Founded in 2012, Coinbase focused on developing a solid security infrastructure, integrating security audits and penetration testing along the way. However, they wanted to take their security program to the next level — maximizing their effort, minimizing their time, and focusing on producing a quality product.
All they needed was the right solution.
Coinbase adopted the HackerOne platform to access top security researchers, manage vulnerability reports, and pay bounties; they engaged Bishop Fox to help oversee and validate the inbound report queue.
HackerOne provides a vulnerability coordination platform and workflow for interacting with and rewarding researchers. Their unique service introduced Coinbase to over 2,000 hackers within the HackerOne network, who increased the number of useful, valid vulnerabilities reported. Repeat reporters became an extension of the security team, often helping with remediation as they retested the same issues after patches were released. HackerOne allowed Coinbase, Bishop Fox, and researchers to communicate directly and validate reports. HackerOne’s integration with common development issue trackers, such as JIRA and Phabricator, simplified Coinbase’s remediation process for valid reports.
The Bishop Fox team of security experts has been managing bounty programs since 2011, before bug bounties became an established security norm. With bug bounty hall of famers on their team, they provide big-picture insight into common patterns of reported bugs and have experience from both sides of the hunt.
Bishop Fox applied their security expertise and experience to evaluate, flag, and prioritize the most important vulnerabilities to Coinbase. “We provided initial triage and assessment of incoming bug reports, passing on the most useful to Coinbase’s security team. We found the real threats and filtered out the fakes so Coinbase could focus on making improvements instead of validating findings,” said a Bishop Fox security analyst.
Bishop Fox’s curated lists of submissions increased the signal-to-noise ratio, reducing the amount of time that the Coinbase team had to spend on validation and remediation.