A bug bounty program invites hackers to identify bugs in exchange for a fee, recognition, or both. The incentive is typically financial compensation paid by the firm for a hawk-eyed dissection of its code. Once the flaws are identified, they are rectified.
Nonetheless, hunters face many challenges: token price dumps (more so when many competitors are drawn in by higher awards), long vesting periods and sometimes not being listened to. Willing participants ought to be protected and paid as quickly as possible.
Often a highly rated project has a meticulously designed program yet does not live up to its advertised expectations. Hunters, walled off by an unresponsive team, bail out as a result, but not before labelling the project a scam and broadcasting their grievances across the media.
Unfortunately, few platforms offer practical solutions to talented bounty hunters, but there is hope. Participating in the bounties of even highly rated projects usually earns a hunter only a meagre profit because of the huge price dump and the overly long wait for the reward. The service provided by the Tokpie exchange solves this problem.
Tokpie provides a marketplace where bounty hunters can deposit, sell and buy bounty stakes for Ethereum, just like any other altcoin. So, instead of a long wait for an uncertain reward denominated in bounty tokens, hunters can get ETH immediately. Moreover, hunters can take Ethereum upfront by selling bounty stakes that have not yet been earned.
A Trail of Damages
Black hat hackers are often labelled as thieves. Their actions conjure bad memories, and Binance is the latest high-profile victim: hackers struck and stole over $40 million worth of BTC. Wounded, the blockchain community is actively searching for a long-term solution. Luckily, it is not short of ideas.
For example, there is an active campaign advocating decentralized exchanges (DEXs), while others are calling for peer-to-peer trading. That could explain the rise of peer-to-peer options, the crypto binary trading offered by Bulls Vs Bears being one example. In a P2P arrangement, the exchange has no control over a client's funds: settlement is done on the blockchain and operations are controlled by smart contracts that guarantee reliability and transparency.
White hat hackers counter the actions of black hats. They are well-intentioned cybersecurity experts, or in simple terms, hackers who perform penetration tests for a fee. When they identify weaknesses in an organization's code or architecture, these individuals or groups are rewarded through bug bounty programs.
The Skew: Bounties Favor Projects, not Hunters
Granted, bounty programs are precautionary, considering the reputational damage a bug can inflict if it is exploited.
In 2018, EOSIO and Block One, the publishers of the EOSIO platform, announced a bounty program. Within a day, several flaws had been identified by one talented Dutch ethical hacker, Guido Vranken. In that week alone he raked in $120k after pointing out 11 security vulnerabilities, and it was reported that Block One offered him a job on the strength of that work. Guido has also taken part in similar programs at Ripple, Ethereum and Stellar.
Here's what he said:
“The EOS people appreciate my efforts. Reported bugs were quickly analyzed and fixed in their public repository. At first, the process was very ad hoc because [EOS CTO] Daniel Larimer and I were sending files back and forth on Telegram, but they’ve since started to run a bug bounty program on Hacker One which I think is in the best interest of both bug finders and the EOS team.”
Evidently, working in a top-tier bounty campaign pays. It should also be noted that bounty programs help the projects themselves for several reasons; from the firm's point of view the benefits are nearly self-explanatory, as it is the one issuing the incentives.
Advantages to the Firm
EOS, for example, had raised $4 billion in its year-long ICO and had money to offer hunters willing to nitpick its code. Without making assumptions, these are the advantages of a bug bounty program.
First, the more bugs are found and fixed, the wider the pool of applicants grows. Note that bounty programs are usually open, and applicants and participants are diverse and often global. Second, the earlier a program is announced, the more likely it is that kinks will be identified in time and straightened out. Third, the more open a program is and the higher its reward, the more participants it attracts, and that alone makes the checking rigorous; the more rigorous it is, the lower the likelihood of bugs slipping through unnoticed. Last, while a bounty is running, the development team can (though not always, because of management demands) spend its time on other projects as the code is combed.
Facebook's Libra Association plans to roll out its Libra coin sometime in 2020 despite regulatory headwinds. As it prepares, it has a bounty program in place: any hunter who identifies a systemic bug whose exploitation would expose the network and slow the association's progress will be rewarded with $10,000.
To Cap It Off
Until viable options are implemented, patience is paramount. In the meantime, it should be realized that bug hunting is not about competition; if it were, new bug hunters would not be interested and would have no incentive to stick around for long. In keeping with the spirit of blockchain, bounty programs are communal and thrive on cooperation.