Bitcoin Shop Coinbase Boosts Hacker Bounties to $50,000

The surging value of bitcoin has been a boon for the San Francisco exchange Coinbase, leading to higher revenue from commissions and a flood of new customers. One downside, though, is that the stakes are higher than ever when it comes to hacking.

Now that bitcoin prices are topping $6,000, any cyber crook who can break through Coinbase’s digital defenses could make out like a modern-day Jesse James by plundering customer accounts. That’s one reason Coinbase has decided to increase the prizes it pays under a bug bounty program—a system that rewards hackers for privately disclosing computer vulnerabilities, which in turn allows companies to patch their systems before bad guys can exploit them.

Bug bounties used to be controversial, largely because companies feared they would invite cyber-attacks. But after tech firms like Google and Facebook proved the efficacy of bug bounties, a growing number of other organizations followed suit, including more traditional firms like GM and, beginning last year, the Department of Defense.

In the case of Coinbase, the digital currency exchange last week boosted its top bounty to $50,000 for critical vulnerabilities, and also increased rewards for more minor vulnerabilities.

According to Coinbase’s head of security, Philip Martin, the company’s bug bounty has paid out $176,031 in rewards to a total of 223 researchers in the last few years.

Speaking at a San Francisco conference hosted by the bug bounty firm HackerOne, Martin also explained that bounty programs only work if a company has the rest of its security operations in order.

“Bug bounties are only productive if you have a strong internal reporting process to start with. Do it badly, and [vulnerability reports will be ignored] and you’ll make hackers angry,” he said.

Martin also explained that even a well-run bug bounty program generates more noise than signal, saying only about 11% of all reports Coinbase receives amount to an actual security vulnerability.

He added that Coinbase, like other companies, continues to receive emails from suspicious people who claim to have found a vulnerability and will reveal it only in exchange for a few bitcoin.

“We treat it like the attempted extortion it is—and ignore it,” Martin said.

Martin also disclosed that Coinbase has yet to pay out its top prize under the bug bounty program, in part because, as he said, “our security doesn’t suck.”

Securing the code on its website is just one part of the security challenge for sites like Coinbase, however. As my colleague Jen Wieczner has reported, Coinbase faces a staggering amount of fraud that arises from crooks duping customers into revealing their passwords and then robbing their accounts.

Nonetheless, for firms like Coinbase, bug bounty programs appear to be an essential part of locking down the technical part of their security operations.