Coinbase
The largest US-based cryptocurrency exchange, providing trading, custody, staking, and institutional services for digital assets.
https://coinbase.comMax Reward
$250,000
Total Paid
$6,700,000
Resolved
478
Avg Response
2 days
In-Scope Assets
coinbase.com
Exchange platform, trading interface, and wallet
Coinbase Pro API
Advanced trading APIs and WebSocket feeds
Coinbase Wallet
Self-custody wallet and dApp browser
Base L2 Chain
Base network bridge, explorer, and smart contracts
Out of Scope
- ✕ Third-party dApps on Base
- ✕ Social media accounts
- ✕ Physical office security
Severity Levels & Rewards
RCE, authentication bypass, privilege escalation, fund extraction
Stored XSS, CSRF with impact, API abuse, data manipulation
Reflected XSS, data leakage, logic flaws, information disclosure
Verbose errors, minor config issues, low-impact info disclosure
Active Bounties (3)
| ID | Title | Severity | Status | Reward | Submissions |
|---|---|---|---|---|---|
| CB-001 | Double-spend via race condition in withdrawal API | Critical | Open | $50,000–$250,000 | 0 |
| CB-002 | IDOR in user portfolio API leaking balances | High | In Review | $10,000–$30,000 | 1 |
| CB-003 | XSS via crafted token name on Base explorer | Medium | Open | $2,000–$5,000 | 2 |
Rules of Engagement
• Do not access, modify, or delete data belonging to other users.
• Do not perform denial-of-service attacks or automated scanning at high volume.
• Report vulnerabilities promptly and provide sufficient detail to reproduce.
• Allow reasonable time for fix before public disclosure (90 days).
• Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.