Official Coinbase response to sharing your personal details with the internet: Email Address / User enumeration on Coinbase: We've spent a good amount of time investigating this behavior and we believe that the risks are incredibly minor.
Gee, that's just what I look for in a financial service provider! This is the natural, uncontrolled result of Silicon Valley startup culture meets financial services. It's hard to get everything right, all the time, but particularly when operating in a financial domain it seems companies are better off accepting the severity of security issues and rewarding and engaging people who have taken the time to raise them than creating PR problems by demonstrating a lack of professionalism through suggesting that customer information (name, email, fact they use your service) is of no consequence and that enumeration issues are invalid.
Clearly:
(1) most users care about their privacy and time (i.e. the sanctity of their inbox);
(2) the issue has been misevaluated by Coinbase; and
(3) the poster has been extremely patient and deserves an apology.
(Disclaimer: I, too, grew up in Sydney and spent my younger years doing security research. I work at one of Coinbase's competitors, Payward, operator of the Kraken exchange. We have an extremely successful bounty program that frequently pays out for all sorts of little issues. We consider this a requirement for security-conscious operation on the modern internet. After all, security is a process! Should security researchers choose to dedicate some of their valuable time to helping us improve our systems, I can promise them - at the bare minimum - a friendlier and less dismissive response.)
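To make the enumeration issue the thread argues about concrete, here is an added example (not code from the original post, Coinbase or Kraken) contrasting a sign-up handler whose response reveals whether an address is registered with one that answers identically in both cases, plus a simple log check a defender can use to spot one client probing many addresses. The account store, the endpoint path and the log lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample account store (hypothetical; not Coinbase data).
REGISTERED = {"alice@example.com", "bob@example.com"}


def leaky_signup(email: str, outbox: list) -> tuple[int, str]:
    """Anti-pattern: the HTTP response itself confirms whether the address has an account.
    `outbox` collects the mails the handler would send, so behaviour can be checked offline."""
    if email in REGISTERED:
        return 409, "An account with this email already exists."
    outbox.append((email, "verification-link"))
    return 200, "Verification email sent."


def safe_signup(email: str, outbox: list) -> tuple[int, str]:
    """Same status and body either way; only the mailbox owner learns which case applied."""
    if email in REGISTERED:
        outbox.append((email, "already-registered-notice"))
    else:
        outbox.append((email, "verification-link"))
    return 200, "If this address is eligible, we've emailed it the next steps."


def is_enumeration_safe(handler, known: str, unknown: str) -> bool:
    """Defender's check: a known and an unknown address must yield identical responses."""
    return handler(known, []) == handler(unknown, [])


# Constructed access-log lines: client IP, method, path, submitted email.
SAMPLE_LOG = [
    "203.0.113.7 POST /signup alice@example.com",
    "203.0.113.7 POST /signup bob@example.com",
    "203.0.113.7 POST /signup carol@example.com",
    "203.0.113.7 POST /signup dave@example.com",
    "198.51.100.2 POST /signup erin@example.com",
]


def flag_enumeration(log_lines, threshold: int = 3) -> set[str]:
    """Flags clients submitting more than `threshold` distinct addresses to /signup:
    mass enumeration looks like one client probing many different emails."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, _method, path, email = line.split()
        if path == "/signup":
            seen[ip].add(email)
    return {ip for ip, emails in seen.items() if len(emails) > threshold}
```

The same uniform-response rule applies to password-reset and login endpoints, and response timing should be kept comparable between the two branches as well.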