Coinbase responds to white hat hacker account "blocking" incident

The public image of hackers can be summed up in one word: "black". They use sophisticated computer skills to break into systems and steal personal information, money, and even government secrets.

Not all hackers are "black", however. Those who use their skills to do good are called "white hat hackers" (or simply "white hats"), and their work overlaps with that of network security engineers. Many white hats work for security companies or make a living by testing the security of computer systems and collecting bounties from the companies that run them.

The term "white hat" is said to have been coined by Jarrett Ridlinghafer in 1996 while he was at Netscape, where he also proposed the first bug bounty program. Bounty hunting has since become a profession in its own right: Facebook, Yahoo!, Google, Reddit, and others all run such programs.

Bitcoin wallet and exchange provider Coinbase likewise pays bounties to white hat researchers who help it find and fix vulnerabilities in its systems.

Recently, however, that program has been the subject of some controversy. A user named "pxallin1122" posted on Reddit that he had helped Coinbase fix a serious vulnerability with financial impact but had received only a small bounty. Worse, Coinbase then closed his account without giving a clear reason. The post drew a great deal of attention and comment on Reddit.

Coinbase's head of security, Rob Witoff, quickly joined the discussion and wrote a post clarifying how the company's white hat bounty program works.

Witoff said in the article:

“Coinbase has benefited greatly from the white hat bounty program over the past two years, and we strongly encourage white hats to find vulnerabilities in our systems for us and our partners in a timely manner.”

He continued:

"One of the challenges of this program is that we need to effectively handle the large number of submissions that are not useful and therefore not eligible for a bounty. This recent incident has made us want to shed some light on certain aspects of our white hat bounty program."

Coinbase launched the program on the HackerOne platform in 2013. Hackers who join HackerOne can submit reports to help the company improve the security of its systems.

The program's results are reviewed every quarter. According to that review, Coinbase has paid out a total of $103,801 in bounties since the program began, and nine percent of submissions have been resolved in collaboration with the researchers who reported them.

Witoff then explained what happened in this particular case. The user's second report concerned the same issue as his first, but this time it posed a considerable challenge to Coinbase's security team.

"Although the vulnerability was clearly described, neither our security team nor the engineering team was able to reproduce or verify it. Due to a lack of information, we found that the researcher was actually unable to complete the fix for this vulnerability. A lack of information is common in all white hat cases. We regularly cooperate with researchers to provide clear test cases. This is where the misunderstanding occurred. The researcher said that, due to a lack of funds, they could not continue with the fix. Our team tried to provide them with funds, but the user's account had been restricted."

As for why the account was restricted, Witoff said:

“Restrictions are enforced by our compliance team for reasons that can be found in our User Agreement. Additionally, Coinbase has never and will never block any account for responsible white hat users. We have paid over $100,000 in bounties to white hat researchers since the program’s inception and intend to continue running the bounty program, so blocking accounts is not in our best interest.”

On the question of the account itself, Witoff said that restrictions are the responsibility of the compliance team, which operates independently of the security team. He did, however, admit that Coinbase had made mistakes of its own, in particular by failing to communicate with the user and respond to his requests in a timely manner.

Compiled by: printemps
Source: Babbitt Information (http://www.8btc.com/coinbase-response)

