
When News Outlets and Security Researchers Collide

Updated by Martin Robaldo
According to now-deleted Tweets, the founder and CEO of CoinMall, Yousef Abdulhassan, was recently accused of attempting to shake down The Block, a prominent cryptocurrency research and analysis outlet.
The dispute highlights the murky world of penetration testing, bug bounties, and vulnerability disclosures. After all, what happens when a company refuses to pay a fair (or unfair) price for a flaw that could have had disastrous consequences?

White Knight or Extortionist?

In the Tweets fired out by The Block founder Mike Dudas, it was reported that Abdulhassan had uncovered a security vulnerability in the back-end of The Block and would disclose the mechanisms behind the flaw in return for a reward. Despite deleting the original tweets, The Block has published a write-up of the events on its Medium channel.
According to the report, a vulnerability in the way The Block's automation server operated led to the public exposure of security tokens which could have been used to gain administrative access to the platform.
Following a standoffish back and forth between the two, Abdulhassan was offered $500 for the disclosure, but maintained that the amount was low compared to the $10,000 paid by a smaller platform upon the discovery of a similarly severe security vulnerability. In an apparent email between Abdulhassan and The Block, the CoinMall founder mentioned that publicly releasing the information could have a knock-on effect on premium subscriber counts, potentially affecting the revenue of the platform.
In the report, the news outlet further alleges that Abdulhassan attempted to gain free advertising from The Block as a reward for the disclosure, before apparently requesting a minimum of $1,500 as a reward. After The Block refused these terms, the report states that Abdulhassan then announced his plan to inform the wider public about the security issue.

Retaliation or Public Disclosure?

In response to the recent debacle, Abdulhassan promised to produce a full report detailing exactly how he gained access to the entire infrastructure of one of the largest blockchain news outlets. He also launched a poll, asking his Twitter followers how they would like to receive the public disclosure. According to Abdulhassan, the “public disclosure will showcase how technically incompetent they are, and their lackluster way of handling customer information.” This report has not yet been released at the time of writing.
“A slanderous attempt at trying to save face after their threatening lawyer letter did not scare me off, merely hours ago, in which I was told that “it would be wise to accept this and move on” (this referring to a $500 “reward”),” said Abdulhassan in a later tweet.
The move isn’t without its critics, however, drawing sarcastic comments from multiple people, many of whom mocked the CoinMall CEO for apparently attempting to extort The Block. In a statement to BeInCrypto, Abdulhassan fired back with:
“Despite their allegations of a “shakedown” it was anything but that. My only motivation was to inform their site visitors and Genesis subscribers about the severity of the disclosure which could have jeopardized their info in the process.”
Recently, CoinMall made headlines after removing Zcash (ZEC) and Bitcoin Cash (BCH) from its platform, joining a growing list of cryptocurrency-enabled platforms in delisting the two controversial coins. What do you think of the situation between Abdulhassan and The Block? Is $500 sufficient payment for the disclosure of a critical vulnerability? Let us know your thoughts in the comments below!
Daniel Phillips
After obtaining a Masters degree in Regenerative Medicine, Daniel pivoted to the frontier field of blockchain technology, where he began to absorb anything and everything he could on the subject. Daniel has been bullish on Bitcoin since before it was cool, and continues to be so despite any evidence to the contrary. Nowadays, Daniel works in the blockchain space full time, as both a copywriter and blockchain marketer.