An unidentified bug finder has just cashed out $30,000 awarded to them by Coinbase, a U.S.-based cryptocurrency exchange. The bounty hunter had discovered an error on the platform that could pose security threats. However, the exact nature of the bug has not been disclosed, according to a media report on February 16.
Bug Finder Uploads Report on Coinbase
Based on reports, Coinbase has paid $30,000 to a bug finder after they uploaded a report of the issue they had discovered to Coinbase’s vulnerability disclosure program. The money was later awarded by the exchange as part of its Bug Bounty Program. While the nature of the fault that was discovered has not been disclosed, it can be assumed that the level of threat was high due to the amount that was paid.
Nonetheless, the bug has been fixed, even though the vulnerability report is inaccessible to users. Coinbase had previously stated in its terms that bounties are awarded based on the severity of the vulnerability discovered. Thus, a bounty hunter can win $200, $2,000, $15,000, or as much as $50,000 for impacts rated low, medium, high, and critical, respectively.
According to the Exchange:
In order to be deemed valid, a report must demonstrate a software vulnerability in a service provided by Coinbase that harms Coinbase or Coinbase customers… We determine severity based on two factors: impact and exploitability.
Critical Impact Specifications
In the same vein, Coinbase has outlined the conditions a reported flaw must meet before it can be classified as critical. Here, an attacker must be able to take advantage of a loophole to either read or modify sensitive data in the system. They must also be able to “execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.”
One more condition is that the hacker must be able to exploit the system without meeting significant roadblocks that might discourage the attempt. During the course of the week, three bounties have been awarded by the cryptocurrency exchange, but they were rated as “low-impact attack vectors”.
Coinbase Gave Out $10,000 in 2018 for Discovered Bug
Further reports reveal that in 2018 the US-based exchange awarded $10,000 to some researchers who discovered an error that could enable people to reward themselves with unlimited amounts of Ethereum. That aside, Block.one, an EOS developer, also awarded about $80,000 in bug bounties in 2019.
It is worth noting that encouraging people to discover errors on platforms also helps to strengthen the exchanges’ security. Given recent events at exchanges like Coincheck, which was hacked in 2018, and Cryptopia, which was hacked on January 14, 2019, bounties of this nature have become necessary.