker's direct control, such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as access to certain Coinbase owned assets/funds, and private keys |\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium |  Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 
1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfigurations or unimplemented best practices that do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme  | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium |  $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or the creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, and therefore the exact same vulnerability can have drastically different security impacts at different points in the development timeline.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher who attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any reports that are not reproducible, invalid, or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for a bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service-impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries.  If you would like to report a vulnerability in one of these libraries, please submit it on GitHub via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. 
sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. Please also refer to [HackerOne’s Finder Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-09T00:48:06.038Z"},{"id":3683211,"new_policy":"# IMPORTANT UPDATE: \n\n**February 8, 2023 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap of $1 Million has been implemented. Details of these updates can be found below:\n\n| New Vulnerability Tier(s) | Description | Reward |\n|:------------- | :-----| :-------|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as access to Coinbase assets/funds, and private keys owned by Coinbase | Up to $1,000,000 |\n\nSeveral internal metrics will be used to calculate the validity of an \"extreme tier\" bug. Careful time and consideration are put into these bug bounty awards. 
This table entry has been added below in the main program policy.\n\n**Updated on October 25, 2022**\n\nWe have made some changes to the bug bounty program. We are including new categories that are eligible for bug bounty rewards, and we have added specific examples of the severity ratings different bugs will receive. The updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new).**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. 
\n* **Staking Loss** -  Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment, brand or disrupt a critical service.\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  
As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers who engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on the severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on the confidentiality, integrity, or availability of the underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low-sensitivity information impacting a subset of users, or slightly impact the accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as a valid finding in the past, but will not be considered valid unless a critical impact on the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform, and not a test account, can be accessed.\n2. 
A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Extreme | Vulnerabilities that affect critical assets that could cause serious business disruption such as access to assets/funds, and private keys owned by Coinbase |\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium |  Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 
users from purchasing/trading crypto currency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfiguration or best practices, that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Extreme  | $1,000,000 |\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium |  $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service-impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. 
sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. Please also refer to [HackerOne’s Finder Terms and Conditions.](https://www.hackerone.com/terms/finder)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-08T20:26:16.626Z"},{"id":3681477,"new_policy":"#IMPORTANT UPDATE: \n\n**December 21, 2022 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap has been implemented. Details of these updates can be found below.\n\n**Updated on October 25, 2022**\n\nWe have added some new changes to the bug bounty program. We are including new categories that are eligible for bug bounty rewards to our program. We have also added specific examples of what severity ratings different bugs will constitute. The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”)  described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. \n* **Staking Loss** -  Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment, brand or disrupt a critical service.\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  
We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. 
Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  
Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as valid reports in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium |  Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading crypto currency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfiguration or best practices, that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, 
Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium |  $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  
After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service-impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. 
Please also refer to [HackerOne’s Finder Terms and Conditions.](https://www.hackerone.com/terms/finder)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-21T19:54:52.527Z"},{"id":3681476,"new_policy":"#IMPORTANT UPDATE: \n\n**December 21, 2022 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap has been implemented. Details of these updates can be found below.\n\n**Updated on October 25, 2022**\n\nWe have added some new changes to the bug bounty program. We are including new categories that are eligible for bug bounty rewards to our program. We have also added specific examples of what severity ratings different bugs will constitute. The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”)  described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. \n* **Staking Loss** -  Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment, brand or disrupt a critical service.\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  
Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  
Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. 
Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as valid reports in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfiguration or best practices, that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, 
Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, and therefore the exact same vulnerability can have drastically different security impacts at different times in the development timeline.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  
After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. 
Please also refer to HackerOne’s Finder [Terms and Conditions](https://www.hackerone.com/terms/finder).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-21T19:54:20.643Z"},{"id":3681475,"new_policy":"# IMPORTANT UPDATE:\n\n**December 21, 2022 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. A new payout cap has been implemented. Details of these updates can be found below.\n\n**Updated on October 25, 2022**\n\nWe have added some new changes to the bug bounty program. We are including new categories that are eligible for bug bounty rewards to our program. We have also added specific examples of what severity ratings different bugs will constitute. The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):\n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. \n* **Staking Loss** - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment, brand or disrupt a critical service.\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  
Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  
Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\nResearchers that engage in extortion attempts will be banned from the Coinbase Bug Bounty program and reported to law enforcement.\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. 
Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform, and not a test account, can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfiguration or best practices, that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, 
Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, and therefore the exact same vulnerability can have drastically different security impacts at different times in the development timeline.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  
After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. Please also refer to HackerOne’s Finder Terms and Conditions.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-21T19:51:37.895Z"},{"id":3681473,"new_policy":"# IMPORTANT UPDATE:\n\n**December 21, 2022 Update**\n\nWe have updated our payout structure and criteria for earning higher bug bounty payouts. 
A new payout cap has been implemented. Details of these updates can be found below.\n\n**Updated on October 25, 2022**\n\nWe have added some new changes to the bug bounty program. We are including new categories that are eligible for bug bounty rewards to our program. We have also added specific examples of what severity ratings different bugs will constitute. The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):\n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. 
\n* **Staking Loss** -  Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. \n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment, brand or disrupt a critical service.\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  
As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  
We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform, and not a test account, can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfiguration or best practices, that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, 
Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\n**Updated Dec 21, 2022**\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  The cap for bounty payouts is $1,000,000.  Different metrics on severity and impact will be used internally to determine larger bug bounty payouts. \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\nResearchers should not attempt to transfer any funds.  If a proof of concept requires such an attempt, the researcher must first contact Coinbase and seek approval.  A researcher that attempts to transfer funds not owned by the researcher without prior approval is ineligible for bounty payments.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  
After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n# Eligibility\nTo participate in the Bug Bounty Program you must:\n\n* Not be a resident of any country under U.S. sanctions or any country that does not allow participation in these types of programs\n* Be at least 14 years old and have legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Have permission from your employer to participate\n* Not be (for the previous 12 months) a Coinbase employee, immediate family member of a Coinbase employee, Coinbase contractor, or Coinbase service provider.\n\nAll submissions for bounties to Coinbase must be through HackerOne.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.  Anonymous reports are acceptable through HackerOne but are not eligible for bounty awards.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program. Please also refer to HackerOne’s Finder Terms and Conditions.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-21T19:45:35.945Z"},{"id":3679033,"new_policy":"#IMPORTANT UPDATE: \n\n**Updated on October 25, 2022**\n\nWe have added some new changes to the bug bounty program. 
We are including new categories that are eligible for bug bounty rewards to our program. We have also added specific examples of what severity ratings different bugs will constitute. The new updated table with severity ratings can be found below.\n\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n# New Categories\n\n**Updated on October 25, 2022**\n\n* **Fraud Loss** - A loss of funds or revenue that can be attributed to insider trading, control/chargeback bypass or rate limit abuse. \n* **Staking Loss** - Issues impacting staking rewards that can be attributed to abuse and/or misconfigurations. 
\n* **MNPI exposure** - Issues that provide unfair market advantages to stakeholders trading or holding securities. \n* **Third Party integrations** - Issues that may impact our corporate environment, brand or disrupt a critical service.\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  
As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  
We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as valid reports in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.\n\nThis table was last updated **Oct 25, 2022**\n\n| Vulnerability Tier | Description |\n|:------------- | :-----|\n| Critical | Vulnerabilities that could influence market swings via Coinbase API or Services (positive or negative), Remote Code Execution on staking nodes, Abuse of staking rewards over 10M, Proof of insider trading, Large scale money laundering, 2FA bypass for institutional trading accounts |\n| High | Bypassing Coinbase fee structures that impact the majority of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of sensitive customer PII being leaked, A flaw in the system that allows users from a given region to bypass KYC restrictions, 2FA bypass that impacts one Coinbase product |\n| Medium | Bypassing fee structures that impact a small to moderate number of Coinbase users, A flaw in the system that leads to a small-moderate (Less than 15% of Coinbase users) number of customers’ semi-sensitive information being leaked, A flaw in the system that prevents over 1000 users from purchasing/trading cryptocurrency on Coinbase infrastructure |\n| Low | Financial loss of less than $100,000 for any Coinbase owned system, Default security misconfiguration or best practices, that should be implemented but do not directly result in an exploit or significantly decrease the security of the application or service, Localized exploitation within a constrained environment and/or parameters, Exploit exposure to a smaller subset of non-critical systems and/or data |\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, 
Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  
Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-10-25T23:40:37.946Z"},{"id":3663055,"new_policy":"#IMPORTANT UPDATE: \nDue to the recent Log4j Vulnerability, we are offering a $30,000 bonus if any researcher can demonstrate that we are vulnerable to this issue. This bonus bounty offering begins this day of Dec 15, 2021. \n\nNote: Please provide supporting evidence screenshots, payloads, endpoints etc. in order to avoid delays in triage.\n\n# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”)  described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. 
If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  
Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  
Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) 
Lack of rate limiting in Coinbase products has been accepted as valid reports in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform.\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place.\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:\n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  \n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  
For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  
After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-15T17:50:29.738Z"},{"id":3663054,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”) :  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\nIMPORTANT UPDATE: \nDue to the recent Log4j Vulnerability, we are offering a $30,000 bonus if any researcher can demonstrate that we are vulnerable to this issue. This bonus bounty offering begins this day of Dec 15, 2021. 
\n\nNote: Please provide supporting evidence screenshots, payloads, endpoints etc. in order to avoid delays in triage.\n\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products have been accepted as valid reports in the past, but will be not considered valid unless a critical impact to the environment is demonstrated\n\nPlease see the following guidance on rate limiting submissions:\n1. 
A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  \n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  
\n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated; the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, report disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. 
\n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-15T17:46:57.515Z"},{"id":3663053,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”)  described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form] (https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”) :  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\nIMPORTANT UPDATE: \nDue to the recent Log4j Vulnerability, we are offering a $30,000 bonus if any researcher can demonstrate that we are vulnerable to this issue. This bonus bounty offering begins this day of Dec 15, 2021. 
\nNote: Please provide supporting evidence screenshots, payloads, endpoints etc. in order to avoid delays in triage.\n\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products have been accepted as valid reports in the past, but will be not considered valid unless a critical impact to the environment is demonstrated\n\nPlease see the following guidance on rate limiting submissions:\n1. 
A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  \n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  
\n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated; the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, report disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. 
\n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-15T17:45:38.921Z"},{"id":3663052,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”)  described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form] (https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”) :  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\nUPDATE: \nDue to the recent Log4j Vulnerability, we are offering a $30,000 bonus if any researcher can demonstrate that we are vulnerable to this issue. This bonus bounty offering begins this day of Dec 15, 2021. 
\nNote: Please provide supporting evidence screenshots, payloads, endpoints etc. in order to avoid delays in triage.\n\nCoinbase Security\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products have been accepted as valid reports in the past, but will be not considered valid unless a critical impact to the environment is demonstrated\n\nPlease see the following guidance on rate limiting submissions:\n1. 
A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  \n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  
\n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, and therefore the exact same vulnerability can have drastically different security impacts at different times in the development timeline.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. 
\n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-15T17:45:10.771Z"},{"id":3652006,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest-priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on the severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. 
A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  \n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  
Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, and therefore the exact same vulnerability can have drastically different security impacts at different times in the development timeline.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure.  Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for bounty and are strictly prohibited. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-06T17:15:43.634Z"},{"id":3648368,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest-priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on the severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. 
A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  \n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  
Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing, and therefore the exact same vulnerability can have drastically different security impacts at different times in the development timeline.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues) \n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-02-03T17:49:44.183Z"},{"id":3646646,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest-priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Reports of missing rate limiting in Coinbase products have been accepted as valid in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. 
A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform\n3. A researcher should take into consideration compensating controls when rating the criticality of the rate limiting submission. Note: Do not assume there are no security controls in place\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  \n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  
Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-09T16:41:10.699Z"},{"id":3646645,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”) :  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.) Reports of missing rate limiting in Coinbase products have been accepted as valid in the past, but will not be considered valid unless a critical impact to the environment is demonstrated.\n\nPlease see the following guidance on rate limiting submissions:\n1. A clear bypass that demonstrates access to user data or funds will not be considered unless an actual user of the Coinbase platform and not a test account can be accessed.\n2. 
A researcher should be aware that rate limiting exists and has been evaluated by security internally and by other security researchers via the HackerOne Platform\n3. A researcher should take into consideration compensating controls when rating the criticality of the bug. Note: Do not assume there are no security controls in place\n\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  \n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  
Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Rate Limiting (Non-critical issues)\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-09T16:40:38.532Z"},{"id":3646345,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”) :  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Reports of missing rate limiting in Coinbase products have been accepted as valid in the past, but will not be considered valid unless a clear bypass of the limit is demonstrated. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.)\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  \n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  
Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services) ONLY Critical or service Impacting bugs will be accepted. \n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-01T19:26:07.096Z"},{"id":3645003,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a clear bypass of the limit is demonstrated. Denial of Service issues that don't impact availability of funds or user data are unlikely to be accepted as valid reports.)\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:\n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  \n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  
Software is constantly changing, and therefore the exact same vulnerability at different points in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid, or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence for all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n* *.tagomi.com (All assets on tagomi.com and subdomains, except third-party services)\n\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-12T15:40:16.151Z"},{"id":3642746,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a clear bypass of the limit is demonstrated. Denial of Service issues that don't impact availability of funds or user data are unlikely to be accepted as valid reports.)\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:\n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  \n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  
Software is constantly changing, and therefore the exact same vulnerability at different points in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated, the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible, invalid, or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence for all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. 
Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on GitHub via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-23T13:52:37.978Z"},{"id":3642528,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. 
If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in-scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  
Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  
Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Lack of rate limiting in Coinbase products has been accepted as a valid report in the past, but will not be considered valid unless a clear bypass of the limit is demonstrated. 
Denial of Service issues that don't impact availability of funds or user data are unlikely to be accepted as valid reports.)\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:\n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  \n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000 |\n| Medium | $2,000 |\n| Low | $200 |\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  
\n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n# Report Closure\nCoinbase reviews all findings that are reported via our Bug Bounty Program.  Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Coinbase will request additional information from the reporter.  After all information is aggregated; the report submission goes through an internal review and scoring process.  After the internal review process is complete, any bugs that are not reproducible or invalid will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports.  Failure to provide a detailed report will result in delayed triage and/or ticket closure. \n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-17T15:33:52.225Z"},{"id":3640894,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”)  described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form] (https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”) :  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Lack of rate limiting in Coinbase products have been accepted as valid reports in the past, but will be not considered valid unless a clear bypass of the limit  is demonstrated. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.)\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  
We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  \n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  
Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-03T17:18:00.118Z"},{"id":3631631,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”)  described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form] (https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”) :  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Lack of rate limiting in Coinbase products have been accepted as valid reports in the past. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.)\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  
For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  \n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\nCertain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. 
To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.\n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-26T17:38:55.066Z"},{"id":3622253,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”)  described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form] (https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”) :  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Lack of rate limiting in Coinbase products have been accepted as valid reports in the past. Denial of Service issues that don't impact availability of funds or user data will not likely be accepted as a valid report.)\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  
For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  \n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\n\n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-25T19:02:56.098Z"},{"id":3603808,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system.\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  
\n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\n\n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-27T18:20:00.229Z"},{"id":3603805,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system.\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  
\n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\n\n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. Companies Coinbase has acquired are not in scope of the bug bounty program unless they are specifically added to the scope section and declared in scope. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-27T18:16:59.018Z"},{"id":3602859,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form](https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”):  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system.\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  
\n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\n\n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n\nPlease view the scope section for a more detailed list of in-scope and out-of-scope assets. \n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.1 of our Bug Bounty 
Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-02-15T19:08:01.795Z"},{"id":3583769,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”)  described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our [support form] (https://support.coinbase.com/customer/portal/emails/new)**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”) :  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  
We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. 
Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in-scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  
For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of system.\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  \n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  
Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\n\n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n\nThe following subdomains host services provided by third parties, and therefore are explicitly out of program scope.  \n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* engineering.coinbase.com\n* developers.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* beta.coinbase.com\n* support.gdax.com\n* blog.gdax.com\n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.0 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-26T16:28:42.809Z"},{"id":3583768,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”)  described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and immediately contact support via our support form: https://support.coinbase.com/customer/portal/emails/new**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”) :  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of system.\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  
\n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\n\n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n\nThe following subdomains host services provided by third parties, and therefore are explicitly out of program scope.  \n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* engineering.coinbase.com\n* developers.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* beta.coinbase.com\n* support.gdax.com\n* blog.gdax.com\n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.0 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-26T16:27:30.393Z"},{"id":3583220,"new_policy":"# Introduction\n\nCoinbase recognizes the importance and value of security researchers’ efforts in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”)  described on this page.  \n\n**Note: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and contact trust@coinbase.com immediately.**\n\nThe Bug Bounty Program directly serves Coinbase's [mission](https://www.coinbase.com/mission) by helping us be the most trusted way to use digital currency.  
In that spirit, the scope and philosophy of the program aim to safeguard two highest priority assets (“Sensitive Data”) :  \n* Digital and fiat currency balances\n* Customer information\n\nThe Bug Bounty Program scope covers all software vulnerabilities in services provided by Coinbase.  \n\nA valid report is any in-scope report that clearly demonstrates a software vulnerability that harms Coinbase or Coinbase customers.  A report must be a valid, in scope report in order to qualify for a bounty. Coinbase will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.\n\n\n\n# Program Policies\n\nCoinbase pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations.  We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.\n\nIf legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy.  Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Coinbase cannot and does not authorize security research on other entities.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.  
This report should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.\n\nWe believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities.  As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the [#legalbugbounty](https://twitter.com/search?q=legalbugbounty) [project](https://github.com/EdOverflow/legal-bug-bounty). \n\n### Researcher Requirements\n\nComplying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”.  Responsible Disclosure includes:\n\n1. Providing Coinbase a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.\n2. Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.\n3. Not defrauding Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.\n4. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Coinbase. \n5. Reporting vulnerabilities with no conditions, demands, or ransom threats.\n\nCoinbase considers Social Engineering attacks against Coinbase employees to be a violation of Program Policies.  Researchers engaging in Social Engineering attacks against Coinbase employees will be banned from the Coinbase Bug Bounty program.  We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.\n\n\n\n# Report Evaluation\n\nIn order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers.  
Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.\n\nA report must be a valid, in scope report in order to qualify for a bounty.  Coinbase awards bounties based on severity of the vulnerability.  We determine severity based on two factors: Impact and Exploitability.\n\nImpact describes the effects of successful exploitation upon Coinbase systems or customers.  We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information.  Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact.  For example:\n* Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.\n* Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of system.\n\nExploitability describes the difficulty of actively exploiting the vulnerability itself.  We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker's direct control such as social engineering requirements or timing requirements.  For example:   \n* Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.  
\n* Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.\n\nSeverity is determined as a combination of Impact and Exploitability.  For example:\n* Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Coinbase or Coinbase customers.\n* Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.\n\nIn order to provide general guidelines to researchers regarding the payouts that can be expected for a given report, Coinbase uses the severity of a report to place the report into one of the following tiers.  \n\n| Vulnerability Tier | Reward |\n|:------------- | -----:|\n| Critical | $50,000 |\n| High | $15,000|\n| Medium |  $2,000 |\n| Low | $200 |\n|||\n\nThe payouts listed next to each tier are minimum bounties for the tier.  Bonuses in excess of the tier minimum can be awarded based on the severity of the vulnerability or creativity of the exploitation.  Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.  \n\nPrevious bounty amounts are not considered precedent for future bounty amounts.  Software is constantly changing and therefore the given security impact of the exact same vulnerability at different times in the development timeline can have drastically different security impacts.\n\n\n\n# Scope\n\nThe Coinbase Bug Bounty program scope covers all software vulnerabilities in services provided by Coinbase.  
\n\nSpecific domains hosting Coinbase services are provided below:\n* *.coinbase.com  (All assets on coinbase.com and subdomains, excepting services provided by third parties)\n* *.cbhq.net (All assets on cbhq.net and subdomains, excepting services provided by third parties)\n* com.coinbase.android (Android: Play Store Coinbase app)\n* com.coinbase.ios (iOS: App Store Coinbase app)\n* 54.175.255.192/27 (All Coinbase provided services hosted on this block of IPs)\n\nThe following subdomains host services provided by third parties, and therefore are explicitly out of program scope.  \n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* engineering.coinbase.com\n* developers.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* beta.coinbase.com\n* support.gdax.com\n* blog.gdax.com\n\nAdditionally, all vulnerabilities that require or are related to the following are out of scope:\n* Social engineering\n* Physical security\n* Non-security-impacting UX issues\n* Deprecated Open Source libraries are not in scope.  If you would like to report a vulnerability for one of these libraries, please submit it on github via an issue or PR.  
Note: we do accept vulnerability reports through HackerOne for our currently supported, actively maintained open source libraries.\n* Vulnerabilities or weaknesses in third party applications that integrate with Coinbase\n* Ability to abuse existing banking functionality such as ACH or credit card chargebacks\n\nIf you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.\n\n\n# Fine Print\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThe current Bug Bounty Program as described on this page is v4.0 of our Bug Bounty Program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-20T23:43:06.675Z"},{"id":3573028,"new_policy":"## Coinbase Bug Bounty Program\n\nCoinbase recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\nNote: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and contact support@coinbase.com immediately.\n\n### Responsible Disclosure\n\nResponsible disclosure includes:\n\n1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.\n2. Making a good faith effort to not leak or destroy any Coinbase user data.\n3. 
Not defrauding Coinbase users or Coinbase itself in the process of discovery.\n\nIn order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.\n\n### Social Engineering\n\nYou are not allowed to conduct social engineering attacks against our support team. This will most likely result in your account being closed and no bounty will be awarded.\n\n### Rewards\n\nThe minimum payout is **$100 USD** and an entry in our [hall of fame](https://hackerone.com/coinbase/thanks) for reporting a new security vulnerability which results in a code or configuration change on our part. There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\nWe use the following table as a guideline for determining reward amounts:\n\n| Vulnerability | Reward |\n|:------------- | -----:|\n| Remote Code Execution | $50,000 |\n| Significant manipulation of account balance | $10,000|\n| XSS/CSRF/Clickjacking affecting sensitive actions [1] |  $7,500 |\n| Theft of privileged information [2] | $5,000 |\n| Partial authentication bypass | $3,000 |\n| Other XSS (excluding [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)) | $1,000 |\n| Other vulnerability with clear potential for financial or data loss | $1,000 |\n| Other CSRF (excluding logout CSRF) | $250 |\n| Other best practice or defense in depth | $100 |\n|||\n\n[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions\n\n[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent\n\n### Eligibility\n\nAll services provided by Coinbase are eligible for our bug bounty program, including the Coinbase Wallet, API, Merchant Tools, and 
Exchange.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* XSS\n* CSRF\n* Authentication bypass or privilege escalation\n* Click jacking\n* Remote code execution\n* Obtaining user information\n* Accounting errors\n\nIn general, the following would **not** meet the threshold for severity:\n\n* Lack of password length restrictions\n* Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.\n* [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)\n* Denial of service\n* Spamming\n* Vulnerabilities in third party applications which make use of the Coinbase API\n* Vulnerabilities which involve privileged access (e.g. rooting a phone) to a victim's device(s)\n* Logout CSRF\n* User existence/enumeration vulnerabilities\n* Password complexity requirements\n* Reports from automated tools or scans (without accompanying demonstration of exploitability)\n* Social engineering attacks against Coinbase employees or contractors\n* Text-only injection in error pages\n* Automatic hyperlink construction by 3rd party email providers\n* Using email mutations (+, ., etc) to create multiple accounts for a single email\n\nThe following domains are hosted by third parties, and are **not** currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* engineering.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* support.gdax.com\n* Any other service not directly hosted or controlled by Coinbase.\n\nCoinbase will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\nBy submitting a bug, you agree to be bound by the above 
rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-04-04T22:11:57.710Z"},{"id":3561828,"new_policy":"## Coinbase Bug Bounty Program\n\nCoinbase recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\nNote: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and contact support@coinbase.com immediately.\n\n### Responsible Disclosure\n\nResponsible disclosure includes:\n\n1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.\n2. Making a good faith effort to not leak or destroy any Coinbase user data.\n3. Not defrauding Coinbase users or Coinbase itself in the process of discovery.\n\nIn order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.\n\n### Social Engineering\n\nYou are not allowed to conduct social engineering attacks against our support team. This will most likely result in your account being closed and no bounty will be awarded.\n\n### Rewards\n\nThe minimum payout is **$100 USD** and an entry in our [hall of fame](https://hackerone.com/coinbase/thanks) for reporting a new security vulnerability which results in a code or configuration change on our part. 
There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\nWe use the following table as a guideline for determining reward amounts:\n\n| Vulnerability | Reward |\n|:------------- | -----:|\n| Remote Code Execution | $50,000 |\n| Significant manipulation of account balance | $10,000|\n| XSS/CSRF/Clickjacking affecting sensitive actions [1] |  $7,500 |\n| Theft of privileged information [2] | $5,000 |\n| Partial authentication bypass | $3,000 |\n| Other XSS (excluding [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)) | $1,000 |\n| Other vulnerability with clear potential for financial or data loss | $1,000 |\n| Other CSRF (excluding logout CSRF) | $250 |\n| Other best practice or defense in depth | $100 |\n|||\n\n[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions\n\n[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent\n\n### Eligibility\n\nAll services provided by Coinbase are eligible for our bug bounty program, including the Coinbase Wallet, API, Merchant Tools, and Exchange.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* XSS\n* CSRF\n* Authentication bypass or privilege escalation\n* Click jacking\n* Remote code execution\n* Obtaining user information\n* Accounting errors\n\nIn general, the following would **not** meet the threshold for severity:\n\n* Lack of password length restrictions\n* Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.\n* [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)\n* Denial of service\n* Spamming\n* Vulnerabilities in third party applications which make use of the Coinbase API\n* Vulnerabilities which involve 
privileged access (e.g. rooting a phone) to a victim's device(s)\n* Logout CSRF\n* User existence/enumeration vulnerabilities\n* Password complexity requirements\n* Reports from automated tools or scans (without accompanying demonstration of exploitability)\n* Social engineering attacks against Coinbase employees or contractors\n* Text-only injection in error pages\n* Automatic hyperlink construction by 3rd party email providers\n* Using email mutations (+, ., etc) to create multiple accounts for a single email\n\nThe following domains are hosted by third parties, and are **not** currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* engineering.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* support.gdax.com\n* filetransfer.coinbase.com\n* Any other service not directly hosted or controlled by Coinbase.\n\nCoinbase will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\nBy submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-10-18T16:38:52.790Z"},{"id":3558018,"new_policy":"## Coinbase Bug Bounty Program\n\nCoinbase recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\nNote: This program is for the disclosure of software security vulnerabilities only. 
If you believe your Coinbase account has been compromised, change your password and contact support@coinbase.com immediately.\n\n### Responsible Disclosure\n\nResponsible disclosure includes:\n\n1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.\n2. Making a good faith effort to not leak or destroy any Coinbase user data.\n3. Not defrauding Coinbase users or Coinbase itself in the process of discovery.\n\nIn order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.\n\n### Social Engineering\n\nYou are not allowed to conduct social engineering attacks against our support team. This will most likely result in your account being closed and no bounty will be awarded.\n\n### Rewards\n\nThe minimum payout is **$100 USD** and an entry in our [hall of fame](https://hackerone.com/coinbase/thanks) for reporting a new security vulnerability which results in a code or configuration change on our part. 
There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\nWe use the following table as a guideline for determining reward amounts:\n\n| Vulnerability | Reward |\n|:------------- | -----:|\n| Remote Code Execution | $10,000 |\n| Significant manipulation of account balance | $5,000 |\n| XSS/CSRF/Clickjacking affecting sensitive actions [1] |  $5,000 |\n| Theft of privileged information [2] | $3,000 |\n| Partial authentication bypass | $1,000 |\n| Other XSS (excluding [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)) | $1,000 |\n| Other vulnerability with clear potential for financial or data loss | $1,000 |\n| Other CSRF (excluding logout CSRF) | $250 |\n| Other best practice or defense in depth | $100 |\n|||\n\n[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions\n\n[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent\n\n### Eligibility\n\nAll services provided by Coinbase are eligible for our bug bounty program, including the Coinbase Wallet, API, Merchant Tools, and Exchange.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* XSS\n* CSRF\n* Authentication bypass or privilege escalation\n* Click jacking\n* Remote code execution\n* Obtaining user information\n* Accounting errors\n\nIn general, the following would **not** meet the threshold for severity:\n\n* Lack of password length restrictions\n* Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.\n* [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)\n* Denial of service\n* Spamming\n* Vulnerabilities in third party applications which make use of the Coinbase API\n* Vulnerabilities which involve 
privileged access (e.g. rooting a phone) to a victim's device(s)\n* Logout CSRF\n* User existence/enumeration vulnerabilities\n* Password complexity requirements\n* Reports from automated tools or scans (without accompanying demonstration of exploitability)\n* Social engineering attacks against Coinbase employees or contractors\n* Text-only injection in error pages\n* Automatic hyperlink construction by 3rd party email providers\n* Using email mutations (+, ., etc) to create multiple accounts for a single email\n\nThe following domains are hosted by third parties, and are **not** currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* engineering.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* support.gdax.com\n* filetransfer.coinbase.com\n* Any other service not directly hosted or controlled by Coinbase.\n\nCoinbase will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\nBy submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-20T20:59:48.983Z"},{"id":3546057,"new_policy":"## Coinbase Bug Bounty Program\n\nCoinbase recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\nNote: This program is for the disclosure of software security vulnerabilities only. 
If you believe your Coinbase account has been compromised, change your password and contact support@coinbase.com immediately.\n\n### Responsible Disclosure\n\nResponsible disclosure includes:\n\n1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.\n2. Making a good faith effort to not leak or destroy any Coinbase user data.\n3. Not defrauding Coinbase users or Coinbase itself in the process of discovery.\n\nIn order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.\n\n### Social Engineering\n\nYou are not allowed to conduct social engineering attacks against our support team. This will most likely result in your account being closed and no bounty will be awarded.\n\n### Rewards\n\nThe minimum payout is **$100 USD** and an entry in our [hall of fame](https://hackerone.com/coinbase/thanks) for reporting a new security vulnerability which results in a code or configuration change on our part. 
There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\nWe use the following table as a guideline for determining reward amounts:\n\n| Vulnerability | Reward |\n|:------------- | -----:|\n| Remote Code Execution | $10,000 |\n| Significant manipulation of account balance | $5,000 |\n| XSS/CSRF/Clickjacking affecting sensitive actions [1] |  $5,000 |\n| Theft of privileged information [2] | $3,000 |\n| Partial authentication bypass | $1,000 |\n| Other XSS (excluding [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)) | $1,000 |\n| Other vulnerability with clear potential for financial or data loss | $1,000 |\n| Other CSRF (excluding logout CSRF) | $250 |\n| Other best practice or defense in depth | $100 |\n|||\n\n[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions\n\n[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent\n\n### Eligibility\n\nAll services provided by Coinbase are eligible for our bug bounty program, including the Coinbase Wallet, API, Merchant Tools, and Exchange.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* XSS\n* CSRF\n* Authentication bypass or privilege escalation\n* Click jacking\n* Remote code execution\n* Obtaining user information\n* Accounting errors\n\nIn general, the following would **not** meet the threshold for severity:\n\n* Lack of password length restrictions\n* Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.\n* [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)\n* Denial of service\n* Spamming\n* Vulnerabilities in third party applications which make use of the Coinbase API\n* Vulnerabilities which involve 
privileged access (e.g. rooting a phone) to a victim's device(s)\n* Logout CSRF\n* User existence/enumeration vulnerabilities\n* Password complexity requirements\n* Reports from automated tools or scans (without accompanying demonstration of exploitability)\n* Social engineering attacks against Coinbase employees or contractors\n* Text-only injection in error pages\n* Automatic hyperlink construction by 3rd party email providers\n* Using email mutations (+, ., etc) to create multiple accounts for a single email\n\nThe following domains are hosted by third parties, and are **not** currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* support.gdax.com\n* filetransfer.coinbase.com\n* Any other service not directly hosted or controlled by Coinbase.\n\nCoinbase will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\nBy submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-02-02T19:01:36.661Z"},{"id":3545758,"new_policy":"## Coinbase Bug Bounty Program\n\nCoinbase recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\nNote: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and contact support@coinbase.com immediately.\n\n### Responsible Disclosure\n\nResponsible disclosure includes:\n\n1. 
Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.\n2. Making a good faith effort to not leak or destroy any Coinbase user data.\n3. Not defrauding Coinbase users or Coinbase itself in the process of discovery.\n\nIn order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.\n\n### Social Engineering\n\nYou are not allowed to conduct social engineering attacks against our support team. This will most likely result in your account being closed and no bounty will be awarded.\n\n### Rewards\n\nThe minimum payout is **$100 USD** and an entry in our [hall of fame](https://hackerone.com/coinbase/thanks) for reporting a new security vulnerability which results in a code or configuration change on our part. There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\nWe use the following table as a guideline for determining reward amounts:\n\n| Vulnerability | Reward |\n|:------------- | -----:|\n| Remote Code Execution | $10,000 |\n| Significant manipulation of account balance | $5,000 |\n| XSS/CSRF/Clickjacking affecting sensitive actions [1] |  $5,000 |\n| Theft of privileged information [2] | $3,000 |\n| Partial authentication bypass | $1,000 |\n| Other XSS (excluding [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)) | $1,000 |\n| Other vulnerability with clear potential for financial or data loss | $1,000 |\n| Other CSRF (excluding logout CSRF) | $250 |\n| Other best practice or defense in depth | $100 |\n|||\n\n[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions\n\n[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or 
equivalent\n\n### Eligibility\n\nAll services provided by Coinbase are eligible for our bug bounty program, including the Coinbase Wallet, API, Merchant Tools, and Exchange.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* XSS\n* CSRF\n* Authentication bypass or privilege escalation\n* Click jacking\n* Remote code execution\n* Obtaining user information\n* Accounting errors\n\nIn general, the following would **not** meet the threshold for severity:\n\n* Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.\n* [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)\n* Denial of service\n* Spamming\n* Vulnerabilities in third party applications which make use of the Coinbase API\n* Vulnerabilities which involve privileged access (e.g. rooting a phone) to a victim's device(s)\n* Logout CSRF\n* User existence/enumeration vulnerabilities\n* Password complexity requirements\n* Reports from automated tools or scans (without accompanying demonstration of exploitability)\n* Social engineering attacks against Coinbase employees or contractors\n* Text-only injection in error pages\n* Automatic hyperlink construction by 3rd party email providers\n* Using email mutations (+, ., etc) to create multiple accounts for a single email\n\nThe following domains are hosted by third parties, and are **not** currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* support.gdax.com\n* filetransfer.coinbase.com\n* Any other service not directly hosted or controlled by Coinbase.\n\nCoinbase will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\nBy submitting a bug, you agree to be bound by the above 
rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-01-27T19:48:32.599Z"},{"id":3544137,"new_policy":"## Coinbase Bug Bounty Program\n\nCoinbase recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\nNote: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and contact support@coinbase.com immediately.\n\n### Responsible Disclosure\n\nResponsible disclosure includes:\n\n1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.\n2. Making a good faith effort to not leak or destroy any Coinbase user data.\n3. Not defrauding Coinbase users or Coinbase itself in the process of discovery.\n\nIn order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.\n\n### Social Engineering\n\nYou are not allowed to conduct social engineering attacks against our support team. This will most likely result in your account being closed and no bounty will be awarded.\n\n### Rewards\n\nThe minimum payout is **$100 USD** and an entry in our [hall of fame](https://hackerone.com/coinbase/thanks) for reporting a new security vulnerability which results in a code or configuration change on our part. 
There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\nWe use the following table as a guideline for determining reward amounts:\n\n| Vulnerability | Reward |\n|:------------- | -----:|\n| Remote Code Execution | $10,000 |\n| Significant manipulation of account balance | $5,000 |\n| XSS/CSRF/Clickjacking affecting sensitive actions [1] |  $5,000 |\n| Theft of privileged information [2] | $3,000 |\n| Partial authentication bypass | $1,000 |\n| Other XSS (excluding [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)) | $1,000 |\n| Other vulnerability with clear potential for financial or data loss | $1,000 |\n| Other CSRF (excluding logout CSRF) | $250 |\n| Other best practice or defense in depth | $100 |\n|||\n\n[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions\n\n[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent\n\n### Eligibility\n\nAll services provided by Coinbase are eligible for our bug bounty program, including the Coinbase Wallet, API, Merchant Tools, and Exchange.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* XSS\n* CSRF\n* Authentication bypass or privilege escalation\n* Click jacking\n* Remote code execution\n* Obtaining user information\n* Accounting errors\n\nIn general, the following would **not** meet the threshold for severity:\n\n* Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.\n* [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)\n* Denial of service\n* Spamming\n* Vulnerabilities in third party applications which make use of the Coinbase API\n* Vulnerabilities which involve privileged access (e.g. 
rooting a phone) to a victim's device(s)\n* Logout CSRF\n* User existence/enumeration vulnerabilities\n* Password complexity requirements\n* Reports from automated tools or scans (without accompanying demonstration of exploitability)\n* Social engineering attacks against Coinbase employees or contractors\n* Text-only injection in error pages\n* Automatic hyperlink construction by 3rd party email providers\n\nThe following domains are hosted by third parties, and are **not** currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* support.gdax.com\n* filetransfer.coinbase.com\n* Any other service not directly hosted or controlled by Coinbase.\n\nCoinbase will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\nBy submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-01-04T17:58:29.859Z"},{"id":3543894,"new_policy":"## Coinbase Bug Bounty Program\n\n*NOTE: During the holiday season, 23 December to 4 January, we will be slower when triaging and resolving bugs submitted.  Low severity bugs may not be triaged until after 4 January.*\n\nCoinbase recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\nNote: This program is for the disclosure of software security vulnerabilities only. 
If you believe your Coinbase account has been compromised, change your password and contact support@coinbase.com immediately.\n\n### Responsible Disclosure\n\nResponsible disclosure includes:\n\n1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.\n2. Making a good faith effort to not leak or destroy any Coinbase user data.\n3. Not defrauding Coinbase users or Coinbase itself in the process of discovery.\n\nIn order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.\n\n### Social Engineering\n\nYou are not allowed to conduct social engineering attacks against our support team. This will most likely result in your account being closed and no bounty will be awarded.\n\n### Rewards\n\nThe minimum payout is **$100 USD** and an entry in our [hall of fame](https://hackerone.com/coinbase/thanks) for reporting a new security vulnerability which results in a code or configuration change on our part. 
There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\nWe use the following table as a guideline for determining reward amounts:\n\n| Vulnerability | Reward |\n|:------------- | -----:|\n| Remote Code Execution | $10,000 |\n| Significant manipulation of account balance | $5,000 |\n| XSS/CSRF/Clickjacking affecting sensitive actions [1] |  $5,000 |\n| Theft of privileged information [2] | $3,000 |\n| Partial authentication bypass | $1,000 |\n| Other XSS (excluding [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)) | $1,000 |\n| Other vulnerability with clear potential for financial or data loss | $1,000 |\n| Other CSRF (excluding logout CSRF) | $250 |\n| Other best practice or defense in depth | $100 |\n|||\n\n[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions\n\n[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent\n\n### Eligibility\n\nAll services provided by Coinbase are eligible for our bug bounty program, including the Coinbase Wallet, API, Merchant Tools, and Exchange.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* XSS\n* CSRF\n* Authentication bypass or privilege escalation\n* Click jacking\n* Remote code execution\n* Obtaining user information\n* Accounting errors\n\nIn general, the following would **not** meet the threshold for severity:\n\n* Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.\n* [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)\n* Denial of service\n* Spamming\n* Vulnerabilities in third party applications which make use of the Coinbase API\n* Vulnerabilities which involve privileged access (e.g. 
rooting a phone) to a victim's device(s)\n* Logout CSRF\n* User existence/enumeration vulnerabilities\n* Password complexity requirements\n* Reports from automated tools or scans (without accompanying demonstration of exploitability)\n* Social engineering attacks against Coinbase employees or contractors\n* Text-only injection in error pages\n* Automatic hyperlink construction by 3rd party email providers\n\nThe following domains are hosted by third parties, and are **not** currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* support.gdax.com\n* filetransfer.coinbase.com\n* Any other service not directly hosted or controlled by Coinbase.\n\nCoinbase will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\nBy submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-29T18:33:54.636Z"},{"id":3542764,"new_policy":"## Coinbase Bug Bounty Program\n\nCoinbase recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\nNote: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and contact support@coinbase.com immediately.\n\n### Responsible Disclosure\n\nResponsible disclosure includes:\n\n1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.\n2. 
Making a good faith effort to not leak or destroy any Coinbase user data.\n3. Not defrauding Coinbase users or Coinbase itself in the process of discovery.\n\nIn order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.\n\n### Social Engineering\n\nYou are not allowed to conduct social engineering attacks against our support team. This will most likely result in your account being closed and no bounty will be awarded.\n\n### Rewards\n\nThe minimum payout is **$100 USD** and an entry in our [hall of fame](https://hackerone.com/coinbase/thanks) for reporting a new security vulnerability which results in a code or configuration change on our part. There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\nWe use the following table as a guideline for determining reward amounts:\n\n| Vulnerability | Reward |\n|:------------- | -----:|\n| Remote Code Execution | $10,000 |\n| Significant manipulation of account balance | $5,000 |\n| XSS/CSRF/Clickjacking affecting sensitive actions [1] |  $5,000 |\n| Theft of privileged information [2] | $3,000 |\n| Partial authentication bypass | $1,000 |\n| Other XSS (excluding [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)) | $1,000 |\n| Other vulnerability with clear potential for financial or data loss | $1,000 |\n| Other CSRF (excluding logout CSRF) | $250 |\n| Other best practice or defense in depth | $100 |\n|||\n\n[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions\n\n[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent\n\n### Eligibility\n\nAll services provided by Coinbase are eligible for our bug bounty 
program, including the Coinbase Wallet, API, Merchant Tools, and Exchange.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* XSS\n* CSRF\n* Authentication bypass or privilege escalation\n* Click jacking\n* Remote code execution\n* Obtaining user information\n* Accounting errors\n\nIn general, the following would **not** meet the threshold for severity:\n\n* Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.\n* [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)\n* Denial of service\n* Spamming\n* Vulnerabilities in third party applications which make use of the Coinbase API\n* Vulnerabilities which involve privileged access to a victim's device(s)\n* Logout CSRF\n* User existence/enumeration vulnerabilities\n* Password complexity requirements\n* Reports from automated tools or scans (without accompanying demonstration of exploitability)\n* Social engineering attacks against Coinbase employees or contractors\n* Text only injection in error pages\n\nThe following domains are hosted by third parties, and are **not** currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* support.gdax.com\n* Any other service not directly hosted or controlled by Coinbase.\n\nCoinbase will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\nBy submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-05T20:16:05.724Z"},{"id":3541688,"new_policy":"## Coinbase 
Bug Bounty Program\n\nCoinbase recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\nNote: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and contact support@coinbase.com immediately.\n\n### Responsible Disclosure\n\nResponsible disclosure includes:\n\n1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.\n2. Making a good faith effort to not leak or destroy any Coinbase user data.\n3. Not defrauding Coinbase users or Coinbase itself in the process of discovery.\n\nIn order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.\n\n### Social Engineering\n\nYou are not allowed to conduct social engineering attacks against our support team. This will most likely result in your account being closed and no bounty will be awarded.\n\n### Rewards\n\nThe minimum payout is **$100 USD** and an entry in our [hall of fame](https://hackerone.com/coinbase/thanks) for reporting a new security vulnerability which results in a code or configuration change on our part. 
There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\nWe use the following table as a guideline for determining reward amounts:\n\n| Vulnerability | Reward |\n|:------------- | -----:|\n| Remote Code Execution | $10,000 |\n| Significant manipulation of account balance | $5,000 |\n| XSS/CSRF/Clickjacking affecting sensitive actions [1] |  $5,000 |\n| Theft of privileged information [2] | $3,000 |\n| Partial authentication bypass | $1,000 |\n| Other XSS (excluding [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)) | $1,000 |\n| Other vulnerability with clear potential for financial or data loss | $1,000 |\n| Other CSRF (excluding logout CSRF) | $250 |\n| Other best practice or defense in depth | $100 |\n|||\n\n[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions\n\n[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent\n\n### Eligibility\n\nAll services provided by Coinbase are eligible for our bug bounty program, including the Coinbase Wallet, API, Merchant Tools, and Exchange.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* XSS\n* CSRF\n* Authentication bypass or privilege escalation\n* Click jacking\n* Remote code execution\n* Obtaining user information\n* Accounting errors\n\nIn general, the following would **not** meet the threshold for severity:\n\n* Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.\n* [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)\n* Denial of service\n* Spamming\n* Vulnerabilities in third party applications which make use of the Coinbase API\n* Vulnerabilities which involve privileged access to a victim's device(s)\n* 
Logout CSRF\n* User existence/enumeration vulnerabilities\n* Password complexity requirements\n* Reports from automated tools or scans (without accompanying demonstration of exploitability)\n* Social engineering attacks against Coinbase employees or contractors\n\nThe following domains are hosted by third parties, and are **not** currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* support.gdax.com\n* Any other service not directly hosted or controlled by Coinbase.\n\nCoinbase will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\nBy submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-11-13T17:07:38.122Z"},{"id":2817319,"new_policy":"## Coinbase Bug Bounty Program\n\nCoinbase recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\nNote: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and contact support@coinbase.com immediately.\n\n### Responsible Disclosure\n\nResponsible disclosure includes:\n\n1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.\n2. Making a good faith effort to not leak or destroy any Coinbase user data.\n3. 
Not defrauding Coinbase users or Coinbase itself in the process of discovery.\n\nIn order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.\n\n### Social Engineering\n\nYou are not allowed to conduct social engineering attacks against our support team. This will most likely result in your account being closed and no bounty will be awarded.\n\n### Rewards\n\nThe minimum payout is **$100 USD** and an entry in our [hall of fame](https://hackerone.com/coinbase/thanks) for reporting a new security vulnerability which results in a code or configuration change on our part. There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\nWe use the following table as a guideline for determining reward amounts:\n\n| Vulnerability | Reward |\n|:------------- | -----:|\n| Remote Code Execution | $10,000 |\n| Significant manipulation of account balance | $5,000 |\n| XSS/CSRF/Clickjacking affecting sensitive actions [1] |  $5,000 |\n| Theft of privileged information [2] | $3,000 |\n| Partial authentication bypass | $1,000 |\n| Other XSS (excluding [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)) | $1,000 |\n| Other vulnerability with clear potential for financial or data loss | $1,000 |\n| Other CSRF (excluding logout CSRF) | $250 |\n| Other best practice or defense in depth | $100 |\n|||\n\n[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions\n\n[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent\n\n### Eligibility\n\nAll services provided by Coinbase are eligible for our bug bounty program, including the Coinbase Wallet, API, Merchant Tools, and 
Exchange.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* XSS\n* CSRF\n* Authentication bypass or privilege escalation\n* Click jacking\n* Remote code execution\n* Obtaining user information\n* Accounting errors\n\nIn general, the following would **not** meet the threshold for severity:\n\n* [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)\n* Denial of service\n* Spamming\n* Vulnerabilities in third party applications which make use of the Coinbase API\n* Vulnerabilities which involve privileged access to a victim's device(s)\n* Logout CSRF\n* User existence/enumeration vulnerabilities\n* Password complexity requirements\n* Reports from automated tools or scans (without accompanying demonstration of exploitability)\n* Social engineering attacks against Coinbase employees or contractors\n\nThe following domains are hosted by third parties, and are **not** currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* support.gdax.com\n* Any other service not directly hosted or controlled by Coinbase.\n\nCoinbase will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\nBy submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-05-24T18:02:21.019Z"},{"id":2724540,"new_policy":"## Coinbase Bug Bounty Program\n\nCoinbase recognizes the importance of security researchers in helping keep our community safe. 
We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\nNote: This program is for the disclosure of software security vulnerabilities only. If you believe your Coinbase account has been compromised, change your password and contact support@coinbase.com immediately.\n\n### Responsible Disclosure\n\nResponsible disclosure includes:\n\n1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.\n2. Making a good faith effort to not leak or destroy any Coinbase user data.\n3. Not defrauding Coinbase users or Coinbase itself in the process of discovery.\n\nIn order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.\n\n### Social Engineering\n\nYou are not allowed to conduct social engineering attacks against our support team. This will most likely result in your account being closed and no bounty will be awarded.\n\n### Rewards\n\nThe minimum payout is **$100 USD** and an entry in our [hall of fame](https://hackerone.com/coinbase/thanks) for reporting a new security vulnerability which results in a code or configuration change on our part. 
There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\nWe use the following table as a guideline for determining reward amounts:\n\n| Vulnerability | Reward |\n|:------------- | -----:|\n| Remote Code Execution | $10,000 |\n| Significant manipulation of account balance | $5,000 |\n| XSS/CSRF/Clickjacking affecting sensitive actions [1] |  $5,000 |\n| Theft of privileged information [2] | $3,000 |\n| Partial authentication bypass | $1,000 |\n| Other XSS (excluding [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)) | $1,000 |\n| Other vulnerability with clear potential for financial or data loss | $1,000 |\n| Other CSRF (excluding logout CSRF) | $250 |\n| Other best practice or defense in depth | $100 |\n|||\n\n[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions\n\n[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent\n\n### Eligibility\n\nAll services provided by Coinbase are eligible for our bug bounty program, including the Coinbase Wallet, API, Merchant Tools, and Exchange.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* XSS\n* CSRF\n* Authentication bypass or privilege escalation\n* Click jacking\n* Remote code execution\n* Obtaining user information\n* Accounting errors\n\nIn general, the following would **not** meet the threshold for severity:\n\n* [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)\n* Denial of service\n* Spamming\n* Vulnerabilities in third party applications which make use of the Coinbase API\n* Vulnerabilities which involve privileged access to a victim's device(s)\n* Logout CSRF\n* User existence/enumeration vulnerabilities\n* Password complexity requirements\n* 
Reports from automated tools or scans (without accompanying demonstration of exploitability)\n* Social engineering attacks against Coinbase employees or contractors\n\nThe following domains are hosted by third parties, and are **not** currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* Any other service not directly hosted or controlled by Coinbase.\n\nCoinbase will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\nBy submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-05-06T14:34:51.817Z"},{"id":2103323,"new_policy":"## Coinbase Bug Bounty Program\n\nCoinbase recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n### Responsible Disclosure\n\nResponsible disclosure includes:\n\n1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.\n2. Making a good faith effort to not leak or destroy any Coinbase user data.\n3. Not defrauding Coinbase users or Coinbase itself in the process of discovery.\n\nIn order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.\n\n### Social Engineering\n\nYou are not allowed to conduct social engineering attacks against our support team. 
This will most likely result in your account being closed and no bounty will be awarded.\n\n### Rewards\n\nThe minimum payout is **$100 USD** and an entry in our [hall of fame](https://hackerone.com/coinbase/thanks) for reporting a new security vulnerability which results in a code or configuration change on our part. There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\nWe use the following table as a guideline for determining reward amounts:\n\n| Vulnerability | Reward |\n|:------------- | -----:|\n| Remote Code Execution | $10,000 |\n| Significant manipulation of account balance | $5,000 |\n| XSS/CSRF/Clickjacking affecting sensitive actions [1] |  $5,000 |\n| Theft of privileged information [2] | $3,000 |\n| Partial authentication bypass | $1,000 |\n| Other XSS (excluding [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)) | $1,000 |\n| Other vulnerability with clear potential for financial or data loss | $1,000 |\n| Other CSRF (excluding logout CSRF) | $250 |\n| Other best practice or defense in depth | $100 |\n|||\n\n[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions\n\n[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent\n\n### Eligibility\n\nAll services provided by Coinbase are eligible for our bug bounty program, including the Coinbase Wallet, API, Merchant Tools, and Exchange.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* XSS\n* CSRF\n* Authentication bypass or privilege escalation\n* Click jacking\n* Remote code execution\n* Obtaining user information\n* Accounting errors\n\nIn general, the following would **not** meet the threshold for severity:\n\n* 
[Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)\n* Denial of service\n* Spamming\n* Vulnerabilities in third party applications which make use of the Coinbase API\n* Vulnerabilities which involve privileged access to a victim's device(s)\n* Logout CSRF\n* User existence/enumeration vulnerabilities\n* Password complexity requirements\n* Reports from automated tools or scans (without accompanying demonstration of exploitability)\n* Social engineering attacks against Coinbase employees or contractors\n\nThe following domains are hosted by third parties, and are **not** currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* Any other service not directly hosted or controlled by Coinbase.\n\nCoinbase will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\nBy submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-21T03:06:18.698Z"},{"id":1538656,"new_policy":"## Coinbase Bug Bounty Program\n\nCoinbase recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n### Responsible Disclosure\n\nResponsible disclosure includes:\n\n1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.\n2. Making a good faith effort to not leak or destroy any Coinbase user data.\n3. 
Not defrauding Coinbase users or Coinbase itself in the process of discovery.\n\nIn order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.\n\n### Rewards\n\nThe minimum payout is **$100 USD** and an entry in our [hall of fame](https://hackerone.com/coinbase/thanks) for reporting a new security vulnerability which results in a code or configuration change on our part. There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found.\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\nWe use the following table as a guideline for determining reward amounts:\n\n| Vulnerability | Reward |\n|:------------- | -----:|\n| Remote Code Execution | $10,000 |\n| Significant manipulation of account balance | $5,000 |\n| XSS/CSRF/Clickjacking affecting sensitive actions [1] |  $5,000 |\n| Theft of privileged information [2] | $3,000 |\n| Partial authentication bypass | $1,000 |\n| Other XSS (excluding [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)) | $1,000 |\n| Other vulnerability with clear potential for financial or data loss | $1,000 |\n| Other CSRF (excluding logout CSRF) | $250 |\n| Other best practice or defense in depth | $100 |\n|||\n\n[1] Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions\n\n[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent\n\n### Eligibility\n\nAll services provided by Coinbase are eligible for our bug bounty program, including the Coinbase Wallet, API, Merchant Tools, and Exchange.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* XSS\n* CSRF\n* Authentication bypass or privilege escalation\n* Click 
jacking\n* Remote code execution\n* Obtaining user information\n* Accounting errors\n\nIn general, the following would **not** meet the threshold for severity:\n\n* [Self-XSS](http://en.wikipedia.org/wiki/Self-XSS)\n* Denial of service\n* Spamming\n* Vulnerabilities in third party applications which make use of the Coinbase API\n* Vulnerabilities which involve privileged access to a victim's device(s)\n* Logout CSRF\n* User existence/enumeration vulnerabilities\n* Password complexity requirements\n* Reports from automated tools or scans (without accompanying demonstration of exploitability)\n* Social engineering attacks against Coinbase employees or contractors\n\nThe following domains are hosted by third parties, and are **not** currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* Any other service not directly hosted or controlled by Coinbase.\n\nCoinbase will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\nBy submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-11T23:57:03.855Z"},{"id":1500153,"new_policy":"## Coinbase Bug Bounty Program\n\nCoinbase recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n### Responsible Disclosure\n\nResponsible disclosure includes:\n\n1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.\n2. 
Making a good faith effort to not leak or destroy any Coinbase user data.\n3. Not defrauding Coinbase users or Coinbase itself in the process of discovery.\n\nIn order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.\n\n### Rewards\n\nThe minimum payout is **$100 USD** and an entry in our [hall of fame](https://hackerone.com/coinbase/thanks) for reporting a new security vulnerability which results in a code or configuration change on our part. There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found. \n\nResearchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.\n\nWe use the following table as a guideline for determining reward amounts:\n\n| Vulnerability | Reward |\n|:------------- | -----:|\n| Remote Code Execution | $10,000 |\n| Significant manipulation of account balance | $5,000 |\n| XSS affecting sensitive actions [1] |  $5,000 |\n| CSRF affecting sensitive actions [1] | $5,000 |\n| Theft of privileged information [2] | $3,000 |\n| Partial authentication bypass | $1,000 |\n| Other XSS | $1,000 |\n| Other vulnerability with clear potential for financial or data loss | $1,000 |\n| Other CSRF (excluding logout CSRF) | $250 |\n|||\n\n[1] Sensitive actions include: depositing, trading, or sending money\n\n[2] Privileged information includes: passwords, API keys, bank account numbers, social security numbers or equivalent\n\n### Eligibility\n\nAll services provided by Coinbase are eligible for our bug bounty program, including the Coinbase Wallet, API, Merchant Tools, and Exchange.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* XSS\n* CSRF\n* Authentication bypass or privilege escalation\n* Click jacking\n* Remote code execution\n* 
Obtaining user information\n* Accounting errors\n\nIn general, the following would **not** meet the threshold for severity:\n\n* Denial of service\n* Spamming\n* Vulnerabilities in third party applications which make use of the Coinbase API\n* Vulnerabilities which involve privileged access to a victim's device(s)\n* Logout CSRF\n* User existence/enumeration vulnerabilities\n* Password complexity requirements\n* Reports from automated tools or scans (without accompanying demonstration of exploitability)\n* Social engineering attacks against Coinbase employees or contractors\n\nThe following domains are hosted by third parties, and are **not** currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* Any other service not directly hosted or controlled by Coinbase.\n\nCoinbase will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award.\n\nBy submitting a bug, you agree to be bound by the above rules.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-02T20:31:09.314Z"},{"id":1442414,"new_policy":"## Coinbase Bug Bounty Program\n\nCoinbase recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n### Responsible Disclosure\n\nResponsible disclosure includes:\n\n1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.\n2. Making a good faith effort to not leak or destroy any Coinbase user data.\n3. 
Not defrauding Coinbase users or Coinbase itself in the process of discovery.\n\nIn order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.\n\n### Rewards\n\nThe minimum payout is **$1,000 USD** (paid in bitcoin) for reporting a previously unknown security vulnerability of sufficient severity. There is no maximum reward, and we may award higher amounts based on severity or creativity of the vulnerability found.\n\nWe also provide attribution on this page as a thank you.\n\n### Eligibility\n\nAll services provided by Coinbase are eligible for our bug bounty program, including the Coinbase Wallet, API, Merchant Tools, and Exchange.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* XSS\n* CSRF\n* Authentication bypass or privilege escalation\n* Click jacking\n* Remote code execution\n* Obtaining user information\n* Accounting errors\n\nIn general, the following would **not** meet the threshold for severity:\n\n* Denial of service\n* Spamming\n* Vulnerabilities in third party applications which make use of the Coinbase API\n\nThe following domains are hosted by third parties, and are **not** currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* Any other service not directly hosted or controlled by Coinbase.\n\nCoinbase reserves the right to decide if the minimum severity threshold for a vulnerability is met, and whether or not it has been previously reported.\n\n### Thank you for helping keep the bitcoin community 
safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-05-11T01:29:03.274Z"},{"id":1442413,"new_policy":"## Coinbase Bug Bounty Program\n\nCoinbase recognizes the importance of security researchers in helping keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page.\n\n### Responsible Disclosure\n\nResponsible disclosure includes:\n\n1. Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.\n2. Making a good faith effort to not leak or destroy any Coinbase user data.\n3. Not defrauding Coinbase users or Coinbase itself in the process of discovery.\n\nIn order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.\n\n### Rewards\n\nThe minimum payout is **$1,000 USD** (paid in bitcoin) for reporting a previously unknown security vulnerability of sufficient severity. 
There is no maximum reward, and we may award higher amounts based on severity or creativity of the vulnerability found.\n\nWe also provide attribution on this page as a thank you.\n\n### Eligibility\n\nAll services provided by Coinbase are eligible for our bug bounty program, including the Coinbase Wallet, API, Merchant Tools, and Exchange.\n\nIn general, anything which has the potential for financial loss or data breach is of sufficient severity, including:\n\n* XSS\n* CSRF\n* Authentication bypass or privilege escalation\n* Click jacking\n* Remote code execution\n* Obtaining user information\n* Accounting errors\n\nIn general, the following would **not** meet the threshold for severity:\n\n* Denial of service\n* Spamming\n* Vulnerabilities in third party applications which make use of the Coinbase API\n\nThe following domains are hosted by third parties, and are not currently eligible for our bug bounty program (unless they lead to a vulnerability on the main website):\n\n* blockr.io\n* blog.coinbase.com\n* community.coinbase.com\n* status.coinbase.com\n* support.coinbase.com\n* Any other service not directly hosted or controlled by Coinbase.\n\nCoinbase reserves the right to decide if the minimum severity threshold for a vulnerability is met, and whether or not it has been previously reported.\n\n### Thank you for helping keep the bitcoin community safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-05-11T01:27:48.532Z"}]