Bitcoin exchange Coinbase has posted a comprehensive response to the recent bounty controversy. Yesterday, we first reported that the bitcoin exchange had surprisingly banned a user who helped them fix a vault bug that saved the San Francisco-based company from potential losses of millions of dollars.
Rob Witoff of Coinbase discussed the Company’s bug bounty program, which offers a minimum reward of $100 for bringing coding bugs and possible exploits to its attention. There is no upper limit on rewards as of yet, but identifying and demonstrating how a Remote Code Execution vulnerability can be exploited leads the pack with a bounty of $10,000. The bitcoin exchange revealed that it has paid a total of $103,801 in bounties since beginning the program in 2013, and is even looking forward to expanding this program.
Turning to the recent case, Coinbase acknowledged that a user did report a possible balance manipulation which could leave a wallet with a negative balance. The Company affirms that the security controls in place would have averted any actual loss of funds. But since this was a valid vulnerability, it awarded the researcher a bounty of $5,000 within 24 hours of the original HackerOne submission.
Regarding the banning of the researcher’s account, the Company clarified that it has never banned any user for responsible white-hat testing of its platform. The statement directly contradicts the claims of the user, who even posted a snapshot of the e-mail saying that his account had been blocked because he violated one or more Terms of Use. Here is the snapshot once again:
The case has brought bad press to the bitcoin company, and to limit the number of such events, the company will publicize a minimum of 30% of all valid submissions in 2016. It will also refine the terms of the program and engage with external researchers more responsibly.