Coinbase clarifies bug bounty policy in response to Uber extortion verdict

The policy clarification stated that participants could not make threats, use extortion, or access customer data beyond what is accidental or in good faith.

In a November 30 blog post, Coinbase sought to clarify the policies of its bug bounty program in response to Uber's recent data breach verdict.

The company said it always welcomes "responsible" disclosure of security issues, but users who abuse this process will not receive bug bounties:

"The key word in all of this is 'responsible'. Following Uber's recent verdict, there is deep industry concern that bug bounty submissions are turning into extortion attempts. At Coinbase, [...] we've put a lot of thought into how we run our bug bounty program to stay on the right side of the law."

The official Coinbase bug bounty reporting page on HackerOne

The verdict Coinbase was referring to was delivered on October 5th. Former Uber security chief Joe Sullivan was found guilty of colluding with attackers to conceal evidence of a data breach, according to a Washington Post report. Sullivan had maintained that the attackers submitted the breach through the bug bounty program and that the company's payment to them was a bug bounty reward.

Tech companies often use bug bounties to encourage white hat hackers to find and report security flaws. But Sullivan's verdict raised the question of how far a bug bounty program can go in awarding prizes to hackers without breaking the law itself.

In its article, Coinbase said it has encountered bug bounty participants who claim to have committed criminal actions that would prevent the company from being able to legally make a payment.

For example, one participant sent several emails to the team stating that they had "306 million fully decoded user data" and a "workaround" to avoid the 48-hour waiting period on new devices. According to Coinbase, if that person really held such information, it would mean they had accessed customer data beyond what could be considered "good faith" or "accidental." In such a case, Coinbase would not be able to pay the bounty.

In this particular case, Coi...