An interesting post appeared on the /r/Bitcoin subreddit, where a user named "pxallin1122" said that he helped Coinbase solve a major financial vulnerability, and although he also received a small bug bounty, he was unhappy that Coinbase closed his account without giving a clear reason. The original post is translated as follows:

I started using Coinbase as my "online bitcoin vault" in June 2015, and after about 4-5 months, I had increased my bitcoin holdings from $2,500 to $10,000. I was very curious about how their "vault" system worked, and I wanted to know how secure it was. After testing it for about a week, I found a very important vulnerability on the Coinbase website. In summary, this vulnerability allowed me to continue withdrawing BTC when my account balance was negative, which could lead to a large amount of bitcoin withdrawals that I actually did not have. Instead of exploiting this vulnerability, I decided to help Coinbase fix it, and showed them step by step how to reproduce the bug on

After I got my bounty, they "secretly" blocked my account, which I was deeply touched by. I had no idea what was going on; they just sent me an email telling me that my account was banned or locked. Then, I found that they also locked my Bitcoins, and I couldn't withdraw or use them. I sent them several emails, but received no clear response.

After further investigation of their "Vault" product, I found that almost the same vulnerability as before still existed. After notifying Coinbase of this new vulnerability, they spent several months fixing the problem on HackerOne, and then they completely banned my Coinbase account without giving any relevant reasons, and then they contacted me again about HackerOne, hoping that I could give further instructions, which they clearly knew I could not do because they had banned my account before asking questions.

As time passed, Coinbase did not give a clear response, labeled this new vulnerability as "providing useful information", and did not give me any bounty. I tried to check this new vulnerability again through a new account, and found that they had already fixed it, and of course, did not give me a reward.

I didn't want to make this public, and I thought about settling it privately with Coinbase, but unfortunately, I didn't get the response I deserved, and I had no other choice but to share this with everyone.

Proof:

The first one exploits the vulnerability on HackerOne:

Proof of the first correct implementation of the vulnerability:

Proof that after Coinbase fixed the second vulnerability, they banned my account:

After they fixed the second vulnerability and banned me from accessing Coinbase, the second vulnerability was marked as "providing useful information":

Note: I only use Coinbase to store my Bitcoins; I have never used Coinbase to buy or sell coins.

Update: Coinbase has emailed me to say they will review the information I reported about HackerOne.

Original text: https://www.reddit.com/r/Bitcoin/comments/3xksss/coinbase_bans_me_after_i_help_them_fix_major/