Capture the Coin

At Cobalt, we’re constantly thinking about how we can take application security to the next level. Today, we’re excited to launch Capture the Coin (#CTC), a contest that will allow us to experiment with bitcoin bounties hidden within the Cobalt platform.

What is Capture the Coin?

Our Capture the Coin contest is a challenge similar to traditional Capture the Flag contests within the security community. Instead of capturing a flag, however, participants can capture bitcoin private keys hidden in parts of our web application that are inaccessible to regular users.

Anyone who finds a key can claim the bitcoin as a reward.

As part of our contest, we have created three bitcoin addresses and deposited rewards of 1.5 BTC, 1.0 BTC and 0.5 BTC respectively.

  • Nakamoto Reward, 1500 mBTC (1BreFzzWCYmfzHuUoKEMtwKxZMC8EwGX27): This reward is hidden in vulnerability #CC1_90, which was submitted against Cobalt’s own bug bounty program.

  • Dorian Reward, 1000 mBTC (1DBydAEMcDXz4n4W4dknuGqedBhrYc5MR3): This reward is hidden in the Capture the Coin reward program, which can be found under CTC_Business. If you manage to gain access to this private, invite-only reward program, you will discover the bitcoin key here.

  • Scytale Reward, 500 mBTC (1KqJXTjkaBVY9Nkhbo7Qht2vkP7MpohZuf): This reward is hidden in the address section of CTC_Tester. Address information is not visible to other users, but if you are able to find it, you can redeem 500 mBTC.

Experimenting with Bug Bounties

Because of its flexibility as a technology protocol, bitcoin enables us to experiment with monetary rewards in new ways, such as building rewards directly into our website. To detect intrusion, we can set up automatic notifications that fire when funds move on specific bitcoin addresses, thereby building a monetary-layered intrusion detection system.
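The notification idea above can be sketched as a small monitor that alerts only when a watched address is spent from, since a spend requires the private key. This is an added example, not Cobalt's code; the transaction format, the txids and the non-reward addresses are hypothetical and constructed for illustration.

```python
# Added example: canary-address monitor. The transaction format is a
# simplified, hypothetical one; adapt the parsing to your own data source.

# Watched addresses and where each key is hidden (values from the post).
CANARIES = {
    "1BreFzzWCYmfzHuUoKEMtwKxZMC8EwGX27": ("Nakamoto", "vulnerability report #CC1_90"),
    "1DBydAEMcDXz4n4W4dknuGqedBhrYc5MR3": ("Dorian", "private program CTC_Business"),
    "1KqJXTjkaBVY9Nkhbo7Qht2vkP7MpohZuf": ("Scytale", "address section of CTC_Tester"),
}


def detect_spends(transactions, seen_txids=None):
    """Return one alert per (transaction, canary address) that is spent from.

    Only inputs count: anyone can send coins to an address, but spending
    from it requires the private key, so a spend means the key was read.
    """
    seen = set() if seen_txids is None else seen_txids
    alerts = []
    for tx in transactions:
        if tx["txid"] in seen:  # feeds often repeat a tx (mempool, then block)
            continue
        seen.add(tx["txid"])
        spent_from = CANARIES.keys() & {i["address"] for i in tx["inputs"]}
        for addr in sorted(spent_from):
            reward, location = CANARIES[addr]
            moved = sum(i["value_mbtc"] for i in tx["inputs"] if i["address"] == addr)
            alerts.append({
                "txid": tx["txid"], "reward": reward, "address": addr,
                "exposed_area": location, "moved_mbtc": moved,
                "destinations": sorted({o["address"] for o in tx["outputs"]}),
            })
    return alerts


# Constructed sample feed: a deposit (no alert), a sweep, and a repeat of the sweep.
SAMPLE_FEED = [
    {"txid": "tx-deposit", "inputs": [{"address": "1ExampleFunder", "value_mbtc": 500}],
     "outputs": [{"address": "1KqJXTjkaBVY9Nkhbo7Qht2vkP7MpohZuf", "value_mbtc": 500}]},
    {"txid": "tx-sweep", "inputs": [{"address": "1KqJXTjkaBVY9Nkhbo7Qht2vkP7MpohZuf", "value_mbtc": 500}],
     "outputs": [{"address": "1ExampleFinder", "value_mbtc": 499}]},
    {"txid": "tx-sweep", "inputs": [{"address": "1KqJXTjkaBVY9Nkhbo7Qht2vkP7MpohZuf", "value_mbtc": 500}],
     "outputs": [{"address": "1ExampleFinder", "value_mbtc": 499}]},
]

if __name__ == "__main__":
    for alert in detect_spends(SAMPLE_FEED):
        print("ALERT: {reward} key used; exposed area: {exposed_area}; "
              "{moved_mbtc} mBTC moved in {txid}".format(**alert))
```

Because each address maps to one hidden location, the alert names which part of the application was reached, which tells responders where to start looking.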

For security researchers, a few of the advantages of hunting bitcoin private keys are that:

  • testers are rewarded immediately with minimal fees,

  • and testers do not have to wait for a third party to validate a bug report before claiming the reward.

If you are a security researcher who captures the coin, please let us know! We would love to recognize your efforts, and learn how you did it. If you participate in Capture the Coin and find any other vulnerabilities in the Cobalt platform, please submit those through our regular bug bounty program.

Go Capture the Coin!

#CTC

About Jacob Hansen
Jacob Hansen is a Co-founder and Board Member at Cobalt, a fully remote cybersecurity company with a mission to modernize traditional pentesting via a SaaS platform coupled with an exclusive community of highly skilled testers. He formerly worked as Cobalt's Chief Executive Officer for nearly 10 years. Jacob's mission is to evolve traditional penetration testing services by engaging the best cybersecurity talent, via Cobalt’s Pentest as a Service (PtaaS) platform, and allowing customers to move from a static pentest to platform-driven pentest programs that drive better security and improve customers' return on investment.