Founded in 2012, Coinbase focused on developing a solid security infrastructure, integrating security audits and penetration testing along the way. However, they wanted to take their security program to the next level — maximizing their effort, minimizing their time, and focusing on producing a

All they needed was the right solution.
Coinbase adopted the HackerOne platform to access top security researchers, manage vulnerability reports, and pay bounties; they engaged Bishop Fox to help oversee and validate the inbound report queue.
HackerOne provides a vulnerability coordination platform and workflow for interacting with and rewarding researchers. Their service introduced Coinbase to over 2,000 hackers within the HackerOne network, who increased the number of useful, valid vulnerabilities reported. Repeat reporters became an extension of the security team, often helping with remediation by retesting the same issues after patches were released. HackerOne allowed Coinbase, Bishop Fox, and researchers to communicate directly and validate reports. HackerOne's integration with common development issue trackers, such as JIRA and Phabricator, simplified Coinbase's remediation process for valid reports.
The Bishop Fox team of security experts has been managing bounty programs since 2011, before bug bounties became an established security norm. With bug bounty hall-of-famers on their team, they provide big-picture insight into common patterns in reported bugs and have experience from both sides of the hunt.
Bishop Fox applied their security expertise and experience to evaluate, flag, and prioritize the most important vulnerabilities to Coinbase. “We provided initial triage and assessment of incoming bug reports, passing on the most useful to Coinbase’s security team. We found the real threats and filtered out the fakes so Coinbase could focus on making improvements instead of validating findings,” said a Bishop Fox security analyst.
Bishop Fox’s curated lists of submissions increased the signal-to-noise ratio, reducing the amount of time that the Coinbase team had to spend on validation and remediation.