Coinbase Bug Bounty
Coinbase Bounty is worth up to $50,000 for a single disclosure of software security weakness. Participate in the Bounty campaigns to get rewards. There are different categories of bug reports with different payment amount. In an AirdropAlert article, it is reported that Coinbase Bug Bounty recently paid out $30,000 for a single critical bug report!
Coinbase, founded in June of 2012, is a digital currency wallet and platform where merchants and consumers can transact new digital currencies like bitcoin, ethereum, and litecoin with fiat currencies. They encourage responsible disclosure of security weakness via Coinbase Bug Bounty Program.
Would you like to receive free Bounty Alerts? Join our BountiesAlert Telegram!How to join the Coinbase Bug Bounty Bounty?
Coinbase Bounty Campaigns
In the Coinbase Bounty, Coinbase judges the value of your report to categorize the Tier and thus your reward in the following way:
Vulnerability Tier and Reward
- Critical: $50,000
- High: $15,000
- Medium: $2,000
- Low: $200
The Coinbase Bug Bounty program rewards users when they find and report a bug in the domains listed below. Note that some domains are not covered in this program.
- Domain: *.cbhq.net (critical)
- Domain: commerce.coinbase.com (critical)
- Domain: coinbase.com (critical)
- Domain: paradex.io (critical)
- Domain: prime.coinbase.com (critical)
- Domain: custody.coinbase.com (critical)
- Domain: pro.coinbase.com (critical)
- Android: Play Store: org.toshi (critical)
- Android: Play Store: com.coinbase.android (critical)
- iOS: App Store: com.coinbase.ios (critical)
- iOS: App Store: org.toshi.distribution (critical)
- CIDR : 220.127.116.11/27 (critical)
- other (medium)
Not paid domains:
- Domain: blog.coinbase.com
- Domain: engineering.coinbase.com
- Domain: developers.coinbase.com
- Domain: status.coinbase.com
- Domain: https://support.pro.coinbase.com/
- Domain: institutional.coinbase.com
- Domain: support.coinbase.com
The Bug Bounty Program policy requires researchers to obey“Responsible Disclosure", which includes:
- Providing Coinbase a reasonable amount of time to fix a weakness prior to sharing details of the weakness with any other party.
- Making a good faith effort to preserve the confidentiality and integrity of any Coinbase customer data.
- Not cheating Coinbase customers or Coinbase itself in the process of participating in the Bug Bounty Program.
- Not profiting from or allowing any other party to profit from a weakness outside of Bug Bounty Program payouts from Coinbase.
- Reporting weakness with no conditions, demands, or ransom threats.
More info, please visit the Coinbase Bug Bounty Program.