In a blog post on November 30, Coinbase sought to clarify its bug bounty program policies in response to the recent Uber data breach verdict.
The company stated that it still welcomes “responsible” disclosure of security issues, but users who abuse this process will not be awarded bug bounties.
[Image: The official Coinbase bug bounty reporting page at HackerOne]
The verdict Coinbase was referring to was issued on October 5. Joe Sullivan, former Uber security chief, was found guilty of colluding with attackers to cover up evidence of a data breach, according to a report by the Washington Post. Sullivan had originally claimed that the attackers had submitted the breach as a bug bounty and that the company had paid them as a bug bounty reward.
Tech companies often use bug bounties to encourage white hat hackers to find security vulnerabilities and report them. But the Sullivan verdict has raised the question of how far a bug bounty program can go in awarding prizes to hackers without running afoul of the law itself.
In its post, Coinbase stated that it has encountered some bug bounty participants who claim to have committed criminal actions that would prevent the company from being able to legally make a payout.
For example, a participant submitted multiple emails to the team saying that they had “306 million users data fully dehashed” and a “bypass” to skip the 48-hour waiting period on new devices. According to Coinbase, if this person actually had such information, it would mean that they had accessed customer data beyond what could be considered “good faith” or “accidental.” In such a case, Coinbase would not be able to pay the bounty.
In this particular case, Coinbase said it believed that the participant was making a false claim. The
Read more on cointelegraph.com