Why do blockchain-based products need bug bounty programs in order to survive?

Blockchain technology is gaining more and more traction in the media. International banks, transportation and technology companies are exploring ways to invest in blockchain technology to improve their businesses.

Just look at the CBinsights report:

“Since June 2014, the 10 largest US banks by assets have participated in 9 rounds totaling $267M in disclosed funding to 6 blockchain companies. Between 2014 and 2017, more than 130 companies have raised $500,000 or more through ICO funding.”

BP and Shell are working on an oil trading blockchain platform, Bank of America has already filed 50 blockchain patents, UPS is actively working on adopting blockchain, and Facebook and Google are also in the race.

Naturally, as the technology evolves, cybersecurity threats pose an ever greater risk to blockchain development. According to a Reuters and EY report, ICO-funded projects are hit by 100 cyber attacks a month, which results in roughly 10% of the funds raised being stolen by black hat hackers. In this article, we will explain why bug bounty programs are an effective way to ensure the security of blockchain-based products.

Blockchain Security Issues

As the amount of information and the complexity of business processes grow, companies rely more and more on internet connectivity for daily operations. This gives hackers multiple opportunities to penetrate companies’ networks and steal valuable data, such as intellectual property, personally identifiable information, financial data, etc.

The use of blockchain, despite all of its benefits, creates a large attack surface that hackers can potentially exploit.

Why is Bug Bounty an effective method of testing blockchain-based products for vulnerabilities?

Traditional penetration testing is not going to be effective when testing blockchain products. The sheer variety of attack points and attack surfaces means that there are lots of things that can go wrong. Even deploying a large team of cybersecurity experts will not be enough.

To test blockchain-based products thoroughly, we need to take this process to another level by using Bug Bounty Programs.

In essence, bug bounty programs attract third-party cybersecurity experts with various backgrounds to test products in exchange for monetary rewards.

Bug Bounty Platforms such as HackenProof help companies prepare, run and manage Bug Bounty Programs.

But how exactly do Bug Bounty Programs compare to traditional penetration testing?

  • Skills: Bug Bounty Platforms are able to attract hundreds of security researchers with different backgrounds (mobile, web, smart contracts, blockchain) to a single bug bounty initiative. This allows blockchain products to be tested comprehensively on all layers.
  • Compensation: Bug bounty compensation is based on the number of verified bugs reported by researchers. This is a significant advantage over the pentest compensation model, where companies pay for the process only, regardless of the number of vulnerabilities reported by the cybersecurity researchers.
  • Time: Last but not least, traditional penetration tests for large projects may take up to 3 months, but even that wouldn’t do the trick, since new technologies emerge all the time. In order to mitigate this risk efficiently, testing has to be continuous. Bug Bounty Programs run for months or even years.

It’s no surprise that a significant number of blockchain-based products run regular bug bounty programs in order to convince potential users and customers that their products are safe:

  • Blockchain protocols: Ethereum, Dash
  • Smart contracts: Neverdie Smart Contract
  • Crypto exchanges: Kraken, Kuna
  • Wallets: Copay Wallet, VeChainThor Wallet

Crowdsourced security is the most efficient method of testing blockchain-based products, hence bug bounty programs will continue to be an integral part of the blockchain evolution.
