Coinbase clarifies bug bounty policy in response to Uber extortion verdict
The policy clarification stated that participants cannot make threats, use extortion, or access customer data beyond what is accidental or occurs in good faith.

In a blog post on November 30, Coinbase sought to clarify its bug bounty program policies in response to the recent Uber data breach verdict. The company stated that it still welcomes “responsible” disclosure of security issues, but users who abuse this process will not be awarded bug bounties:

“The key word in all of this is ‘responsible’. In the wake of the recent Uber verdict, there is a lot of concern in the industry about bug bounty submissions becoming extortion attempts. At Coinbase, [...] we’ve put a lot of thought into how we operate our bug bounty program to stay on the right side of the law.”

The official Coinbase bug bounty reporting page at HackerOne

The verdict Coinbase was referring to was issued on October 5. Joe Sullivan, former Uber security chief, was found guilty of colluding with attackers to cover up ev...