Reporting Vulnerabilities
Base routes vulnerability reports through two separate platforms so that each report reaches reviewers with the right domain expertise. Offchain components and services flow through Coinbase’s long-running HackerOne program, while findings in deployed smart contracts go to a dedicated Cantina program.
Bug bounty programs
Consistent with Base’s goal of being the safest way for users to access crypto, two complementary bounty programs cover the surface:
- The Coinbase HackerOne bug bounty program — a best-in-industry million-dollar program — has been extended to cover the Base network and Base infrastructure.
- A separate Cantina bug bounty program, with a 5 million-dollar reward pool, covers every deployed smart contract used by Base and by Coinbase products and services.
Where to submit a report
Pick the platform that matches what you found:
- HackerOne — for offchain components and services. Submissions are triaged around the clock by Coinbase engineers with the relevant domain expertise. The program’s full security policies describe scope, eligibility, and reward details.
- Cantina — for deployed smart contracts. The covered contracts are enumerated in the program’s Tier 0 and Tier 1 scope guides.
For any other security-related question that does not fit either bounty program, reach the team at [email protected].