What we are going to explore are the advantages of bug bounty programs. Now, remember, this is not only about bug bounty programs in crypto or at companies running ICOs; it is about bug bounty programs in general.
What Are the Advantages of Bug Bounty Programs?
So, before we begin, let's get into what a bug bounty program is. It is basically an arrangement made by a company that authorizes outside individuals to look for, and responsibly report, vulnerabilities in its systems in exchange for a reward. The reason companies do this is to find these issues before malicious actors do, preventing widespread misuse.
Traditional Penetration Testing
Before bug bounty programs became widespread, many companies used to do (and still do) traditional penetration testing, or as it is more colloquially called, "pen tests". So, what exactly are pen tests?
According to Wikipedia, Penetration tests “are an authorized simulated attack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment to be completed.”
Now, how is it any different from Bug Bounties?
By definition, it really isn't. The difference lies in the approach pen tests take as opposed to bug bounties. In fact, let's list some of the problems with that approach (shoutout to GBHackers):
- The number of people involved in a pen test is far lower than the number involved in a bug bounty program. This is why pen tests tend to take longer than bug bounty programs to cover the same ground.
- Since the number of testers is so limited, the testing scenarios and vulnerability checks are limited as well.
- Pen testers get paid in an "effort employed" model. What does that mean? They are paid for the time and effort they put in, not for the severity of what they find. The problem with this approach is that a smart hacker will not use the most obvious route into a system, while a time-boxed engagement rewards covering the obvious routes. If testers were incentivized to take a "quality first" approach, the results would be much more helpful.
- Pen testers usually do not work in a competitive atmosphere, which may dull the results of their work.
Finally, to quote Peter Whitfield, Director of Engineering at BigCommerce: "We have found that different penetration testers find different problems, sometimes problems that have been there for several years and missed in previous tests. With the bug bounty program, we got a hundred and twenty pairs of eyeballs on our system for a week instead of just one or two pairs for a week."
How does Bug Bounty Rectify This?
While the idea behind bug bounty programs is pretty similar to traditional penetration testing, the approach is the polar opposite. If you were to compare it to writing, think of a bug bounty as a competition where a lot of writers come together to compete against each other, and the writers with the best essays win the prize.
Let's look at the advantages that bug bounty programs have.
- While pen tests employ a very limited number of testers, lots of people with extremely diverse skill sets can take part in a bug bounty program.
- Since there are so many testers coming from so many different fields, the testing scenarios and vulnerability checks tend to be far more diverse and sophisticated as well.
- Bug bounty hunters get paid in a results-oriented model: a reward is paid per valid, unique finding, usually scaled by severity. This is why the bugs hunters find are usually of much higher quality, i.e., the kind of bugs a smart hacker would actually exploit.
- Since the whole idea of a bounty program is a competition, the atmosphere is far more competitive, which incentivizes hunters to give their all.
Common Misconceptions about Bounty Programs
Many companies are not that keen on open bug bounty programs because they think they are risky. The truth of the matter is: bug bounty programs are just as risky as any other security assessment program, no more and no less. As long as they are run properly, they shouldn't cause any problems.
This is why, as with anything, companies should plan for risk mitigation in their bounty programs.
(Note: We want to thank Bugcrowd for the content.)
If you belong to a company that feels a little apprehensive about running a bounty program, then this section is for you. We are going to go through some risks of such a program and then tell you what you can do to mitigate them.
#1 Target on Your Back
First and foremost, the very idea of inviting lots of hackers to poke around your backend may seem like a recipe for disaster. However, this is where a mindset change is needed. You must understand that the risk of staying vulnerable to attackers who were never invited far outweighs the risk associated with running a bug bounty program.
This is also why it makes sense to draw your bounty hunters from a vetted community, with a clearly defined scope and rules of engagement. Simple bugs and oversights have destroyed companies and projects that could have been revolutionary.
Remember the DAO hack? Keep that in mind because we will talk about it later.
#2 Budget Issues
A big issue most companies face when launching bug bounty programs is budgeting. They feel that a wide and open bug bounty program will put a lot of strain on their budget. As Bugcrowd states, this can be mitigated by running a "small–private, on-demand or Kudos only–program and throttle your incentives throughout the lifetime of your program."
Clearly state the goal and scope of the bounty program, and you won't need to suffer through sleepless nights.
#3 Unauthorized Disclosure
Another apprehension companies have is the unauthorized disclosure they may suffer at the hands of rogue bounty hunters. This risk can be mitigated through clearly articulated program terms (what is in scope, and how and when findings may be disclosed) and contracts. Most of the problems you may face in this category can be resolved quickly and without conflict.
The Need for Bug Bounty Programs in Crypto
There is a humongous need for bug bounty programs in crypto because:
- This is a very new field, so the chance of mistakes in smart contracts is high.
- The amount of money that could potentially be lost is huge.
In fact, remember the DAO hack we mentioned earlier? It is a perfect example of a potentially great project causing chaos in the ecosystem and losing millions of dollars because of an overlooked bug.
The DAO, aka the Decentralized Autonomous Organization, was a complex smart contract that was going to revolutionize Ethereum. It was basically going to be a decentralized venture capital fund for future DApps built in the ecosystem. The way it worked was straightforward. If you wanted any say in which DApps got funded, you had to buy "DAO Tokens" with a certain amount of ether. The DAO tokens indicated that you were now officially part of the DAO.
So, how were DApps going to get approved and funded? First, they needed to be whitelisted by the curators, who were well-known figures in the Ethereum world. After getting the curators' stamp of approval, a proposal was voted on by the DAO token holders. If the proposal reached 20% approval in the vote, it received the funds it needed to get started.
The potential of the DAO, and the flexibility, control and complete transparency it offered, was unprecedented, and people leaped in to get their share of the pie. Within 28 days of its formation it had accumulated over $150 million worth of ether in a crowdsale, about 14% of all ether issued to that date.
You might be wondering: that's all good, but how does one leave the DAO? What if a DApp you are not a fan of gets approved, how do you opt out then? To enable this, an exit door called the "split function" was created. Using this function you would get back the ether you had invested and, if you so desired, you could even create your own "Child DAO". In fact, you could split off together with other DAO token holders, create your own Child DAO and start accepting proposals for it.
There was one condition in the contract, however: after splitting off from the DAO you had to hold on to your ether for 28 days before you could spend it. So everything looked nice and spiffy... except for one little problem in the way the split function handed the ether back. A number of people saw this possible loophole and pointed it out. The DAO's creators assured everyone it was not going to be a big issue. It was, and that created the storm that split Ethereum into Ethereum and Ethereum Classic.
The DAO Attack
On 17th June 2016, someone exploited this very loophole and siphoned away one-third of the DAO's funds, around $50 million at the time. The loophole the hacker(s) discovered is pretty straightforward in hindsight.
If one wished to exit the DAO, they could do so by sending a split request. The split function then performed the following two steps, in this order:
- Give the user back their ether in exchange for their DAO tokens.
- Record the transaction and update the user's internal token balance.
What the attacker did was send the request from a contract whose code called back into the split function (a "reentrancy" attack) while the first call was still in progress, so the sequence became:
- Send the user the ether requested for their DAO tokens.
- Before the contract could update the balance, the attacker's code re-entered the split function and received even more ether for the same DAO tokens.
This went on and on until around $50 million worth of ether had been moved into a Child DAO, and, as you would expect, pandemonium broke out across the Ethereum community as the price of ether plummeted.
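To make the ordering bug concrete, here is a small Python model added for this article; it is not code from The DAO or from the original author. It models only the two steps described above: the vulnerable version pays out before updating the balance and hands control to the recipient during the payout, which is exactly the window the attacker used. It also goes one step beyond the text and shows the standard fix, updating the balance before paying out (the "checks-effects-interactions" pattern). The class and function names, the amounts and the `Attacker` logic are all constructed for the example, and the depth limit stands in for the gas limit that eventually stops a real reentrant call.

```python
"""Toy model of the ordering bug behind the DAO split attack (reentrancy).

Added teaching example, not code from The DAO or the original article.
It models only two things: the order in which the split function pays
out ether and updates the token balance, and the fact that paying a
contract hands control to that contract's code before the payout returns.
All names and amounts are constructed for the example.
"""


class VulnerableDAO:
    """Pays out first and zeroes the token balance afterwards (the DAO's order)."""

    def __init__(self):
        self.ether = 0        # ether held by the contract
        self.balances = {}    # holder -> DAO tokens (1 token == 1 ether here)

    def deposit(self, holder, amount):
        self.balances[holder] = self.balances.get(holder, 0) + amount
        self.ether += amount

    def split(self, holder):
        amount = self.balances.get(holder, 0)
        if amount == 0 or amount > self.ether:
            return
        # Step 1: send the ether. Sending to a contract runs that
        # contract's code before control comes back here.
        self.ether -= amount
        holder.receive(self, amount)
        # Step 2: only now is the holder's token balance updated.
        self.balances[holder] = 0


class SafeDAO(VulnerableDAO):
    """Checks-effects-interactions: update the balance before sending."""

    def split(self, holder):
        amount = self.balances.get(holder, 0)
        if amount == 0 or amount > self.ether:
            return
        self.balances[holder] = 0     # effect first ...
        self.ether -= amount
        holder.receive(self, amount)  # ... external interaction last


class Attacker:
    """A contract whose receive hook re-enters split() while it is still running."""

    def __init__(self, stake, max_depth=50):
        self.stake = stake
        self.max_depth = max_depth  # stands in for the gas limit (assumption)
        self.depth = 0
        self.loot = 0

    def receive(self, dao, amount):
        self.loot += amount
        # Re-enter only while the contract can still pay; a failed send
        # would abort the whole transaction and undo the drain.
        if self.depth < self.max_depth and dao.ether >= self.stake:
            self.depth += 1
            dao.split(self)


def run_attack(dao_cls, honest_funds=1_000, stake=100):
    """Return (attacker's loot, ether left in the contract) after one split()."""
    dao = dao_cls()
    dao.deposit("honest holders", honest_funds)  # they never call split here
    attacker = Attacker(stake)
    dao.deposit(attacker, stake)
    dao.split(attacker)
    return attacker.loot, dao.ether


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableDAO))  # (1100, 0): whole pot drained
    print("fixed:     ", run_attack(SafeDAO))        # (100, 1000): only own stake
```

With the vulnerable ordering a single 100-ether stake empties the contract, honest holders' funds included; with the balance updated first, the re-entrant call finds a zero balance and returns, so the attacker gets back only what they put in. In real Solidity code the other widely used defence is a reentrancy guard (a mutex flag set for the duration of the call), and the two are commonly combined.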
The DAO incident is a perfect example of what happens when bugs are overlooked. The sheer amount of money lost is staggering, and the really sad part is that it could have been prevented. We hope this article impresses upon you the importance of bug bounty programs.