Crypto is the new bank of the internet, and the new playing ground for hackers looking to access millions from the comfort of their computers. But is it possible to turn a black hat hacker into a white hat hacker? Can companies provide enough incentives to drive crypto innovation and incentivize security efforts? In this article we will explain what bounties are, how they work and the benefits and disadvantages of having them.
What is a bounty
If you are not familiar with bounties, bounties are monetary rewards given to people that perform a series of difficult tasks, whether is the capture of a dangerous individual, providing valuable information of a criminal, or helping the government find a hacker. Security bounties have grown in popularity, especially with the rise of our digital economy.
Crypto bounties became widely popular during the ICO craze in 2017. They serve as a reward mechanism for people that participate in Blockchain projects and help them grow through marketing, developing, and hacking efforts. Bounties gained massive popularity because it was an easy way to recruit crypto talent and pay them in tokens. For many new crypto projects, it was a lot easier to pay salaries in their native token, which they had in abundance, instead of fiat or reputable crypto tokens. While not all crypto bounties are paid in governance tokens, bounties still exist in the gray area of doing business, considering the way they promote their platform and reward participants with unknown tokens. Today, bounties have evolved to more than just marketing, and while some bounties can still be used for ICOs and other dishonest marketing tactics, bounties serve a huge role in incentivizing security in the crypto space.
Security Bug Bounties
Whether hackers choose to disclose vulnerabilities in a white or black hat manner, they are key participants in the crypto ecosystem, and they make valuable contributions to the cyber security space. Security bounties are some of the most popular forms of bounties in the crypto space. They help companies and crypto projects detect vulnerabilities before they are exploited by malicious actors. Most importantly, they create a culture of openness, transparency, and communication, which is missing in the crypto community.
Most Bounties incentivize hackers based on the level of complexity and result of the attack, giving higher reward to attacks that can result in permanent loss. Bounties offer an alternative for ethical hackers that want to grow within the cyber security ecosystem, build their portfolio, and monetize their skill.
Many crypto projects today do not have active security bounty programs, leaving them vulnerable to black hat hacking. Even when projects do have bounties in place, for some hackers it makes more sense to financially exploit crypto vulnerabilities because there are not many rewards that incentivize hackers to do the right thing. Prime example is Poly Network, who did not have a bounty program at the time of their attack, but after being hacked for over 600M, they desperately sought to incentivize the hacker to return funds for a $500,000 reward bounty. If Poly Network had a bounty program to begin with, hackers would have been incentivized to find vulnerabilities early on.
The Cobra Effect
According to psychologists, the Cobra Effect refers to the unintended negative consequences of an incentive that was designed to improve society or an individual well-being. Crypto bounty programs provide many benefits to developers, hackers, and crypto projects, but there are still many challenges associated with securing crypto and conducting great bounty programs, especially in a decentralized manner.
Intentional bugs for exploit: As more projects create bounty programs and reward systems for reporting anomalies, there is also the possibility of intentional bugs introduced by developers for later rug pulls. Therefore, bug bounties should not be seen as a key component of security, instead a supplement for security.
Poor user experience: In a decentralized world, instructions for bounties and detecting vulnerabilities can often be unclear. Hackers might have a challenging time communicating with crypto projects, and even if they do disclose vulnerabilities, there is no legal binding that forces projects to pay bounties to hackers. This might further incentivize hackers to hack in an unethical manner. Finding ways where crypto bounties can be clear, concise, and trustworthy will be key in creating quality bounties and building a network of ethical hackers around them.
Token dumping: Token dumping can occur when bounty recipients immediately sell their tokens for more liquid assets, causing crypto projects to plummet. Projects must find a way where there is a vesting period upon payment, or bounty recipients can get paid in more liquid assets such as Bitcoin and USDT.
At the end of the day, every platform and hacker must weigh the pros and cons of participating in a bug program. It won’t be perfect, but it does add a layer of security to reputable projects. Protocols that lack funding for bounties can still establish a vulnerability disclosure policy, that allows ethical hackers to disclose vulnerabilities and not be persecuted by legal authorities.
From an investor perspective, doing extensive research on the projects you invest in is a must. Valid Data does the research for you, providing you with insights on the security, governance flaws, smart contract vulnerabilities, and credibility of different crypto projects. Having the right data will help you stay ahead of the game by minimizing risks and maximizing opportunities.
Sign up for Valid Data today and receive FREE access to insights of thousands of crypto assets.
Valid Data’s real-time and predictive insights are used by Cryptocurrency traders and exchanges, as well as investors and hedge funds, to make better investment and trading decisions, to protect the value of their digital assets, and to capitalize on market opportunities that only Valid Network’s technology can uncover.