Thursday, June 11, 2020 1:23:07 PM
ANDREY SHEVCHENKO
https://cointelegraph.com/news/an-army-of-hackers-can-make-crypto-safer-but-is-enough-being-done
Bug bounties have emerged as one of the key ways for companies to prevent catastrophic hacks.
In the past decade, hacking gradually became a respectable and potentially rewarding career thanks to the introduction of bug bounties.
While some organizations like Mozilla launched bug bounties all the way back in 2004, major impetus to the industry came when Google and Facebook rolled out similar programs in 2010 and 2011, respectively. Soon after, in 2011 and 2012, platforms like Bugcrowd and HackerOne commercialized bug bounties to make it easier for other companies to set them up.
A bug bounty pays independent researchers who find and report vulnerabilities that could have a security impact on the system or its users. One of the most common vulnerabilities is the so-called Cross-Site Scripting (XSS) attack, which injects malicious JavaScript code into a user’s browser.
Due to the way JavaScript permeates the web today, this attack can be used to essentially hijack a victim’s account, and Google will pay up to $7,500 for this category of bugs.
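As an added example (not code from the article or from any company it names), the JavaScript below contrasts the pattern behind a typical XSS bug, untrusted text concatenated straight into HTML, with the standard defence of encoding every untrusted value where it is written into markup. The comment author and text are constructed sample input, and `containsActiveMarkup` is a review heuristic written for this example, not a sanitizer.

```javascript
// Added example, not code from the article or from any program it names.
// It contrasts the vulnerable pattern behind most XSS bugs (untrusted text
// concatenated into HTML) with the standard defence: HTML-encoding every
// untrusted value at the point where it is written into markup.

// Encode the five characters that can change HTML structure or break out of
// an attribute value. Everything else is passed through unchanged.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable: the display name and text are placed into the page verbatim,
// so any markup the user typed becomes part of the document and is parsed
// (and any script in it executed) in the browser of every visitor.
function renderCommentUnsafe(author, text) {
  return `<div class="comment"><b>${author}</b>: ${text}</div>`;
}

// Hardened: the same template, but every untrusted value is encoded first.
// The browser now displays the user's text literally instead of parsing it.
function renderCommentSafe(author, text) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Review aid (heuristic, constructed for this example): report whether a
// rendered fragment still contains an unencoded script tag or an inline
// event-handler attribute. It demonstrates the difference between the two
// renderers; it is not a substitute for encoding or a real sanitizer.
function containsActiveMarkup(html) {
  return /<\s*script\b|\bon\w+\s*=/i.test(html);
}

// Constructed sample input: a display name that carries a script tag.
const sampleAuthor = 'mallory<script>alert(1)</script>';
const sampleText = 'Nice write-up!';

const unsafeFragment = renderCommentUnsafe(sampleAuthor, sampleText);
const safeFragment = renderCommentSafe(sampleAuthor, sampleText);

console.log('unsafe fragment contains active markup:', containsActiveMarkup(unsafeFragment)); // true
console.log('safe fragment contains active markup:  ', containsActiveMarkup(safeFragment));   // false
console.log(safeFragment);
```

The encoding has to happen at the output boundary, in the renderer, rather than on the way into the database: the same stored value may later be written into an attribute, a URL or a JavaScript string, each of which needs its own encoding, and input-side filtering cannot know which context the value will end up in.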
Why are bug bounties useful?
Security audits and code reviews are limited both in time and in the number of eyes providing scrutiny. While they are useful for picking the lowest-hanging fruit before releasing software to the public, some of the most serious bugs result from the composition of many subtle design failures.
As a recent example of this, an independent researcher found a major bug in the ProgPoW algorithm despite multiple previous audits.
Recent hacks in decentralized finance, or DeFi, showcase the complexity of these systems. In the first bZX hack, the core of the exploit was a subtle failure to check for proper collateralization in the bZX smart contracts — but flash loans and other platforms provided the necessary tools to extract money through this bug.
Google’s program easily demonstrates that releasing safe code from the get go is nearly impossible. Its vulnerability reward program posted an unprecedented record of $6 million in payouts in 2019 — nine years after launch. During that period, the company had all the tools to perfect its internal security practices, but the complexity of its systems seems to have made that all but impossible.
Bug bounties in crypto
Many companies and projects in crypto will offer generous rewards for critical bugs. DeFi projects Maker, Compound and Aave have maximums of $100,000, $150,000 and $250,000 respectively.
Major exchanges like Kraken, Coinbase and Binance also provide bug bounty programs. Kraken has no explicit maximum, while Coinbase and Binance top out at $50,000 and $10,000, respectively. Not all major exchanges have launched such programs; Huobi and Bitstamp notably have not.
It is worth noting that an advertised maximum payout does not necessarily make the program more attractive, as the sums paid are almost always at the discretion of the company.
Out of 458 reports submitted to Coinbase, the maximum payout was only $20,000, while the average is just $200. This is likely due to the low severity of the bugs, but these statistics are important signals to researchers who must decide which platform to focus on. Some of the highest average payouts on HackerOne can be obtained from Monolith, Tron (TRX) and Matic, though the latter only just launched its bug bounty program.
Can bug bounties save projects?
Crypto infrastructure poses an ideal target to hackers due to its cash-like properties, as stealing digital money from a bank is much harder.
Hacking “success” stories like Coincheck, where the perpetrators of a $500 million hack were not caught after more than two years, may attract “black hat,” or fully malicious, hackers more than other industries do.
According to a ranking of exchange security published by Hacken in 2019, 82% of all exchanges lack any bug bounty programs at all. Of those that do, and that are ranked highly in its list, only Binance suffered a major attack in 2019.
Curiously, both bZX and dForce had bug bounty programs in place before their incidents — but they had notable caveats.
bZX’s program had only a $5,000 maximum payout and, crucially, required researchers to submit proof of identity before collecting the reward. It also appears that it was only published in a Medium post. Following the incident, the project rectified all of the aforementioned issues.
dForce’s program likewise required submitting documents, and while its maximum payout was significant at $50,000, it only covered the USDx stablecoin system — not the Lendf.me platform that ended up being hacked.
While companies are obligated to withhold payment from researchers living in sanctioned regions, very few successful programs require a full identity check to receive money. From the perspective of a bug hunter, submitting identity documents may become a sword of Damocles due to frequent legal reprisals against fully legitimate hackers, thus discouraging them from applying.
Given all of the above, there appears to be a significant correlation between the absence of a fair bug bounty program and the incidence of catastrophic hacks.
Nevertheless, in a conversation with Cointelegraph, Egor Homakov, a well-respected security researcher, warned against “shaming” projects:
“Bounties shouldn't be forced on any project, and the interest should come from within. Every project already comes with a bounty program by default, it's just the bounties are equal [to] $0. I don't think people should shame the programs for higher amounts. This market perfectly self-regulates, and doesn't need any more research rage/demands.”
Judging from the incident responses of some of the companies that were hacked, natural selection toward better bug bounties may already be happening.