Ethereum Bug Bounties

For those who may confuse the term ‘bug bounty’ with an insect hunt, according to Wikipedia:

“A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse.” 

Bug bounty programs have become more commonplace in the internet industry since Netscape launched the first of its kind in 1995 for its Netscape 2.0 browser. While the browser was in beta, Netscape invited hackers, programmers, and anyone with the technical skill to find vulnerabilities in its software, including backdoors, in exchange for cash.

Fast forward to the present and the bug bounty programs run by major companies like Uber, Facebook, and Snapchat still follow the model Netscape created. One big difference, however, is that many of these bounties now offer payment in a cryptocurrency, such as Bitcoin (BTC) or Ether (ETH), in addition to fiat currency. With incentives ranging from a few dollars per bug for small startup bounties to hundreds of thousands of dollars for bugs found in Google and Apple programs, bug bounties have become a standard for tech companies looking to test the security of their applications while strengthening their overall code infrastructure.

Ethereum’s own bug bounty program has run continuously since early 2015 and has helped secure the network and Proof of Work (POW) algorithms.

Ethereum’s bug bounty site states:

“Ethereum has a clear goal: delivering stable protocols and secure software. We call on our community and all bug bounty hunters to help us deliver flawless protocols and clients. Earn cold hard cash for finding a vulnerability and get a place on our leaderboard.”

One of the leading bug bounty platforms is HackerOne, a San Francisco-based company founded by Facebook, Microsoft, and Google security experts. Using HackerOne’s simple interface, clients can set up a bug bounty project that defines their needs, rules, and incentives. HackerOne serves as an intermediary between companies and hackers (also called security ‘researchers’ or ‘finders’), matching and assigning appropriate hackers based on the specific needs of a project. Users on the platform are also free to invite other hackers to submit vulnerability reports. HackerOne supports bug bounty programs on and off the blockchain and even hosts an annual hackathon event in Las Vegas where hackers from across the globe seek out ‘bugs’ in real time before a live audience.

At the other end of the spectrum, there are decentralized bug bounty programs that exist purely as smart contracts. Glass Hunt is an anonymous organization that is considered a playground for developers and interested individuals who wish to hack blockchain technology in order to help it grow.

A proposed automated bug bounty framework for Ethereum smart contracts, “Put Your Money Where Your Contract Is,” created by Ron Meron, describes a mechanism that allows authors of high-stakes contracts to create a trustless, Ethereum-based bug bounty. The bounty is created after the high-stakes contract is published, but before the contract is put into action. Simply put, the bounty runs before the contract goes into full effect.

For blockchain networks like Ethereum, crowdsourced bug bounties provide a much-needed service for the security of smart contracts and the fairness of the applications built on them. Bounties incentivize outside researchers to find and fix issues that could lead to Ether theft, and to correct flawed game-theory and probability models in online gambling platforms that rely on random-number generation. As more vulnerabilities are discovered by bug bounty hunters, the blockchain ecosystem can only become stronger and more secure.