| Title | Weakness | Reporter | Severity | Date |
|---|---|---|---|---|
| User provided values trusted in sensitive actions | None supplied | paulos_ | No rating | 2018-04-09 |
| User provided values passed to PHP unset() function | Type Confusion | paulos_ | No rating | 2018-04-09 |
| Double Payout via PayPal | Business Logic Errors | dawgyg | Critical | 2018-04-04 |
| ETH contract handling errors | Business Logic Errors | ambisafe | Critical | 2018-04-04 |
| ETH contract handling errors | Business Logic Errors | ambisafe | Critical | 2018-04-04 |
| Prepopulation of email address and name leaks information provided to other merchants | UI Redressing (Clickjacking) | cablej | No rating | 2018-04-02 |
| Stored CSS Injection | Resource Injection | cablej | No rating | 2018-04-02 |
| Ethereum account balance manipulation | Business Logic Errors | vicompany | Critical | 2018-03-21 |
| Ethereum account balance manipulation | Business Logic Errors | vicompany | Critical | 2018-03-21 |
| New Device Confirmation Bug | None supplied | whysoleet | No rating | 2017-09-09 |
| Captcha Bypass in Coinbase SignUp Form | Violation of Secure Design Principles | tejpratap | Low | 2017-09-05 |
| Information disclosure in Android Application | Denial of Service | mangotango | Low | 2017-08-31 |
| Inaccurate Payment receipt | None supplied | dpgribkov | No rating | 2017-08-31 |
| Information disclosure in coinbase android app | Improper Authentication - Generic | 7h3_3y3 | Low | 2017-08-31 |
| Csrf bug on signup session | Cross-Site Request Forgery (CSRF) | dark_heaven | No rating | 2017-08-31 |
| CSRF bug on password change | Cross-Site Request Forgery (CSRF) | dark_heaven | No rating | 2017-08-28 |
| XSSI (Cross Site Script Inclusion) | Cross-Site Request Forgery (CSRF) | paulos_ | No rating | 2017-08-23 |
| Device confirmation Flaw | None supplied | mohammad_obaid | None | 2017-08-02 |
| Information disclosure same issue #176002 | None supplied | port | Low | 2017-07-21 |
| Open redirect on sign in | Open Redirect | dark_heaven | Low | 2017-06-23 |
| X-Frame-Options | UI Redressing (Clickjacking) | dark_heaven | None | 2017-06-22 |
| [buy.coinbase.com] Content Injection | None supplied | mga_bobo | Low | 2017-05-26 |
| Requestor Email Disclosure via Email Notification | Information Disclosure | japz | Low | 2017-02-02 |
| Authentication Issue | Privilege Escalation | bugdiscloseguys | Low | 2017-01-06 |
| Content Injection error page | Violation of Secure Design Principles | dr_dragon | No rating | 2017-01-06 |
| Application error message | Information Disclosure | dr_dragon | No rating | 2016-11-28 |
| Window.opener bug at www.coinbase.com | None supplied | punkrock | No rating | 2016-11-28 |
| Information leakage on https://docs.gdax.com | Information Disclosure | ahmed_ezzat_nasr0x | No rating | 2016-11-28 |
| Bypassing the email validation email on sign-up process in mobile apps | Violation of Secure Design Principles | kaleemgiet | No rating | 2016-11-28 |
| Information disclosure of user by email using buy widget | Information Disclosure | cablej | Medium | 2016-11-16 |
| Runtime manipulation iOS app breaking the PIN | Violation of Secure Design Principles | kaleemgiet | No rating | 2016-11-16 |
| coinbase Email leak while sending and requesting | Improper Authentication - Generic | anda123 | Low | 2016-10-11 |
| Blacklist bypass on Callback URLs | Information Disclosure | agarri_fr | No rating | 2016-09-14 |
| window.opener is leaking to external domains upon redirect on Safari | Violation of Secure Design Principles | cablej | No rating | 2016-08-22 |
| Create Multiple Account Using Similar X-CSRF token | Violation of Secure Design Principles | rajauzairabdullah | No rating | 2016-08-09 |
| The 'Create a New Account' action is vulnerable to CSRF | Cross-Site Request Forgery (CSRF) | roshanpty | No rating | 2016-07-24 |
| An adversary can overwhelm the resources by automating Forgot password/Sign Up requests | Improper Authentication - Generic | roshanpty | No rating | 2016-07-24 |
| No authorization required in iOS device web-application | Improper Authentication - Generic | ahsan | No rating | 2016-06-30 |
| No authorization required in Windows phone web-application | Improper Authentication - Generic | ahsan | No rating | 2016-06-30 |
| Transaction Pending Via Ip Change | None supplied | anik | No rating | 2016-06-08 |
| Cookie not secure | None supplied | thalaivarsubu | No rating | 2016-05-25 |
| Email leak in transactions in Android app | Violation of Secure Design Principles | bountypls | No rating | 2016-05-17 |
| User's legal name could be changed despite front end controls being disabled | Violation of Secure Design Principles | apok | No rating | 2016-05-05 |
| Sending payments via QR code does not require confirmation | Improper Authentication - Generic | atheistoffail | No rating | 2016-04-22 |
| Direct URL access to completed reports | Improper Authentication - Generic | roshanpty | No rating | 2016-03-06 |
| Misconfiguration in 2 factor allows sensitive data expose | Information Disclosure | codequick | No rating | 2016-03-04 |
| Balance Manipulation - BUG | None supplied | datokaa | No rating | 2016-02-26 |
| Session Issue Maybe Can lead to huge loss [CRITICAL] | Cryptographic Issues - Generic | bountypls | No rating | 2016-02-21 |
| OAuth authorization page vulnerable to clickjacking | Improper Authentication - Generic | paulos_ | No rating | 2016-02-07 |
| Big Bug with Vault which i have already reported: Case #606962 | None supplied | datokaa | No rating | 2016-01-20 |
| Race condition allowing user to review app multiple times | None supplied | cablej | No rating | 2016-01-14 |
| Potential for Double Spend via Sign Message Utility | Cryptographic Issues - Generic | ddworken | No rating | 2016-01-06 |
| User email enumeration using Gmail | Information Disclosure | paulos_ | No rating | 2015-12-23 |
| HTML injection in apps user review | None supplied | s1ck-sec | No rating | 2015-12-21 |
| XXE in OAuth2 Applications gallery profile App logo | None supplied | s1ck-sec | No rating | 2015-12-16 |
| Transactions visible on Unconfirmed devices | Improper Authentication - Generic | shahmeer-amir | No rating | 2015-12-11 |
| Stored-XSS in https://www.coinbase.com/ | Cross-site Scripting (XSS) - Generic | hazimaslam | No rating | 2015-12-07 |
| OAUTH permission set as true= lead to authorize malicious application | Improper Authentication - Generic | paresh_parmar | No rating | 2015-12-01 |
| iframes considered harmful | Violation of Secure Design Principles | androm3da | No rating | 2015-12-01 |
| SPF records not found | Violation of Secure Design Principles | brain | No rating | 2015-10-14 |
| Two-factor authentication (via SMS) | Improper Authentication - Generic | dia2diab | No rating | 2015-06-16 |
| New Device confirmation tokens are not properly validated. | Improper Authentication - Generic | born2hack | No rating | 2015-05-25 |
| New Device Confirmation, token is valid until not used. | Cryptographic Issues - Generic | lovepakistan | No rating | 2015-05-24 |
| Sandboxed iframes don't show confirmation screen | UI Redressing (Clickjacking) | homakov | No rating | 2015-04-04 |
| Invoice Details activate JS that filled in | Cross-site Scripting (XSS) - Generic | sasi2103 | No rating | 2015-03-30 |
| Credit Card Validation Issue | None supplied | whitj00 | No rating | 2015-03-12 |
| open authentication bug | Improper Authentication - Generic | ckmk44 | No rating | 2015-03-11 |
| Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code | Information Disclosure | prakharprasad | No rating | 2014-11-26 |
| Leaking CSRF token over HTTP resulting in CSRF protection bypass | Cross-Site Request Forgery (CSRF) | anshuman_bh | No rating | 2014-10-16 |
| Bypassing 2FA for BTC transfers | Improper Authentication - Generic | michiel | No rating | 2014-09-25 |
| Simultaneous Session Logon: Improper Session Management | Improper Authentication - Generic | 0ctac0der | No rating | 2014-08-26 |
| 2FA settings allowed to be changed with no delay/freeze on funds | Violation of Secure Design Principles | bbohn | No rating | 2014-08-25 |
| CSRF on "Set as primary" option on the accounts page | Cross-Site Request Forgery (CSRF) | anshuman_bh | No rating | 2014-07-26 |
| CSRF in function "Set as primary" on accounts page | Cross-Site Request Forgery (CSRF) | 0ctac0der | No rating | 2014-06-06 |
| 2 factor authentication design flaw | Violation of Secure Design Principles | ryancollins | No rating | 2014-06-06 |
| Multiple Issues related to registering applications | Violation of Secure Design Principles | anshuman_bh | No rating | 2014-05-29 |
| Coinbase Android Security Vulnerabilities | Cryptographic Issues - Generic | bryanstern | No rating | 2014-05-07 |
| Information Disclosure That shows the webroot of CoinBase Server | Information Disclosure | mazen160 | No rating | 2014-05-04 |
| Cookie missing the HttpOnly flag | None supplied | 0xsaikiran | No rating | 2014-04-30 |
| IFRAME loaded from External Domains | None supplied | 0xsaikiran | No rating | 2014-04-30 |
| Improper Validation of the Referrer header leading to Open URL Redirection | Open Redirect | anshuman_bh | No rating | 2014-04-29 |
| User Enumeration, Information Disclosure and Lack of Rate Limitation on API | Violation of Secure Design Principles | zero | No rating | 2014-03-31 |