Coinbase Bug Bounty Award
Coinbase is one of the best Bitcoin-related sites/services. They're certainly the easiest way to buy or sell Bitcoin if you have a U.S. bank account. When I saw their Bug Bounty program, where they offer $1,000 USD worth of Bitcoin if you find a security vulnerability, it improved my trust in their security, but of course it also made me want to look for security bugs…
I had recently heard about Burp and wanted to play around with it. When I had some spare time around Thanksgiving, I fired it up and started poking at all the forms in the various Coinbase settings pages, trying to find an XSS or other security issue. I pretty quickly managed to generate a few 500 errors, but server errors on their own aren't a reportable vulnerability, so that wouldn't be enough. Within a couple of hours, though, I found what I considered to be a real XSS issue. It wasn't a huge issue, and it wouldn't have affected a large number of users, but it was an XSS nevertheless.
It took a while for them to get back to me, but eventually they agreed it was an XSS, granted me the $1,000 worth of BTC, and added me to their Awards section!