Coindrawer Bug Bounty Finale
Coindrawer (now defunct) claimed to run a Bug Bounty program, offering recognition and a Bitcoin reward to people who submitted valid security issues in their platform. For many months, Coindrawer ignored my requests for updates on my submissions and did not honour their bounty program. On 12 June 2014, Coindrawer sent an email to its users stating that the service was shutting down due to banking and legal challenges as well as lack of interest. On 1 July 2014, Coindrawer paid a 1 BTC bounty as a reward for all outstanding submissions. I have donated this reward to the EFF.
My history with Coindrawer
Over several months, I submitted security bugs to Coindrawer under their Bug Bounty program. These bugs ranged in severity, from non-persistent XSS to persistent XSS and the ability to steal funds from Coindrawer. Coindrawer tended to fix and reward the more critical issues, ignoring my submissions of lesser severity and ignoring my requests for updates. I notified Coindrawer of my intent to responsibly disclose the outstanding vulnerabilities, giving them ample time to fix the issues beforehand. On the dates I advised, I publicly disclosed the vulnerabilities, giving customers the opportunity to protect themselves against the threats. I respectfully asked Coindrawer to take what I thought were three reasonable actions: to honour outstanding submissions to their bounty program, to fix issues that they were aware of, and to shut down their bounty program if they did not intend to honour it. You can read more in my post 'Coindrawer Bug Bounty Experience' and in my public disclosures of issues (links are at the end of this post).
Following my public disclosures, I asked Coindrawer if they would honour my publicly disclosed issues under their program (the terms of their program simply asked that participants "please give us a reasonable amount of time to respond to your report and address the bug before disclosing it publicly", which I did).
On 12 June 2014, Coindrawer announced to their users that they would be shutting down.
Coindrawer said, 12 June 2014:
Subject: That's All Folks!
Coindrawer is Closing
It is with heavy heart that we have decided to shutter Coindrawer.
After spending a boatload of cash trying to offer some competition to Coinbase, we found the banking and legal challenges to be too great. Our most recent attempt was to open a simple altcoin exchange. That attempt has fallen on deaf ears.
So, it's been an interesting ride but it's time to move on to greener pastures. If you have coins in a Coindrawer wallet please remove them immediately as www.coindrawer.com will be unavailable within a few days.
Thank you for your support.
My motivation for publicly disclosing the vulnerabilities was to allow users of the service to take mitigating measures to protect themselves from the threats they presented.
My motivation for making the requests to Coindrawer, and for asking them if they would honour my submissions, was to hold them accountable for a program that they did not seem to intend to honour. In my opinion, Coindrawer acted improperly and unethically by advertising a program they did not intend to honour, encouraging users to discover and disclose vulnerabilities impacting them and their customers. This is antithetical to the recent Bug Bounty movement - to reward professionals who discover and disclose vulnerabilities before bad things happen, and to foster positive relationships between researchers and vendors/service owners.
As far as I'm concerned, the first of my motivations was addressed when they removed the functions of their platform that were responsible for the vulnerabilities I had identified. The second was addressed when they shut down the service entirely.
On 19 June 2014, Coindrawer contacted me asking for my Bitcoin address so they could send a reward for my outstanding submissions. I responded with my address on 1 July 2014, making my motivations so far clear, and stating that my outstanding concerns had been satisfied. I told Coindrawer that any reward they send me would be gratefully received and donated to the EFF.
Later on 1 July 2014, Coindrawer sent a reward of 1 BTC to cover all outstanding submissions.
Donation to the EFF
On 27 July 2014 I donated the reward to the EFF.
Coindrawer Bug Bounty Experience timeline
- Nov 2013 to Feb 2014 - Submission of vulnerabilities. Some vulnerabilities are patched and rewarded, some are not.
- Feb 2014 to Mar 2014 - Repeated requests for updates, no response from Coindrawer.
- 3 April 2014 - Notification to Coindrawer of responsible disclosure timeline.
- 17 April 2014 - Public disclosure of some issues.
- 26 April 2014 - Coindrawer resolves all outstanding issues.
- 1 May 2014 - Public disclosure of remaining issues.
- 12 June 2014 - Coindrawer notifies users of its cessation.
- 19 June 2014 - Coindrawer asks me for my Bitcoin address to send reward for outstanding issues.
- 1 July 2014 - I advise Coindrawer of my Bitcoin address; Coindrawer sends 1 BTC reward for outstanding issues.
- 27 July 2014 - I donate the reward to the EFF.
My experience with Coindrawer was frustrating and disappointing. I'm certain that had I not publicly disclosed the issues with a faithful attempt to coordinate with them, the issues would not have been fixed (I don't believe the vulnerable functionality would have been dropped until the service shuttered) and my submissions would not have been honoured under the program. Thanks to Coindrawer for eventually making good on their program's promise.
I have a series of posts regarding Coindrawer:
- Coindrawer Bug Bounty experience
- JSEC1046 - Coindrawer Persistent DOM XSS Disclosure (Paycoin Feature)
- JSEC1051 - Coindrawer Payment Replay Disclosure, Create Multiple Merchant Orders
- JSEC1053 - Coindrawer Provide Arbitrary Exchange Rate Disclosure
- JSEC1065 - Coindrawer Non-persistent XSS Disclosure (Buy/sell Orders Feature, Cancel_order Param)
- Coindrawer Bug Bounty finale