Hacker bounties: Who are the biggest spenders, why companies need them, and are they really needed?
Crypto companies often find out the hard way that hackers know their security systems better than they do. As hacks in the crypto world can and often do result in hundreds of millions of dollars worth of tokens being stolen, the fate of a company’s future can often ride on its security measures. In an effort to batten down the hatches, companies offer bug bounties.
These bounties are essentially competitions in which hackers are encouraged to try to compromise software. The hackers then submit a vulnerability report to the respective companies so that they are able to patch the bugs before they are exploited. As a reward, successful hackers are paid a bounty.
Most companies offer bounties on a staggered scale, with the reward price corresponding to the severity of the bug. Bounties start from around $50 to $100 for low-level fixes and are usually capped at around $10,000 for critical bugs. In a few rare cases, hackers have been awarded more.
Katie Moussouris, founder and CEO of Luta Security, who launched both Microsoft’s and the Pentagon’s first bug bounties, explained to Cointelegraph how bug reward schemes can be of use:
“Bug bounties are most useful and efficient as a supplement to proactive security activities focused on preventing and detecting vulnerabilities inside organizations first. Once organizations have established good security practices, bug bounties can help identify security bugs that organizations missed. Bug bounties on their own aren’t enough.”
Most companies that develop software have bug bounties. In the crypto world, the need for such programs is equally important, regardless of company size. According to a report conducted by HackerOne, companies paid out $878,000 in bug bounties in 2018. Guido Vranken, a Dutch researcher who received a $120,000 payout from EOS after discovering 12 bugs within seven days, told Cointelegraph that the stakes are high for crypto companies:
“For a global digital currency there’s arguably a lot more at stake than many other projects or websites. Theft of assets is the most tangible example, but due to the synergy between publicity and exchange rates, net losses might also result from a widely publicized vulnerability.”
One of the most recent bug bounties comes from the global messaging app Telegram. Announced on its Telegram Contests channel on Sept. 24, the company is calling for developers to exploit the TON blockchain and submit a vulnerability report.
If hackers can exploit a bug in the TON blockchain to the extent that they are able to steal funds from the wallet of another user, Telegram will pay out up to $200,000, a sum that matches Augur’s critical issue bounty as one of the largest rewards in crypto history. The contest is taking place against the backdrop of the hotly anticipated launch of Telegram’s native digital token, Gram, in late October.
EOS takes the top spot
Although it’s tempting to think that smaller, newer companies may be the most active in providing bug bounties, Block.one, the company behind EOS, took the top spot in 2018 for bounty rewards with $534,500, paying out 60% of all bounties that year, according to a report.
According to the EOS profile on HackerOne, the company will pay a maximum of $1,000 for a low-risk report and a maximum of $10,000 for a critical report. The profile also notes that the final amount is always decided at the discretion of a reward panel, with higher rewards given to exceptional vulnerabilities.
Following the launch of the EOS bounty program in May 2018, Vranken explained how the company had tightened up its approach to security in the wake of his discoveries:
“Reported bugs were quickly analyzed and fixed in their public repository. At first the process was very ad-hoc because [EOS CTO] Daniel Larimer and I were sending files back and forth on Telegram, but they’ve since started to run a bug bounty program on HackerOne which I think is in the best interest of both bug finders and the EOS team.”
EOS has continued to pay out rewards to hackers in 2019, handing out bug bounties for five critical vulnerabilities so far. On Jan. 10, EOS awarded a total of $40,750 to five white hat hackers through HackerOne, with another researcher receiving a further $10,000 bounty.
Coinbase is the second-biggest spender
One of the world’s largest cryptocurrency exchanges, Coinbase, is the second-largest spender on bounties, allocating a total of $290,381 in 2018. The company has experienced a number of high-profile issues since a significant increase in users in mid-2017, resulting in delayed or missing funds as well as service blackouts.
The company gave out a further $30,000 in rewards in February 2019 for reporting a critical bug, according to Coinbase’s vulnerability disclosure program. At the time, the bug earned the largest-ever reward on the platform, although the details of the bug were not made public. Coinbase operates a four-tier bounty program in which it will pay $200 for a low-risk case, $2,000 for a midlevel issue and up to $50,000 for critical bugs.
According to Coinbase’s HackerOne profile, a critical impact exploitation comprises a situation in which attackers “can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.”
The company also laid out its guidelines for assessing low-impact issues: “Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of system.”
With regard to fixing reported issues, the company has a history of being slow on the uptake. After a Dutch company discovered a smart-contract glitch that allowed users to steal “as much as they want” in Ethereum (ETH), Coinbase reportedly took a month to fix it. Coinbase paid out a $10,000 reward to the company behind the discovery.
Tron comes in third
The Tron Foundation, which is behind the TRX coin, was the third-largest spender on bug bounties, totalling $78,800 for 15 reports. As of now, the company has paid a total of $85,400 in bounties, with its highest, at $10,000, going to HackerOne user nu11pe for an undisclosed report.
The company’s bounty program will pay $100 for a low-risk vulnerability, $3,000 for medium-risk, $6,000 for high-risk and up to $10,000 for critical issues. Tron’s HackerOne profile describes critical faults as “bugs which can take control of java-tron nodes by remote execution of any code,” as well as those that can cause private key leakage.
In May, the company disclosed a critical vulnerability that could have brought down its blockchain. The announcement on HackerOne states that an attacker could have exhausted all available memory through a distributed denial of service, or DDoS, attack on the TRX network by deploying malicious code in a smart contract.
The company added that one individual could carry out the DDoS attack using a single machine to attack all, or 51%, of the senior nodes, thereby rendering the network unusable. Although the bug was reported on Jan. 14, it was only publicly announced after it had already been fixed. The researcher behind the vulnerability was awarded $1,500.
Bug bounties are not a perfect system
While bug bounty programs clearly create a healthy environment in which companies reward ethical hacks on their systems, the concept is not without its critics. Most recently, prominent crypto figure Dovey Wan criticized Telegram’s decision to open up development on its smart contract. Wan appeared to criticize the event as an example of the company failing to reinvest in its software development processes, saying:
“Sorry but a project raised over a billion, with over 500mm users can’t even properly make a reasonable block explorer? I have to doubt what’s the priority level of this TON network within Telegram’s team and how they will use their mega treasure on crypto-related stuff.”
Luta Security CEO Katie Moussouris told Cointelegraph that although bug bounties are effective for pointing out important loopholes in existing security structures, they are no replacement for having a dedicated security process in place:
“Companies can’t use bug bounties as a cheap alternative for due diligence in security. Simply asking strangers to point out flaws without having the capacity to fix them is one way overusing bug bounties can quickly overwhelm organizations.”
Vranken told Cointelegraph that, based on his experience as a researcher, a crypto company’s having a bug bounty program is a signal that the company can be trusted:
“I’d sooner trust a cryptocurrency project that has a properly operating bounty program in place than one that doesn’t. This stance is shaped by my experience as a researcher and my awareness of the fact that even widely used software is not necessarily undergirded by serious scrutiny of its code without a proper incentive.”
Vranken went on to add that it is extremely difficult to build software without bugs, no matter the level of talent or amount of money put forward:
“If nothing else, a bug bounty program establishes a formal channel for reporting bugs and signals non-hostility towards researchers by vowing to appreciate their work (through financial compensation).”
The current bug bounty system relies on hackers acting responsibly, either out of moral inclination or because of the rewards offered. While it may seem feasible that hackers could hold out for more money than the scheme advertises, or sell details of the flaw to competitors, Moussouris said that the demand for such information is not as high as many perceive:
“There are not infinite bug buyers waiting to buy up every bug — that’s a common myth. However, in cryptocurrency, there are likely more buyers for bugs than in other areas. That being said, if bug hunters prioritize profits, they may very well choose to exploit rather than sell the bugs they find in cryptocurrency, for more direct profit.”
Although the rewards advertised by both cryptocurrency and software companies around the world may give the impression that bug bounty hunting can offer a lucrative career, the reality is that competition is high and access is not evenly divided. Moussouris explained to Cointelegraph that those who are invited to private bug bounties often have a competitive edge:
“It is usually a lot of work that goes uncompensated, especially if the types of bugs the hunter knows how to find are relatively common classes of bugs. Only the first person to report a particular vulnerability gets paid, so bug bounty hunters who are the most successful tend to be the ones who are invited to private bug bounties with fewer competitors.”
For Vranken, bug bounty hunting is a mixed bag, as the reward does not always match up to the time put into a project:
“Compared to contractual work which stipulates effort and reward in advance, bug bounties can be elating (when you come upon a trove of bugs that gets rewarded profoundly) or frustrating (spending a lot of time on something without achieving results, or receiving a lower reward than you expected).”