Coinbase Program Statistics

82 total issues disclosed
$100,150 total paid publicly
Most common vulnerability type: None supplied (17 of the 82 disclosures carry no type)

Disclosed Reports

Severity is the value shown on the program page at disclosure time; "No rating" and "None" mean the report was disclosed without a severity assigned. Rows with identical titles, researcher and date are separate reports, not duplicates (the table lists all 82 disclosed issues).

Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on
User provided values trusted in sensitive actions | None supplied | paulos_ | No rating | 2018-04-09
User provided values passed to PHP unset() function | Type Confusion | paulos_ | No rating | 2018-04-09
Double Payout via PayPal | Business Logic Errors | dawgyg | Critical | 2018-04-04
ETH contract handling errors | Business Logic Errors | ambisafe | Critical | 2018-04-04
ETH contract handling errors | Business Logic Errors | ambisafe | Critical | 2018-04-04
Prepopulation of email address and name leaks information provided to other merchants | UI Redressing (Clickjacking) | cablej | No rating | 2018-04-02
Stored CSS Injection | Resource Injection | cablej | No rating | 2018-04-02
Ethereum account balance manipulation | Business Logic Errors | vicompany | Critical | 2018-03-21
Ethereum account balance manipulation | Business Logic Errors | vicompany | Critical | 2018-03-21
New Device Confirmation Bug | None supplied | whysoleet | No rating | 2017-09-09
Captcha Bypass in Coinbase SignUp Form | Violation of Secure Design Principles | tejpratap | Low | 2017-09-05
Information disclosure in Android Application | Denial of Service | mangotango | Low | 2017-08-31
Inaccurate Payment receipt | None supplied | dpgribkov | No rating | 2017-08-31
Information disclosure in Coinbase Android app | Improper Authentication - Generic | 7h3_3y3 | Low | 2017-08-31
CSRF bug on signup session | Cross-Site Request Forgery (CSRF) | dark_heaven | No rating | 2017-08-31
CSRF bug on password change | Cross-Site Request Forgery (CSRF) | dark_heaven | No rating | 2017-08-28
XSSI (Cross Site Script Inclusion) | Cross-Site Request Forgery (CSRF) | paulos_ | No rating | 2017-08-23
Device confirmation Flaw | None supplied | mohammad_obaid | None | 2017-08-02
Information disclosure same issue #176002 | None supplied | port | Low | 2017-07-21
Open redirect on sign in | Open Redirect | dark_heaven | Low | 2017-06-23
X-Frame-Options | UI Redressing (Clickjacking) | dark_heaven | None | 2017-06-22
[buy.coinbase.com] Content Injection | None supplied | mga_bobo | Low | 2017-05-26
Requestor Email Disclosure via Email Notification | Information Disclosure | japz | Low | 2017-02-02
Authentication Issue | Privilege Escalation | bugdiscloseguys | Low | 2017-01-06
Content Injection error page | Violation of Secure Design Principles | dr_dragon | No rating | 2017-01-06
Application error message | Information Disclosure | dr_dragon | No rating | 2016-11-28
Window.opener bug at www.coinbase.com | None supplied | punkrock | No rating | 2016-11-28
Information leakage on https://docs.gdax.com | Information Disclosure | ahmed_ezzat_nasr0x | No rating | 2016-11-28
Bypassing the email validation in the sign-up process in mobile apps | Violation of Secure Design Principles | kaleemgiet | No rating | 2016-11-28
Information disclosure of user by email using buy widget | Information Disclosure | cablej | Medium | 2016-11-16
Runtime manipulation of iOS app breaking the PIN | Violation of Secure Design Principles | kaleemgiet | No rating | 2016-11-16
Coinbase email leak while sending and requesting | Improper Authentication - Generic | anda123 | Low | 2016-10-11
Blacklist bypass on Callback URLs | Information Disclosure | agarri_fr | No rating | 2016-09-14
window.opener is leaking to external domains upon redirect on Safari | Violation of Secure Design Principles | cablej | No rating | 2016-08-22
Create Multiple Accounts Using Similar X-CSRF Token | Violation of Secure Design Principles | rajauzairabdullah | No rating | 2016-08-09
The 'Create a New Account' action is vulnerable to CSRF | Cross-Site Request Forgery (CSRF) | roshanpty | No rating | 2016-07-24
An adversary can overwhelm the resources by automating Forgot password/Sign Up requests | Improper Authentication - Generic | roshanpty | No rating | 2016-07-24
No authorization required in iOS device web-application | Improper Authentication - Generic | ahsan | No rating | 2016-06-30
No authorization required in Windows phone web-application | Improper Authentication - Generic | ahsan | No rating | 2016-06-30
Transaction Pending Via IP Change | None supplied | anik | No rating | 2016-06-08
Cookie not secure | None supplied | thalaivarsubu | No rating | 2016-05-25
Email leak in transactions in Android app | Violation of Secure Design Principles | bountypls | No rating | 2016-05-17
User's legal name could be changed despite front end controls being disabled | Violation of Secure Design Principles | apok | No rating | 2016-05-05
Sending payments via QR code does not require confirmation | Improper Authentication - Generic | atheistoffail | No rating | 2016-04-22
Direct URL access to completed reports | Improper Authentication - Generic | roshanpty | No rating | 2016-03-06
Misconfiguration in 2-factor allows sensitive data exposure | Information Disclosure | codequick | No rating | 2016-03-04
Balance Manipulation - BUG | None supplied | datokaa | No rating | 2016-02-26
Session Issue May Lead to Huge Loss [CRITICAL] | Cryptographic Issues - Generic | bountypls | No rating | 2016-02-21
OAuth authorization page vulnerable to clickjacking | Improper Authentication - Generic | paulos_ | No rating | 2016-02-07
Big Bug with Vault which I have already reported: Case #606962 | None supplied | datokaa | No rating | 2016-01-20
Race condition allowing user to review app multiple times | None supplied | cablej | No rating | 2016-01-14
Potential for Double Spend via Sign Message Utility | Cryptographic Issues - Generic | ddworken | No rating | 2016-01-06
User email enumeration using Gmail | Information Disclosure | paulos_ | No rating | 2015-12-23
HTML injection in apps user review | None supplied | s1ck-sec | No rating | 2015-12-21
XXE in OAuth2 Applications gallery profile App logo | None supplied | s1ck-sec | No rating | 2015-12-16
Transactions visible on Unconfirmed devices | Improper Authentication - Generic | shahmeer-amir | No rating | 2015-12-11
Stored XSS in https://www.coinbase.com/ | Cross-site Scripting (XSS) - Generic | hazimaslam | No rating | 2015-12-07
OAuth permission set as true leads to authorizing a malicious application | Improper Authentication - Generic | paresh_parmar | No rating | 2015-12-01
iframes considered harmful | Violation of Secure Design Principles | androm3da | No rating | 2015-12-01
SPF records not found | Violation of Secure Design Principles | brain | No rating | 2015-10-14
Two-factor authentication (via SMS) | Improper Authentication - Generic | dia2diab | No rating | 2015-06-16
New Device confirmation tokens are not properly validated | Improper Authentication - Generic | born2hack | No rating | 2015-05-25
New Device Confirmation: token remains valid until used | Cryptographic Issues - Generic | lovepakistan | No rating | 2015-05-24
Sandboxed iframes don't show confirmation screen | UI Redressing (Clickjacking) | homakov | No rating | 2015-04-04
Invoice Details activate JS that is filled in | Cross-site Scripting (XSS) - Generic | sasi2103 | No rating | 2015-03-30
Credit Card Validation Issue | None supplied | whitj00 | No rating | 2015-03-12
Open authentication bug | Improper Authentication - Generic | ckmk44 | No rating | 2015-03-11
Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code | Information Disclosure | prakharprasad | No rating | 2014-11-26
Leaking CSRF token over HTTP resulting in CSRF protection bypass | Cross-Site Request Forgery (CSRF) | anshuman_bh | No rating | 2014-10-16
Bypassing 2FA for BTC transfers | Improper Authentication - Generic | michiel | No rating | 2014-09-25
Simultaneous Session Logon: Improper Session Management | Improper Authentication - Generic | 0ctac0der | No rating | 2014-08-26
2FA settings allowed to be changed with no delay/freeze on funds | Violation of Secure Design Principles | bbohn | No rating | 2014-08-25
CSRF on "Set as primary" option on the accounts page | Cross-Site Request Forgery (CSRF) | anshuman_bh | No rating | 2014-07-26
CSRF in function "Set as primary" on accounts page | Cross-Site Request Forgery (CSRF) | 0ctac0der | No rating | 2014-06-06
2-factor authentication design flaw | Violation of Secure Design Principles | ryancollins | No rating | 2014-06-06
Multiple Issues related to registering applications | Violation of Secure Design Principles | anshuman_bh | No rating | 2014-05-29
Coinbase Android Security Vulnerabilities | Cryptographic Issues - Generic | bryanstern | No rating | 2014-05-07
Information Disclosure that shows the webroot of the Coinbase server | Information Disclosure | mazen160 | No rating | 2014-05-04
Cookie missing the HttpOnly flag | None supplied | 0xsaikiran | No rating | 2014-04-30
IFRAME loaded from External Domains | None supplied | 0xsaikiran | No rating | 2014-04-30
Improper Validation of the Referrer header leading to Open URL Redirection | Open Redirect | anshuman_bh | No rating | 2014-04-29
User Enumeration, Information Disclosure and Lack of Rate Limitation on API | Violation of Secure Design Principles | zero | No rating | 2014-03-31