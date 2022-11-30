
Coinbase Foils Extortion Attempt, Reinforces Bug Bounty Program

Frederick Munawa - CoinDesk
2022-11-30 17:14
Coinbase (COIN), America’s largest cryptocurrency exchange by trading volume and the first crypto exchange to go public on a U.S. stock market, is raising awareness of its bug bounty program after a recent extortion attempt.
A malicious actor emailed both Coinbase and CoinDesk earlier this month, claiming to have “dehashed” and “decrypted” sensitive data from 306 million Coinbase user accounts. (Coinbase says it is not mathematically possible to “dehash” or “decrypt” such data: a cryptographic hash is a one-way function, so an attacker holding hashed values can only guess candidate inputs and compare their hashes, not reverse the hash itself.) The individual threatened to go public if Coinbase didn’t pay $450,000.
Coinbase’s security team contacted the extortionist and subsequently confirmed that the claims of a breach were unfounded. (Coinbase said it typically collaborates with law enforcement in such cases but did not elaborate on whether charges might be laid.)
“This is an absolutely baseless extortion attempt. The individual is falsifying information to come across as legitimate and they're just trying to extort money out of companies. I'm sure we're not the first company on their list or the only scam they have running,” Jeff Lunglhofer, chief information security officer at Coinbase, told CoinDesk in an interview.
Last month, Uber’s former chief security officer, Joe Sullivan, was convicted of two felonies, obstruction of justice and misprision of a felony, for covering up a 2016 breach of the ride-hailing firm’s database and the $100,000 payment made to the hackers, which was routed through Uber’s bug bounty program.
Both the Uber scandal and the recent email incident prompted Lunglhofer to reiterate the importance of a robust bug bounty program in a new Coinbase blog post. A bug bounty is a reward that companies pay to individuals or outside security teams who discover and alert them to vulnerabilities in their systems.
“In the wake of the recent Uber verdict, there is a lot of concern in the industry about bug bounty submissions becoming extortion attempts,” Lunglhofer wrote. “We thought we would share some of the best practices for responsible disclosure, illustrated by a recent (fraudulent) extortion attempt we received.”

You’ve spotted a bug. Now what?

If an individual discovers a vulnerability on any of Coinbase’s platforms, Lunglhofer emphasizes providing a detailed and accurate description of the alleged bug.
“We can’t evaluate a submission that lacks sufficient detail,” he states.
The details Lunglhofer typically looks for are a reproducible access path to sensitive information or to actual crypto assets, along with an assessment of the potential damage the vulnerability could cause.
Once an individual has collected all the pertinent details, the second step is to give Coinbase sufficient time to fix the bug before disclosing its existence to anyone else.
“A responsible security researcher will always provide a reasonable amount of time for us to respond to and fix a security issue before disclosing the details to any other party,” says Lunglhofer.
Finally, Lunglhofer stresses the importance of remaining lawful. Attempting to extort or blackmail a company for $450,000 is blatantly criminal.
“A bug bounty submission can never contain threats or any attempts at extortion. We are always open to paying bounties for legitimate findings,” says Lunglhofer. “Ransom demands are an entirely different matter.”
Coinbase’s bug bounty program marked its 10-year anniversary last month. The program has found and fixed over 600 bugs and paid out more than $400,000 in bounties this year alone. The largest bounty from the program, a cool $250,000, was paid this past February to an independent researcher who discovered a vulnerability in Coinbase’s trading interface.