From fdb298de756bbae69ba98a36e34a3276d1e24bc8 Mon Sep 17 00:00:00 2001 From: awilliams1-cb <148368153+awilliams1-cb@users.noreply.github.com> Date: Tue, 28 Apr 2026 10:27:57 -0400 Subject: [PATCH] Add SECURITY.md --- SECURITY.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..9c7a3c8 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,22 @@ +# Security + +## Bug bounty program + +In line with our strategy of being the safest way for users to access crypto: + ++ Coinbase extended our [best-in-industry](https://www.coinbase.com/blog/celebrating-10-years-of-our-bug-bounty-program) million-dollar [HackerOne bug bounty program](https://hackerone.com/coinbase?type=team) to cover the Base network and Base infrastructure. + ++ Coinbase has launched a 5 million-dollar [Cantina bug bounty program](https://cantina.xyz/code/55316f42-3c5e-4746-9bd0-0f18dcbc344b) to cover all deployed smart contracts for Base, and those used as part of Coinbase products and services. + +## Reporting vulnerabilities + +All potential vulnerability reports can be submitted via the following platforms: + +1. [**HackerOne**](https://hackerone.com/coinbase): For offchain components and services. + For more information on reporting vulnerabilities and our HackerOne bug bounty program, view our [security program policies](https://hackerone.com/coinbase?view_policy=true). + +2. [**Cantina**](https://cantina.xyz/bounties/55316f42-3c5e-4746-9bd0-0f18dcbc344b): For deployed smart contracts. + For more information on what smart contracts are considered within the scope of the Cantina bug bounty program, view our [Tier 0](https://cantina.xyz/code/55316f42-3c5e-4746-9bd0-0f18dcbc344b/overview?overviewTab=1&assetGroup=0) and [Tier 1](https://cantina.xyz/code/55316f42-3c5e-4746-9bd0-0f18dcbc344b/overview?overviewTab=1&assetGroup=1) scope guides. + + +For all other security related inquiries, please reach out to [security@coinbase.com](mailto:security@coinbase.com). \ No newline at end of file
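Review bot: The same two programs are linked through different URLs in the two sections, so a reporter cannot tell which one is the canonical submission page. Cantina appears as `cantina.xyz/code/…` in the "Bug bounty program" bullet and as `cantina.xyz/bounties/…` in item 2 of "Reporting vulnerabilities", and HackerOne appears as `hackerone.com/coinbase?type=team` in the first section and as `hackerone.com/coinbase` in item 1. Please confirm that each pair resolves to the same program and use one URL per program throughout. The scope wording also differs between sections ("the Base network and Base infrastructure" versus "offchain components and services" for HackerOne), and aligning it would make routing a report unambiguous. The closing line sends "all other security related inquiries" to security@coinbase.com without saying whether vulnerability details may be sent there; consider stating that vulnerability reports belong on the two platforms and the mailbox is for everything else. Minor points: "security related" should be hyphenated, there are two blank lines before the last paragraph, and the file ends without a trailing newline.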