What is a bug bounty programme?

In the cybersecurity business, and particularly when it comes to blockchain, many companies use a bug bounty programme. But what is it?

With over $1.5 billion worth of cryptocurrency stolen in 2018, the industry has proven to be a paradise for hackers. All the talk of blockchain technology being secure doesn’t make it bulletproof. And as for secondary software like wallet providers and exchanges, many still remain woefully vulnerable. This is where preventative initiatives like a bug bounty programme come in.

What exactly is a bug bounty programme?

In reality, ‘bug bounty’ has become the buzzword du jour. Other names for this type of cybersecurity activity are ethical hacking, white hat hacking, vulnerability rewards programme (VRP), and so on.

However, the key difference between a bug bounty programme and white hat hacking in general is that the programme is initiated by the company itself. The company actively invites hackers to look for flaws in its systems and compensates them when they find one.

Many websites and software vendors pay a healthy compensation to ethical hackers who find flaws and report them. The bug reports need to contain enough information for the company to be able to reproduce the vulnerability themselves.

Compensation is according to the size and scale of the vulnerability and the impact it could have. According to sources, Mozilla typically paid out a flat fee of $3,000 per bounty, whereas Facebook has paid up to $20,000. Apple even shelled out as much as $200,000 for a flaw in its iOS secure boot firmware components.

Stopping the hackers before the damage is done

Staying one step ahead of hackers is essential. That’s why blockchain companies should always have some kind of bug bounty programme or Ongoing Crowdsource Security Assessment (OCSA) in place. However, according to research on the top 100 cryptocurrency exchanges, only 13% of them do.

Bug bounty programmes are usually very effective, but they can be controversial. After all, you’re essentially incentivising illegal activity – or worse, encouraging hackers who already steal funds to make an extra living.

That said, a bug bounty programme can also result in employment and long-lasting relationships, as is the case with cybersecurity specialists Red4Sec and NEO.

An example of ethical hacking as a service

According to the co-founders of Red4Sec, Fernando Díaz Toledano and Jaime Kindelan, bug bounty programmes are even more relevant in blockchain than traditional internet applications. Why? Because of blockchain’s immutability.

Jaime explains: “The main difference is that if you commit an error with blockchain, it is immutable. So, if you find an issue, it’s much harder to fix. The blockchain is designed to not be changed. So it’s much more important to be aware of all the potential problems in the initial phase.”

Fernando echoes his words: “If you find a flaw in the blockchain, it’s not that easy to change it. It’s already written in the blockchain, it’s not like the web. Like with the hacks, once the funds have gone, they’ve gone. So it’s much more critical to concentrate on security and prevention in the initial phase.”

This is where ethical hacking (or bug bounties) comes into play. The Red4Sec team has offered traditional cybersecurity services for many years. But, impassioned by new technology and always on a quest to learn more, they began analysing blockchains in 2017 and decided to focus on NEO.

Jaime recalls: “Through our analysis, we found a couple of important vulnerabilities and we reported them to NEO. They liked how we did it, they gave us compensation and a three-month trial monitoring their blockchain. Since then, we have kept working with them and the City of Zion developers as well.”

Fernando interrupts: “We have a very good relationship with them now, we’re actually members of the City of Zion and we’re also members of the NEO core development team. We’re very close.”

Putting yourself in the shoes of a hacker

I ask what’s the first thing they do when looking for ways to hack a blockchain. And for readers who didn’t know, it’s a myth that blockchains cannot be hacked. It’s just that the effort vs reward trade-offs are higher on some blockchains than others.

Hacking the Bitcoin blockchain, for example, is technically possible, but it would require the resources of a small country and the payout would be less than the expense. Smaller blockchains and certainly private blockchains are much easier targets.

Jaime continues: “What we do is analyse the code of the application, the smart contract, or the blockchain itself and ensure that there are no security vulnerabilities.

“Then we do an auditorial phase… We put ourselves in the shoes of the hacker and try to think about how a hacker would attack and how they would steal the money. Once we have found the way in, we correct it so that the window of opportunity is gone.”

Final thoughts

Bug bounties, ethical hacking, and any type of programme that finds flaws before hackers do are vital to the continued security and evolution of blockchain technology.

Companies like Red4Sec certainly have plenty of work, considering the sheer volume of breaches and hacks in exchanges, blockchains, and smart contracts. However, even when contemplating an increasingly large attack surface, this team isn’t deterred. They still believe that blockchain is the future and that all applications will eventually migrate to it.

And while there are plenty of breaches, Fernando ends on a positive note: “When we started in blockchain security, we definitely saw a lot of projects that were lax with their security and didn’t look into it enough. We’ve seen much more awareness over security lately, and it’s definitely improving.”