Coinbase responds to white hat bounty complaint
A white hat hacker has publicly voiced their concerns regarding the Coinbase exchange bug bounty program. The company CEO has responded to the complaint by offering further transparency.
In today’s society hackers are often perceived as dark and sinister. They use their extensive computer skills to break into all sorts of systems, stealing personal data, money and even government secrets.
Alonzo Knowles is currently being held without bail for hacking into celebrities’ email accounts and stealing unreleased movies, TV scripts, and sex tapes, which he sold for a profit. He clearly demonstrates the dark side of hacking: a “black hat” hacker out for personal gain, at his victims’ expense.
There is, of course, another side to the hacking story. “White hat” describes those with good intent, a hacker who can use their skills to identify weaknesses in a computer system or network. As opposed to taking malicious advantage of exposed vulnerabilities, these hackers choose to present system administrators with their findings, so that fixes can be applied.
These computer security experts can make good money helping platforms secure data. Many companies hire them to find flaws, while others provide bug bounty programs for freelance work.
Jarrett Ridlinghafer coined the term in 1996, while working at Netscape, and an entire industry has now emerged. Bounties have been offered by Facebook, Yahoo!, Google, Reddit, and Square.
The bitcoin wallet and platform provider Coinbase, founded in 2012, also offers various bounties. However, it appears there has been some confusion around the process. “Over the past two years Coinbase has benefited greatly from running a public bug bounty program and we believe strongly in incentivizing the white-hat community to responsibly disclose vulnerabilities to us and our partners,” states a recent company blog post.
The recent post from Coinbase was in response to a white hat hacker, going by the name pxallin1122, who applied their skills to finding vulnerabilities in the company’s wallet service, and who accused Coinbase of banning them.
“After using Coinbase as my ‘online btc vault’ for about 4-5 months, keeping anywhere from $2500 worth of btc to $10,000, I got very interested in how their ‘Vault’ system works and how safe it is. After testing it out and experimenting with it for over a week I was able to find one of the most major exploits on the site.”
— pxallin1122
Pxallin1122 describes an investigation into the Vault system which began in June 2015. The fault allowed users to put an account into a negative balance, which pxallin1122 said, “resulted in me being able to cashout infinite Bitcoins even if i didn’t have them on my account.”
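The article does not say how the negative balance arose, only that an account could be driven below zero and that funds not actually held could then be cashed out. The following Python example, added here and not Coinbase’s code, constructs a toy two-account ledger (vault and spending wallet, both hypothetical) to show the general shape of that bug class: a transfer that debits a source account without enforcing a non-negative balance creates value out of nothing, and each such transfer can be paid out. The hardened version performs the balance check inside the same critical section as the update and adds an invariant audit that flags any internal account below zero.

```python
from decimal import Decimal
from threading import Lock


class InsufficientFunds(Exception):
    """Raised when a debit would take an account below zero."""


class Ledger:
    """Minimal ledger constructed for illustration: every move debits one
    account and credits another, so the sum over all accounts (including
    the external 'payout' account) never changes."""

    def __init__(self):
        self._balances = {}
        self._lock = Lock()

    def balance(self, account):
        return self._balances.get(account, Decimal("0"))

    def deposit(self, account, amount):
        with self._lock:
            self._balances[account] = self.balance(account) + amount

    def move_unchecked(self, src, dst, amount):
        # Vulnerable pattern: the source is debited without checking that it
        # can cover the amount, so it can be driven negative while the
        # destination is credited with funds that were never held.
        with self._lock:
            self._balances[src] = self.balance(src) - amount
            self._balances[dst] = self.balance(dst) + amount

    def move_checked(self, src, dst, amount):
        # Hardened pattern: validate the amount and enforce the non-negative
        # invariant on the source inside the same lock as the update, so a
        # concurrent request cannot act on a stale balance.
        if amount <= 0:
            raise ValueError("amount must be positive")
        with self._lock:
            available = self.balance(src)
            if available < amount:
                raise InsufficientFunds(f"{src} holds {available}, needs {amount}")
            self._balances[src] = available - amount
            self._balances[dst] = self.balance(dst) + amount

    def negative_accounts(self):
        # Invariant audit a reconciliation job would run: any account below
        # zero means value was created somewhere and must be investigated.
        return sorted(a for a, b in self._balances.items() if b < 0)


def run_scenario(move):
    """Deposit 1 BTC into the vault, then try three times to sweep 1 BTC from
    the vault to the spending wallet and pay it out. Returns the total paid
    out, the final vault balance, and any accounts that went negative."""
    ledger = Ledger()
    ledger.deposit("vault", Decimal("1"))
    paid_out = Decimal("0")
    for _ in range(3):
        try:
            move(ledger, "vault", "wallet", Decimal("1"))
            move(ledger, "wallet", "payout", Decimal("1"))
            paid_out += Decimal("1")
        except InsufficientFunds:
            break
    return paid_out, ledger.balance("vault"), ledger.negative_accounts()


def demo_vulnerable():
    # Unchecked moves: 3 BTC leave the system against a 1 BTC deposit.
    return run_scenario(lambda l, s, d, a: l.move_unchecked(s, d, a))


def demo_hardened():
    # Checked moves: the second sweep is rejected, only 1 BTC is paid out.
    return run_scenario(lambda l, s, d, a: l.move_checked(s, d, a))


if __name__ == "__main__":
    print("unchecked:", demo_vulnerable())
    print("checked:  ", demo_hardened())
```

The important design choice is that the balance check and the balance update happen under one lock (or, in a real system, in one database transaction with a row lock or a conditional update such as `UPDATE ... WHERE balance >= amount`); a check performed outside that critical section reopens the same overdraft through a race, even though a naive reading of the code looks correct.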
If this had been uncovered by someone with malicious intent, pxallin1122 claims, it could have resulted in a seven-figure loss for Coinbase. The white hat expected upwards of US$25,000 for their discovery, and was disgruntled when Coinbase paid US$5000.
Considering the potential for losses in the millions, this may sound like a small amount. According to a study by Bugcrowd, a San Francisco-based cybersecurity firm, bug bounty hunters can expect to earn an average of US$200.81 per vulnerability submission. Finding unique and innovative flaws can see a white hat receiving US$10,000 for their work, as at least one researcher did last year.
The investigation by pxallin1122 continued, and they reported uncovering a second, “almost identical” exploit. At this time, the poster said a “secret ban” had been placed on their Coinbase account: bitcoin could be deposited, but not withdrawn.
Pxallin1122 stated that although Coinbase was informed, it took the company months to reply. At that point a full ban was reportedly placed on the user’s account, and pxallin1122 decided it was time to take the information to the public.
The reddit thread drew a lot of attention from the bitcoin community, and Coinbase Director Rob Witoff quickly responded, adding to the public discussion and seizing the opportunity to share more of the inner workings of the programme.
“One of the challenges with a white-hat program is effectively managing the majority of submissions that do not result in a paid bounty. One recent public example highlighted some aspects of our security program that we’d like to reflect on.”
— Rob Witoff, Director at Coinbase
In 2013, the team at Coinbase decided to run their bug bounty program through HackerOne, a platform designed to streamline vulnerability coordination by enlisting hackers to improve security.
The exchange reviews the results of its program every quarter, and revealed that since its initiation the company has paid out a total of US$103,801. Nine percent of the submissions were resolved by working with bug bounty hunters.
The second exploit discovery was labeled as “informative,” and no bounty was offered. According to Coinbase, although the attack was described, its team was unable to replicate the balance manipulation.
“The researcher then explained that they only ‘half way completed the bug’ but could not finish the exploit due to a lack of funds. Our Security Team attempted to provide the user additional funds to execute the purported exploit but could not because of separate restrictions on this user’s account applied by our independent Compliance Team for unrelated reasons.”
— Witoff
Witoff further states that Coinbase “has never, and will never ban a user for any responsible white-hat security testing of our public endpoints […] Banning a researcher for security submissions would be bad for both security and business and is counter to our mission.”
Witoff admits that communication could have been more timely. “From the first submission on October 20th to the final response on December 1st, 42 days passed including several without answering following requests for comment by the researcher. This was neither professional nor courteous to the researcher and we should have more promptly dispositioned the submission.”
The team at Coinbase advise that, after reflecting on the bounty programme in 2015, they plan to refine the programme’s terms, improve their interactions with researchers, and increase their engagement with participants. “We believe that any organization that truly cares about security is clearly incentivized to run a healthy bug bounty program,” said Witoff.