Coinbase is the world’s leading platform for buying and selling bitcoin, a person-to-person digital currency. The Bitcoin network touches thousands of computers and millions of participants globally, which keeps the Coinbase platform diverse and driven. Security is extremely important for Coinbase in its mission to bring bitcoin to the mainstream.
Coinbase adopted the HackerOne platform to access top security researchers, manage vulnerability reports, and pay bounties; they engaged Bishop Fox to help oversee and validate the inbound report queue.
HackerOne provides a vulnerability coordination platform and workflow for interacting with and rewarding researchers. Their service introduced Coinbase to over 2,000 hackers within the HackerOne network, who increased the number of useful, valid vulnerabilities reported. Repeat reporters became an extension of the security team, often helping with remediation by retesting the same issues after patches were released. HackerOne allowed Coinbase, Bishop Fox, and researchers to communicate directly and validate reports. HackerOne's integration with common development issue trackers, such as JIRA and Phabricator, simplified Coinbase's remediation process for valid reports.
The Bishop Fox team of security experts has been managing bounty programs since 2011, before bug bounties became an established security norm. With bug bounty hall-of-famers on its team, Bishop Fox provides big-picture insight into common patterns of reported bugs and has experience from both sides of the hunt.
Bishop Fox applied their security expertise and experience to evaluate, flag, and prioritize the most important vulnerabilities to Coinbase. “We provided initial triage and assessment of incoming bug reports, passing on the most useful to Coinbase’s security team. We found the real threats and filtered out the fakes so Coinbase could focus on making improvements instead of validating findings,” said a Bishop Fox security analyst.
Bishop Fox’s curated lists of submissions increased the signal-to-noise ratio, reducing the amount of time that the Coinbase team had to spend on validation and remediation.