Testing by an army of hackers may help improve the security of crypto systems, but is that already enough?

In the last decade, hacking gradually became a respectable and potentially rewarding career thanks to the introduction of bug bounties.

While some organizations such as Mozilla launched bug bounties as early as 2004, the biggest boost to the industry came when Google and Facebook launched similar programs in 2010 and 2011, respectively. Soon after, in 2011 and 2012, platforms like Bugcrowd and HackerOne commercialized bug bounties, making it easier for other companies to set them up.

A bug bounty pays independent researchers who find and report vulnerabilities that could impact the security of a system or its users. One of the most common vulnerability classes is Cross-Site Scripting (XSS), in which an attacker injects malicious JavaScript that then runs in a user's browser.

Because of the way JavaScript permeates the web today, such an attack can essentially be used to hijack a victim's account, and Google will pay up to $7,500 for this category of bugs.

Why are bug bounties useful?

Audits are limited in both time and the number of eyes that provide scrutiny. While they are useful for catching "every last rotten fruit" before software is released to the public, some of the more serious bugs can result from the composition of many subtle design flaws.

As a recent example of this, an independent researcher found a major bug in the ProgPoW algorithm despite multiple previous audits.

Recent hacks in decentralized finance, or DeFi, show the complexity of these systems. In the first bZx hack, the core of the vulnerability was a subtle failure to verify adequate collateral in bZx's smart contracts, but flash loans and other platforms provided the tools needed to extract money through this bug.

Google's bounty program clearly demonstrates that shipping secure code from the start is almost impossible. Its bug bounty program paid out an unprecedented $6 million in 2019, nine years after launch. During that period the company had every tool to perfect its internal security practices, yet the complexity of its systems seems to have made this nearly impossible.


Crypto bug bounties
Many companies and crypto projects offer generous rewards for critical bugs. The DeFi projects Maker, Compound and Aave have maximum rewards of $100,000, $150,000 and $250,000, respectively.

Major exchanges such as Kraken, Coinbase and Binance also offer bug bounty programs. Kraken has no explicit maximum, while Coinbase and Binance go up to $50,000 and $10,000, respectively. Not all major exchanges have launched such programs, notably Huobi and Bitstamp.

It is worth noting that an advertised maximum payout does not necessarily make a program more attractive, as the amounts actually paid are almost always at the company's discretion.

Of the 458 reports sent to Coinbase, the maximum payout was only $20,000, while the average is only $200. Some of the highest average payouts on HackerOne come from Monolith, Tron (TRX) and Matic, although the latter has only just launched its bug bounty program.
