Bug Bounty Programs and Crypto Bounty Campaign | Gemini
A bug bounty program pays ethical hackers to find and report vulnerabilities in a platform before malicious actors can exploit them.
Technology is an essential part of everyday life, and personal data has become a valuable commodity as companies seek to learn more about their customers. Unfortunately, that data is also a prime target for attackers. Staying one step ahead of these “black hat” hackers requires a substantial investment in cybersecurity, which is where bounty programs can help. Traditional bug bounty programs typically use a crowdsourced model to mobilize a global pool of “white hat” hackers who test for platform vulnerabilities before attackers find them. Crypto bounty programs build on this concept but use blockchain technology to widen access, automate payments, generate broader interest, and even distribute native coins and tokens.
What’s a Bug Bounty Program?
Although modern technology has become critical to our everyday lives, its rapid evolution carries risks. As personal data collection accelerates, centralized servers and data repositories have become prime targets for attackers. On what seems like a monthly basis, large corporations and government departments announce breaches of personal information.
In response to these concerns, data security has had to become increasingly central to business processes — which is where bounty programs come into play. These programs aim to leverage the talents of “white hat” hackers who work ethically to enhance platform security, as opposed to “black hat” hackers who aim to benefit from exploiting vulnerabilities.
Despite the negative connotation of the term “hacker,” many companies have come to realize the benefits of working with white hat hackers. These highly specialized individuals are a crucial resource for identifying weaknesses before they are exploited. Defending a modern attack surface is an unrelenting task, which makes bug bounty programs (BBPs), also known as hack bounty programs, more essential than ever.
Traditional Bug Bounty Programs
Although many companies run in-house bug bounty programs, crowdsourced security platforms dominate the market. These platforms give companies access to a global pool of pre-vetted security researchers, allowing them to outsource the search for application vulnerabilities. As a result, project teams can focus on development and remediation, saving time and money.
-
HackerOne offers clients a vulnerability disclosure program (VDP) and a bug bounty program. Both draw on a community of security researchers (“hackers”). Clients running a private program can choose which researchers to invite and screen them further, while a public program is open to the whole community. As an intermediary, HackerOne handles researcher vetting, skill-set validation, report triage, and ongoing program management.
-
Bugcrowd is a crowdsourced bug bounty platform that offers penetration testing, bug bounties, vulnerability disclosure, and attack surface management services. As is the case with HackerOne, Bugcrowd clients can use private or public programs on a continuous or on-demand basis without having to vet candidates themselves.
What is a Crypto Bounty Program?
In line with the ethos of decentralization, crypto bounty campaigns operate with minimal intermediary involvement. Platforms like Gitcoin and Bounty0x bring hackers and companies together in an environment where work agreements are executed using smart contracts, and payments are issued in crypto.
-
Gitcoin is built on Ethereum and prioritizes open source development. Bounties are posted and settled on the Ethereum blockchain: the funder’s reward is held in escrow by a smart contract until the worker’s submission is approved, at which point the funds (in crypto) are released automatically.
-
Bounty0x, like Gitcoin, is a platform built on the Ethereum blockchain. However, rather than focusing on open source development, Bounty0x allows companies to post bounties for marketing, software development, and other creative tasks. Unlike Gitcoin, the platform uses its native token (BNTY) to facilitate network activity. Bounty hunters stake BNTY tokens to reduce platform fees and to appeal rejected submissions, while bounty sheriffs stake BNTY tokens to validate bounty hunter submissions. The Bounty0x platform is also blockchain agnostic, supporting payouts in any token supported by the Stellar, EOSIO, Ethereum, Waves, TRON, or NEO blockchains.
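The escrow flow described above (funds locked at posting, released only on approval) is itself a piece of code, and its security properties are what a funder or hunter is actually trusting. The contract below is an added, illustrative example of such an escrow; it is not Gitcoin’s or Bounty0x’s code, and the contract name, the deadline-based refund rule, and the pull-payment withdrawal are assumptions made for this example. It shows the three things a practitioner should look for before trusting any bounty escrow: only the funder can approve or refund, state changes happen before any value transfer, and payouts are pulled by the recipient rather than pushed, so a malicious hunter contract cannot reenter or block settlement.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative single-bounty escrow (added example, not Gitcoin's or Bounty0x's code).
/// Flow: funder deposits ETH at creation -> hunter submits a hash of the work ->
/// funder approves (reward becomes claimable by the hunter) or rejects (bounty reopens).
/// After an assumed deadline, an unapproved bounty can be reclaimed by the funder.
contract BountyEscrow {
    enum State { Open, Submitted, Approved, Refunded }

    address public immutable funder;
    uint256 public immutable reward;     // wei locked at creation
    uint256 public immutable deadline;   // unix time after which an unsettled bounty is refundable
    State public state;
    address public hunter;
    bytes32 public submissionHash;       // keccak256 of the report or PR URL; content stays off-chain
    mapping(address => uint256) public claimable; // pull-payment balances

    event Submitted(address indexed hunter, bytes32 submissionHash);
    event Approved(address indexed hunter, uint256 reward);
    event Refunded(address indexed funder, uint256 reward);

    modifier onlyFunder() {
        require(msg.sender == funder, "not funder");
        _;
    }

    constructor(uint256 durationSeconds) payable {
        require(msg.value > 0, "no reward");
        funder = msg.sender;
        reward = msg.value;
        deadline = block.timestamp + durationSeconds;
        state = State.Open;
    }

    /// Hunter records a submission. Only the hash goes on-chain.
    function submit(bytes32 hash) external {
        require(state == State.Open, "not open");
        require(hash != bytes32(0), "empty submission");
        hunter = msg.sender;
        submissionHash = hash;
        state = State.Submitted;
        emit Submitted(msg.sender, hash);
    }

    /// Funder approves: the reward becomes claimable by the hunter.
    /// No ETH is sent here, so approval cannot be blocked by a reverting hunter contract.
    function approve() external onlyFunder {
        require(state == State.Submitted, "nothing to approve");
        state = State.Approved;            // effects before any interaction
        claimable[hunter] += reward;
        emit Approved(hunter, reward);
    }

    /// Funder rejects: the bounty reopens for other hunters.
    function reject() external onlyFunder {
        require(state == State.Submitted, "nothing to reject");
        hunter = address(0);
        submissionHash = bytes32(0);
        state = State.Open;
    }

    /// After the deadline, an unsettled bounty can be reclaimed by the funder.
    function refund() external onlyFunder {
        require(state == State.Open || state == State.Submitted, "already settled");
        require(block.timestamp >= deadline, "too early");
        state = State.Refunded;
        claimable[funder] += reward;
        emit Refunded(funder, reward);
    }

    /// Pull payment: zero the balance before the external call (checks-effects-interactions).
    function withdraw() external {
        uint256 amount = claimable[msg.sender];
        require(amount > 0, "nothing to withdraw");
        claimable[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Two caveats are worth noting. First, a hunter can occupy the `Submitted` slot with a junk hash and block other submissions until the funder calls `reject()`, so a real platform needs either a reputation or staking requirement for submitters, which is what Bounty0x’s staked hunters and sheriffs provide. Second, the contract leaves the approve-or-reject decision entirely to the funder; the escrow guarantees the funds exist, not that a valid submission will be paid, which is exactly the dispute-handling gap discussed under the cons below.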
Crypto Bounty Program Pros
Compared to traditional platforms that use intermediaries, crypto bounty programs can generate greater exposure, improve accessibility, and bolster crypto distribution.
-
Exposure: Crypto bug bounty programs can generate substantial interest through channels like Telegram and Twitter. Those operating in the crypto ecosystem understand the importance of building a community around their product — crypto bounty campaigns support this development.
-
Accessibility: Crypto bounty campaigns are more accessible than their traditional counterparts because there is no central authority deciding who can participate. Instead, reputation mechanisms and smart contract logic are intended to hold individuals accountable and to let companies assess work quality before payment is released. Crypto payouts are also simpler and more globally accessible, which removes barriers to entry such as a lack of local banking infrastructure or political instability.
-
Native token distribution: Crypto companies can use bug bounty programs to distribute coins or tokens globally. Conventional programs offered by HackerOne and Bugcrowd don’t offer crypto payouts to hackers.
Crypto Bounty Program Cons
Although crypto bounty programs offer many benefits, there are additional challenges associated with conducting a bug bounty program in the absence of a centralized authority.
-
Token dumping: Although crypto bug bounty programs can be an effective token distribution mechanism, there remains a risk of token dumping, where many bounty hunters immediately exchange their tokens for fiat currency or for more liquid tokens. This dynamic can put downward pressure on the platform token’s price.
-
Low-quality work: Although platforms like Gitcoin and Bounty0x have mechanisms in place to protect against low-quality work, alternative programs may not offer the same oversight. As a result, workers may receive payments before a company can assess their work quality.
-
Poor user experience: Without the appropriate infrastructure and team support, or standard Know-Your-Customer (KYC) and vetting protocols, crypto bug bounty programs can offer a sub-par user experience. For instance, bounty specifications can be unclear, and response times and payments can be slow when a submission is disputed.
The Evolution of Crypto Bounty Campaigns
Whether conventional or crypto-based, bounty programs have a track record of generating substantial value for the companies that implement them. The specialized skill set of white hat and ethical hackers has become an essential component of modern cybersecurity efforts. As of March 2020, HackerOne bounty hunters had earned $40 million USD, while the number of reports submitted by these users had increased by 63% year over year.
As of March 2021, the Gitcoin platform had distributed $13.5 million to a community of over 73,000 developers and hackers. Over the same period, Bounty0x had issued $5.3 million in crypto bounties across 1.1 million submissions. As technology continues to evolve, the collective efforts of white hat hackers will be crucial to maintaining global cybersecurity. Companies will need to find their vulnerabilities through ethical disclosure before black hat hackers find them first.