{"id":518811,"date":"2022-12-01T00:30:00","date_gmt":"2022-11-30T21:30:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/coinbase-clarifies-bug-bounty-policy-in-response-to-uber-extortion-verdict\/"},"modified":"2022-12-01T00:30:00","modified_gmt":"2022-11-30T21:30:00","slug":"coinbase-clarifies-bug-bounty-policy-in-response-to-uber-extortion-verdict","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/coinbase-clarifies-bug-bounty-policy-in-response-to-uber-extortion-verdict\/","title":{"rendered":"# Coinbase clarifies bug bounty policy in response to Uber extortion verdict"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"%E2%80%9D_Coinbase_clarifies_bug_bounty_policy_in_response_to_Uber_extortion_verdict_%E2%80%9C\"><\/span>&#8221; Coinbase clarifies bug bounty policy in response to Uber extortion verdict &#8220;<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p><img decoding=\"async\" src=\"https:\/\/images.cointelegraph.com\/images\/840_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjItMTEvZDVhOGQwNjAtZTQ5Mi00YWVmLWFlZGQtMjVlODZmZGFjNDdkLmpwZw==.jpg\" \/><\/p>\n<div class=\"post-content\" data-v-b8b12140>In a blog post on November 30, Coinbase sought to clarify its bug bounty program policies in response to the recent Uber data breach verdict.<\/p>\n<p>The company stated that it still welcomes \u201cresponsible\u201d disclosure of security issues, but users who abuse this process will not be awarded bug bounties:<\/p>\n<blockquote><p>\u201cThe key word in all of this is \u2018responsible\u2019. In the wake of the recent Uber verdict, there is a lot of concern in the industry about bug bounty submissions becoming extortion attempts. At Coinbase, [&#8230;] we\u2019ve put a lot of thought into how we operate our bug bounty program to stay on the right side of the law.\u201d<\/p><\/blockquote>\n<p><em>The official Coinbase bug bounty reporting page at HackerOne<\/em><\/p>\n<p>The verdict Coinbase was referring to was issued on October 5. 
Joe Sullivan, former Uber security chief, was found guilty of colluding with attackers to cover up evidence of a data breach, according to a report by the Washington Post. Sullivan had originally claimed that the attackers had submitted the breach as a bug bounty and that the company had paid them as a bug bounty reward.<\/p>\n<p>Tech companies often use bug bounties to encourage white hat hackers to find security vulnerabilities and report them. But the Sullivan verdict has raised the question of how far a bug bounty program can go in awarding prizes to hackers without running afoul of the law itself.<\/p>\n<p>In its post, Coinbase stated that it has encountered some bug bounty participants who claim to have committed criminal actions that would prevent the company from being able to legally make a payout.<\/p>\n<p>For example, a participant submitted multiple emails to the team saying that they had \u201c306 million users data fully dehashed\u201d and a \u201cbypass\u201d to skip the 48 hour waiting period on new devices. According to Coinbase, if this person had such information, it would mean that they accessed customer data beyond what could be considered \u201cgood faith\u201d or \u201caccidental.\u201d In such a case, Coinbase would not be able to pay the bounty.<\/p>\n<p>In this particular case, Coinbase said they believed that the participant was making a false claim. The participant did not provide any information that would allow the claim to be verified, so the team ignored the request for a bounty. But even if the person making the claim had been telling the truth, it would have been illegal to pay out the reward to them.<\/p>\n<p>Coinbase also emphasized that threats or other extortion attempts will not result in a bug bounty payout:<\/p>\n<blockquote><p>\u201cMost important of all \u2014 a bug bounty submission can never contain threats or any attempts at extortion. We are always open to paying bounties for legitimate findings. 
Ransom demands are an entirely different matter.\u201d<\/p><\/blockquote>\n<p>The practice of paying bug bounties is sometimes controversial. Critics say that it can encourage malicious behavior, while supporters say it often allows vulnerabilities to be discovered safely. On Oct. 19, an attacker drained the Moola Market DeFi app of $9 million worth of cryptocurrency. But when the developer offered to let the attacker keep $500K as a bug bounty, the attacker returned the other $8.5 million.<\/p>\n<p>A similar attack occurred on the decentralized exchange, KyberSwap, in September. In this case, the attackers stole $265K, and the developers offered to let them keep 15% of the funds if they would return the rest. Suspects in the case were later identified, but the funds have not been returned, and the hackers appear to still be at large.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/coinbase-clarifies-bug-bounty-policy-in-response-to-uber-extortion-verdict\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8221; Coinbase clarifies bug bounty policy in response to Uber extortion verdict &#8220; In a blog post on November 30, Coinbase sought to clarify its bug bounty program policies in response to the recent Uber data breach verdict. 
The company stated that it still welcomes \u201cresponsible\u201d disclosure of security issues, but users who abuse this&#8230;<\/p>\n","protected":false},"author":1,"featured_media":518812,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/images.cointelegraph.com\/images\/1200_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjItMTEvZDVhOGQwNjAtZTQ5Mi00YWVmLWFlZGQtMjVlODZmZGFjNDdkLmpwZw==.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74894,74956,117,70944,1450],"class_list":["post-518811","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-blockchain","tag-coinbase","tag-business","tag-hackers","tag-uber"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/518811","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=518811"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/518811\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/518812"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=518811"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=518811"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=518811"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}