Bug bounties have emerged as one of the key ways for companies to prevent catastrophic hacks.
In the past decade, hacking gradually became a respectable and potentially rewarding career thanks to the introduction of bug bounties.
While some organizations like Mozilla launched bug bounties all the way back in 2004, major impetus to the industry came when Google and Facebook rolled out similar programs in 2010 and 2011, respectively. Soon after, in 2011 and 2012, platforms like Bugcrowd and HackerOne commercialized bug bounties to make it easier for other companies to set them up.
Why are bug bounties useful?
Security audits and code reviews are limited both in time and in the number of eyes providing scrutiny. While they are useful to pick the lowest hanging fruit before releasing software to the public, some of the most serious bugs can result from the composition of many subtle design failures.
As a recent example of this, an independent researcher found a major bug in the ProgPoW algorithm despite multiple previous audits.
Recent hacks in decentralized finance, or DeFi, showcase the complexity of these systems. In the first bZX hack, the core of the exploit was a subtle failure to check for proper collateralization in the bZX smart contracts — but flash loans and other platforms provided the necessary tools to extract money through this bug.
Google’s program easily demonstrates that releasing safe code from the get go is nearly impossible. Its vulnerability reward program posted an unprecedented record of $6 million in payouts in 2019 — nine years after launch. During that period, the company had all the tools to perfect its internal security practices, but the complexity of its systems seems to have made that all but impossible.
Bug bounties in crypto
Many companies and projects in crypto will offer generous rewards for critical bugs. DeFi projects Maker, Compound and Aave have maximums of $100,000, $150,000 and $250,000 respectively.
Major exchanges like Kraken, Coinbase and Binance also provide bug bounty programs. Kraken has no explicit maximum, while Coinbase and Binance top out at $50,000 and $10,000, respectively. Not all major exchanges launched such programs — notably Huobi and Bitstamp.
It is worth noting that an advertised maximum payout does not necessarily make the program more attractive, as the sums paid are almost always at the discretion of the company.
Out of 458 reports submitted to Coinbase, the maximum payout was only $20,000, while the average is just $200. This is likely due to low severity of the bugs, but these statistics are important signals to researchers who must decide the platform to focus on. Some of the highest average payouts on Hacker One can be obtained from Monolith, Tron (TRX) and Matic, though the latter just launched its bug bounty program.
Can bug bounties save projects?
Hacking “success” stories like Coincheck, where the perpetrators of a $500 million hack were not caught after more than two years, may attract “black hat,” or fully malicious, hackers more than other industries.
According to a ranking of exchange security published by Hacken in 2019, 82% of all exchanges lack any bug bounty programs at all. Of those that do, and that are ranked highly in its list, only Binance suffered a major attack in 2019.
Curiously, both bZX and dForce had bug bounty programs in place before their incidents — but they had notable caveats.
bZX’s program only had a $5,000 maximum payment, and crucially required researchers to submit a proof of identity before collecting the reward. It also appears that it was only published on a Medium post. Following the incident, the project rectified all of the aforementioned issues.
DForce’s program likewise required submitting documents, and while its maximum payout was significant at $50,000, it only covered the USDx stablecoin system — not the Lendf.me platform that ended up being hacked.
While companies are obligated to withhold payment to researchers living in sanctioned regions, very few successful programs require a full identity check to receive money. From the perspective of a bug hunter, submitting identity documents may become a Damocles Sword due to frequent legal reprisals against fully legitimate hackers — thus discouraging them from applying.
Given all of the above, there appears to be a significant correlation between the presence of a fair bug bounty program and the incidence of catastrophic hacks.
Nevertheless, in a conversation with Cointelegraph, Egor Homakov, a well-respected security researcher, warned against “shaming” projects:
“Bounties shouldn’t be forced on any project, and the interest should come from within. Every project already comes with a bounty program by default, it’s just the bounties are equal [to] $0. I don’t think people should shame the programs for higher amounts. This market perfectly self-regulates, and doesn’t need any more research rage/demands.”
Judging from incident responses by some of the companies who were hacked, natural selection toward better bug bounties may be already happening.