08 March 2018

Blockchain, Bug Bounties and Björk

Rajesh Krishnan

Two days ago, the US Securities and Exchange Commission clarified its position on cryptocurrencies, a hot topic in the investment world, and one that seems to get more heated with each rise and fall in their value. In the SEC’s announcement, it stated that all coin exchanges must register as an Alternative Trading System. Take a look at who’s currently on the list, and you won’t find it stacked with cryptocurrency exchanges. They aren’t eager to be regulated while growing and establishing a brand.

Since the core of any exchange’s brand is security, is it any wonder that blockchain technologies (and related companies) have started announcing bug bounties in droves? There are a variety of reasons to explain this new trend:

  • Blockchain’s poster child—cryptocurrencies—is on fuego due to increased interest and transaction ease. With roller-coaster-level fluctuations, there was about $400 billion in “circulation” among the Top 100 coins in early March 2018, per https://coinmarketcap.com/. About 40% of that is Bitcoin.
  • Blockchain companies that enable cryptocurrencies, such as wallets and exchanges, add to the ecosystem. New technology and terms are added regularly, such as uncles, oracles, and smart contracts.
  • All of these companies’ defenses get tested regularly by the usual gamut of security researchers with hats from white to black. Very regularly.
  • Companies are easily raising money via ICOs, or Initial Coin Offerings. Even Forbes has advice on it, though pitfalls are announced daily.
  • Björk is in on it.

Bug bounties are commissions paid out to motivate ethical security researchers to find and report security vulnerabilities. Synack offers bug bounties to motivate our highly qualified team of crowdsourced ethical hackers, among other techniques such as holding contests, award events, and ever-changing cool swag.

In a category that touts its resilient security characteristics, many companies have hit upon bug bounties in an attempt to send a message that their security bona fides are strong. Among cryptocurrencies alone, six of the top ten have announced bug bounty programs in the last year. However, sending a message is sometimes just a good publicity stunt; it’s much more difficult to back it up with actual security.

As a user of these blockchain technologies, you should make informed decisions about how the business is secured. Bug bounties are one part of securing a business, just as blockchain is one technology for assisting in the exchange of value. Giving security researchers and companies the ability to increase security together takes a combination of technology, services, and motivation methods. With that in mind, here are three questions that can inform your evaluation of a cryptocurrency company.

  1. Are the researchers good? Many of the best security researchers who participate in bug bounty programs do so for learning and fun… but cash is king. Among cryptocurrencies, the ones that pay in cash rather than only in cryptocurrency may be better able to attract quality researchers. TenX’s bug bounty pays in real dollars, with respectable amounts listed. That’s a good sign. Synack’s approach to researcher quality is to work only with the best, test them ourselves, and pay them very well.
  2. Is the program active? Active programs are more likely to find the severe vulnerabilities that security teams crave. When researchers spend more time on a target, they are educating themselves on how to deliver better and better vulnerabilities. To avoid program inactivity, constant program attention can encourage researcher engagement. At Synack, our Mission Ops team constantly communicates with the Synack Red Team, changes reward schemes, and pays out lightning-fast bounties to encourage continued hacking. Synack measures actual hacking activity through our LaunchPoint™ platform to get a true understanding rather than waiting for results to come in. Absent that data, look for secondary signs that a bug bounty program has real activity. For example, here’s Kraken’s Bug Bounty Program. Their Hall of Fame should grow regularly over time, regardless of whether the vulnerabilities are publicized or not (and they probably won’t be, for security reasons).
  3. Blockchain ≠ Security ≠ Bug Bounty. The fundamental blockchain concept and technology is too young to be universally deemed capital-S Secure. Let’s give it the benefit of the doubt and say it’s looking more like Diffie-Hellman than ROT13 on the spectrum of “secure”. While your preferred technology’s blockchain itself may be secure, the overall product offering may not be. There are the normal web portal and payment technologies that are completely separate from the blockchain. Again, cryptocurrencies are illustrative of the issues faced by blockchain companies overall. Cryptocurrency attacks of note are usually pretty simple—clipboard modifier, anyone? (That is malware that silently swaps a copied wallet address for the attacker’s, and it never touches the blockchain at all.) Hacker-powered security is one technique to enhance security, but look for others, such as a strong security culture, good code, regular monitoring, and a host of other processes.

It’s still early days for blockchain and bug bounties. About $7 billion in Bitcoin is traded in a day, compared to $5 trillion in analog currencies (Source: Bank for International Settlements). As the 1000:1 gap narrows with increased trading, so will the motivation for all researchers to find security holes grow. Kudos to the companies – including our clients – that are already working with ethical researchers in a holistic, full-service fashion that respects the researchers’ generous contributions to their success.


Rajesh F. Krishnan