There is a discussion on that thread about the bounty being rather small compared to the damage it could have caused the crypto market and/or Coinbase’s stock/reputation. It’s low relative value is even being cited as a risk to future bugs not being responsibly disclosed.<p>It is however important to consider the technical complexity, effort, and exploitability when valuing an exploit. This was a very, VERY simple bug to find and with KYC very obvious and unlikely truly monetizable without consequences if exploited (unlike say getting access to the private key of a hot wallet). The biggest damage would have been reputational (though a rational person should consider the fact this kind of missing condition check bug made it to production a major issue already). The market would have recovered from whatever flash crash ensued and the attacker wouldn’t be likely to keep their winnings.<p>Kudos to tree_of_alpha for being the first to look at the API, spotting this, and reporting responsibly - $250k for what appears to be under an hour of work that was driven by curiosity is not a bad deal at all. I know Brian Armstrong frequents HN so it will indeed be interesting to get his take on this as well if he was involved in it.