Full transcript of correspondence with CEX.io. For more details, see Reporting a Vulnerability to CEX.io.

Date: Sun, 13 Oct 2013 14:49:31 -0400
Subject: White Hat Bug Bounty Program
From: Michael
To: webmaster@cex.io

Hi CEX Folks,

Do you have a bug bounty program for ethical security researchers to report security vulnerabilities to your site?

Thanks,
Michael

Date: Sun, 13 Oct 2013 18:59:59 +0000
From: "CEX.IO" <webmaster@cex.io>
To: Michael
Subject: [CEX.IO] Re: White Hat Bug Bounty Program

Your request (199) has been solved. To reopen this request, reply to this email.
----------------------------------------------
Jeffrey, Oct 13 18:59 (UTC)

We can discuss this matter. Please send us an email with your proposal to [redacted]

Thank you.

Yours Truly,
Jeffrey Smith
Head of Customer Service Department

Date: Sun, 13 Oct 2013 16:01:19 -0400
Subject: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith

Hi Jeffrey,

I'm a software security consultant in the US as my main profession, but I enjoy participating in bug bounty programs in my spare time, especially within the Bitcoin community. I reported a bug to Bitmit a few months ago and they rewarded me with a bounty.

Coinbase has a published bounty program:
https://coinbase.com/whitehat
http://donncha.is/2013/06/coinbase-owning-a-bitcoin-exchange-bug-bounty-program/

And outside of the Bitcoin community, Google has a pretty well respected bounty program:
https://www.google.com/about/appsecurity/reward-program/

Can you tell me if CEX already has a system in place, or if not, what you would pay as rewards for different kinds of vulnerabilities?

Thanks,
Michael

Date: Mon, 14 Oct 2013 23:33:26 -0400
Subject: Re: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith

Hi Jeffrey,

Is CEX interested in paying a bounty for vulnerability information?

Thanks,
Michael

Date: Tue, 15 Oct 2013 16:09:50 +0300
From: Jeffrey Smith
To: Michael
Subject: Re: White Hat Bug Bounty Program

Hey Michael,

Let's get back to this conversation in a couple of days.

Thanks.

Date: Tue, 15 Oct 2013 09:45:06 -0400
Subject: Re: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith

Hi Jeffrey,

Is there someone else at CEX I should reach out to? I'd like to get these issues on your radar as soon as possible. I'm really excited about CEX and think it's a great idea, but I've had to withdraw all funds from my account because of the site's security issues.

Thanks,
Michael

Date: Fri, 18 Oct 2013 10:11:56 -0400
Subject: Re: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith

Hi Jeffrey,

Any updates on this?

Thanks,
Michael

Date: Mon, 21 Oct 2013 19:04:10 +0300
From: Jeffrey Smith
To: Michael
Subject: Re: White Hat Bug Bounty Program

Hi Michael,

We are willing to provide you free GH/s for bug reports. Please tell me if you have found any.

Thank you.

--
Yours Truly,
Jeffrey Smith
CEX.IO

Date: Mon, 21 Oct 2013 12:18:03 -0400
Subject: Re: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith

Hi Jeffrey,

Do you have a PGP key or should I just use normal email?

Thanks,
Michael

Date: Mon, 21 Oct 2013 19:18:58 +0300
From: Jeffrey Smith
To: Michael
Subject: Re: White Hat Bug Bounty Program

Hi Michael,

I don't have a PGP key. Let's use normal mail for now.

Yours Truly,
Jeffrey Smith
CEX.IO

Date: Mon, 21 Oct 2013 20:16:35 -0400
Subject: Re: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith

Hi Jeffrey,

CEX is vulnerable to CSRF attacks. This occurs when sites on other domains can force users to take actions on the CEX domain without the user's consent. An attacker can construct a malicious page (e.g. evil.com) and entice a victim CEX user to visit the evil page. The evil page then uses JavaScript to force the user's browser to make a request to CEX. Specifically, they could force the user to sell GHS at a very low price / buy at a very high price. The attacker can also force victim users to withdraw to a Bitcoin wallet of the attacker's choosing, though the risk there is somewhat limited by the fact that your withdrawals require email confirmation.

I have created two proof of concept pages. Please be aware that visiting these sites will cause you to perform actions in your CEX account without your consent (though I have made efforts to make these actions as harmless as possible for demonstration).

https://[removed]
If a CEX user visits this page while logged into CEX, it will cause them to place a buy order for 1 GHS at a price of 0.00001 BTC. Note that I deliberately chose a low buy price to make the proof of concept safe to test, as a buy order at 0.00001 BTC is unlikely to be fulfilled, but I could just as easily have set the price to 100 BTC in order to force victim users to purchase GHS at very high rates.

https://[removed]
If a CEX user visits this page while logged into CEX, it will cause them to make a withdrawal request for .01 BTC to my personal Bitcoin wallet. As mentioned above, this risk is somewhat reduced by the fact that the user must also confirm the withdrawal via email, but seeing unauthorized withdrawal requests would likely alarm your users.

The solution is to use CSRF tokens. These are unpredictable values that are included in every authorized request that causes a change in state (e.g. buy orders, sell orders, withdrawal, logout). The server must validate that all such requests include the correct CSRF token or the request is dropped. CEX appears to already be using a web framework that includes CSRF tokens, as the HTTP requests include a parameter called "_csrf" but it is currently empty and has no effect on requests. CEX needs to enforce CSRF protections in order to mitigate this vulnerability. More information about CSRF attacks is available through OWASP <https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)>.

Please let me know if there is any additional information that I can provide to help you in remediating this issue.

Thanks,
Michael
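The report above describes the defect precisely: a `_csrf` parameter is present on state-changing requests but is never checked, so an empty token is accepted. The following is an added illustration written for this transcript; it is not CEX.io's code and does not reproduce the proof-of-concept pages. It models a minimal server-side session store and one state-changing endpoint (a hypothetical `handle_buy_order`), and shows the unchecked `_csrf` handling beside an enforced synchronizer-token check. The session store, endpoint name and form fields are all constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store. A real application keeps this
# server-side (database, cache) keyed by the session cookie value.
SESSIONS: dict[str, dict[str, str]] = {}


def new_session() -> str:
    """Log a user in: mint a session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    # The token is unpredictable and bound to this session only. It is
    # embedded in same-origin pages (hidden form field / JS variable), which
    # a page on another origin cannot read because of the same-origin policy.
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """What a legitimate same-origin page would embed in its form."""
    return SESSIONS[sid]["csrf"]


def unchecked_csrf(sid: str, form: dict[str, str]) -> bool:
    """Mirrors the reported defect: "_csrf" is carried in the request but its
    value is never compared, so an empty or missing token passes."""
    return sid in SESSIONS


def enforced_csrf(sid: str, form: dict[str, str]) -> bool:
    """Synchronizer-token check: the request must carry the exact token that
    was issued to this session; empty, missing or wrong values are rejected."""
    expected = SESSIONS.get(sid, {}).get("csrf")
    supplied = form.get("_csrf", "")
    if not expected or not supplied:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected, supplied)


def handle_buy_order(sid: str, form: dict[str, str], check=enforced_csrf):
    """Simulated state-changing endpoint (hypothetical). Returns (status, message).
    The session cookie (sid) is sent automatically by the browser on any
    request to the site, which is exactly why authentication alone is not
    enough and the token check must run before the state change."""
    if sid not in SESSIONS:
        return 401, "not logged in"
    if not check(sid, form):
        return 403, "CSRF token missing or invalid; request dropped"
    return 200, f"order placed: {form['amount']} GHS @ {form['price']} BTC"


if __name__ == "__main__":
    sid = new_session()
    # A cross-origin form can set arbitrary fields but cannot know the token,
    # so the best it can do is send it empty (or omit it).
    cross_origin_form = {"amount": "1", "price": "0.00001", "_csrf": ""}
    print(handle_buy_order(sid, cross_origin_form, check=unchecked_csrf))
    print(handle_buy_order(sid, cross_origin_form))
    same_origin_form = dict(cross_origin_form, _csrf=csrf_token_for(sid))
    print(handle_buy_order(sid, same_origin_form))
```

Running it shows the order going through under `unchecked_csrf` with an empty `_csrf`, being dropped with a 403 under `enforced_csrf`, and succeeding only when the form carries the token issued to that session. The same check belongs on every state-changing route the report lists (buy, sell, withdrawal, logout), not just on one; today it would normally be paired with `SameSite` cookie attributes as a second layer.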

Date: Tue, 22 Oct 2013 12:23:01 +0300
From: Jeffrey Smith
To: Michael
Subject: Re: White Hat Bug Bounty Program

Hey Michael,

Thank you for your email. We will investigate this vulnerability as well as negotiate about a bonus for your work. Will get back to you ASAP.

--
Yours Truly,
Jeffrey Smith
CEX.IO

Date: Mon, 4 Nov 2013 21:02:41 -0500
Subject: Re: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith

Hi Jeffrey,

I see that CEX has remediated the CSRF vulnerability that I reported. When can I expect CEX to pay the bounty for reporting this issue?

Thanks,
Michael

Date: Sat, 9 Nov 2013 13:16:30 -0500
Subject: Re: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith
Cc: webmaster@cex.io

Hi Jeffrey,

It has now been almost 3 weeks since I reported CEX's CSRF vulnerability to you. I have not received payment, and you are not responding to emails. I'm becoming concerned that you may not honor our agreement. Please respond with details of when I can expect payment for reporting CEX's security vulnerability.

Thanks,
Michael

Subject: Re: White Hat Bug Bounty Program
Date: Mon, 11 Nov 2013 14:07:48 +0200
From: Jeffrey Smith
To: Michael

Hey Michael,

Thank you for your email. I apologise for the delay in our communication, as we were busy with processing all feature requests. I talked to the upper management about the vulnerability you have found. Their response was that they were aware of this vulnerability, but it was not in our priority list. However, it is now, and I've negotiated a bounty in the amount of 0.2 BTC. Please tell me if it's ok with you and I will transfer funds to your account.

Yours Truly,
Jeffrey Smith

Date: Mon, 11 Nov 2013 09:03:29 -0500
Subject: Re: White Hat Bug Bounty Program
From: Michael
To: Jeffrey Smith

Hi Jeffrey,

That's a very low bounty, but since we never negotiated a price, I'll take what you offer. At that rate, it is not worth my time to report other vulnerabilities to CEX. For comparison, take a look at Coinbase's rates (keeping in mind that at the time of publication, 1 BTC was ~$100 USD).

Please send payment to 1NcLF2FVewJmeuNsRc5vxmNc9ysXN9xyr4

Please also pass along my feedback to your upper management:
- Many customers will not be comfortable trusting their money to a company that knowingly exposes them to serious security vulnerabilities
- Security researchers will not be interested in responsibly disclosing vulnerabilities to CEX if the company pays very low bounties and fails to communicate with researchers in a timely fashion.

Thanks,
Michael

Date: Mon, 11 Nov 2013 16:26:55 +0200
Subject: Re: White Hat Bug Bounty Program
From: Jeffrey Smith
To: Michael

Hey Michael,

Thank you, I will forward your message to the upper management. I will also leave your contacts in case they need you.

Yours Truly,
Jeffrey Smith