How to report a security vulnerability in Coinbase Wallet?

Report security vulnerabilities in Coinbase Wallet via HackerOne with detailed steps to reproduce, avoiding public disclosure until resolved.

Oct 12, 2025 at 05:36 am

Understanding Security Vulnerability Reporting in Coinbase Wallet

Coinbase Wallet, as a non-custodial cryptocurrency wallet, places high importance on user security and the integrity of its platform. When users or security researchers identify potential vulnerabilities, there is a formal process in place to ensure these issues are addressed efficiently and responsibly.

Reporting a security vulnerability properly helps protect millions of users and strengthens the overall ecosystem.

Steps to Report a Security Issue

  1. Navigate to the official Coinbase security disclosure page, which serves as the primary channel for reporting vulnerabilities.
  2. Review the scope of systems covered under its bug bounty program, including web applications, mobile apps, APIs, and smart contract interactions related to Coinbase Wallet.
  3. Prepare a detailed report that includes the nature of the vulnerability, steps to reproduce it, affected components, and any supporting evidence such as screenshots or logs.
  4. Submit the report through HackerOne, the third-party platform Coinbase uses to manage vulnerability disclosures and coordinate responses with researchers.
  5. Refrain from public disclosure until Coinbase confirms the issue has been resolved to prevent exploitation by malicious actors.

Eligibility and Scope of Vulnerabilities

Not every technical observation qualifies as a valid security vulnerability. Coinbase maintains clear guidelines on what types of findings are eligible for recognition or rewards under its program.

  1. Focus on high-impact issues such as unauthorized access to user funds, private key exposure, transaction manipulation, or bypassing authentication mechanisms.
  2. Exclude low-severity findings like UI inconsistencies, spam attacks, or theoretical risks without practical exploit paths.
  3. Test only within the boundaries of permitted assets and services; avoid social engineering, physical attacks, or denial-of-service attempts.
  4. Ensure all testing adheres to legal and ethical standards—exploitation beyond proof-of-concept is strictly prohibited.
  5. Recognize that vulnerabilities in third-party integrations may be out of scope unless they directly compromise Coinbase Wallet’s core functionality.

Rewards and Recognition for Researchers

Coinbase operates a bug bounty program that incentivizes ethical hackers and security professionals to contribute to platform safety.

  1. Rewards vary based on severity, ranging from hundreds to tens of thousands of dollars for critical flaws.
  2. Payouts are processed through HackerOne after validation and resolution of the reported issue.
  3. Researchers can choose to remain anonymous or receive public acknowledgment in Coinbase’s hall of fame.
  4. Timely communication is maintained throughout the investigation and remediation process.
  5. Recurring contributors may gain trusted status, enabling faster triage and deeper collaboration.

Frequently Asked Questions

What if I accidentally trigger a security mechanism while testing?

If unintended behavior occurs during authorized testing, immediately stop further actions and disclose the incident in your report. Honest mistakes made in good faith are treated differently than malicious activity.

Can I use automated tools to scan for vulnerabilities?

Automated scanning tools are permitted only if they do not generate excessive traffic or disrupt service. Any tool that could impact availability or performance must be pre-approved.

How long does Coinbase take to respond to a report?

Initial acknowledgment typically occurs within 72 hours. The timeline for full resolution depends on complexity, but updates are provided regularly through the HackerOne portal.

Is blockchain transaction analysis considered a valid vulnerability?

Observations about on-chain patterns or public wallet addresses are generally not classified as vulnerabilities unless they reveal a flaw in Coinbase Wallet’s logic or interface leading to fund loss.
