This article was published on August 8, 2018

With $417K, EOS accounts for two-thirds of all cryptocurrency bug bounties in 2018

Blockchain startups are making it rain on security researchers


With $417K, EOS accounts for two-thirds of all cryptocurrency bug bounties in 2018

As interest, adoption, and venture funding in blockchain tech continue to rise, so do attacks from hackers. In an effort to counteract potential threats, a growing list of startups in the cryptocurrency space have opted to launch programs to invite hackers to disclose vulnerabilities responsibly – instead of exploiting them for personal gains. And data suggests the strategy is working.

The total number of blockchain companies with active vulnerability disclosure programs has almost doubled since last year, according to HackerOne stats shared exclusively with Hard Fork. The stats also suggests the overall number of vulnerability submissions for blockchain companies is also on track to double in 2018.

HackerOne refrained from sharing the exact number for this year, but there are more than 3,000 blockchain-related vulnerability submissions on its platform in total.

Additionally, the data shows that compared to last year, the total sum of bounties handed out by blockchain firms has jumped more than 500 percent, from $90,000 in 2017 to almost $600,000 in 2018 – and we still have a few months to go. You can thank Block.one and the nigthmarish launch of the EOS blockchain for that.

As far as blockchain companies go, EOS leads the all-time charts, with more than $417,000 awarded since the launch of its bug bounty program in May. Indeed, $120,000 of the prize money was claimed by one single (white-hat) hacker.

Exchange desk giant Coinbase surfaces as the all-time runner-up, having shelled out over $281,000 in bug bounties. The main difference here is that unlike EOS which got on HackerOne a few months ago, Coinbase has been disclosing flaws on HackerOne since March 2014.

Interestingly, the third and fourth biggest companies based on bug bounty rewards are Blokchain and Augur. However, with $13,950 and $9,700 handed out in disclosure rewards, both are significantly trailing behind EOS and Coinbase.

In fact, the sheer volume of bounties given out by EOS seems to have increased the average bounty prize from $300 last year to $2,100 in 2018. Singling out EOS-issuer Block.one and its hefty rewards, HackerOne chalks up the spike in bounty prizes to the willingness of companies to launch programs with more competitive rewards.

While it is a somewhat disturbing to find such a large amount of kinks in decentralized software, the move towards launching programs to encourage responsible bug disclosures in the cryptocurrency space is a desired trend – even more so because lost funds on the blockchain are usually impossible to recover.

While vulnerabilities are by no means limited strictly to decentralized apps, blockchain tech comes with some unique challenges. Unlike centralized solutions, most distributed ledgers are immutable. Once information is recorded, it is impossible to reverse it (hence why you see so many forced hard forks in emergency situations).

Blockchains’ immutability features can certainly play an important role in eliminating surreptitious tampering in certain cases, but when money is involved – it becomes a liability of its own. Bug bounty programs not only offer hackers an alternative avenue to outright exploiting (and cashing in on) flaws, but they also hold companies more accountable.

For cryptocurrency and more broadly blockchain technologies and companies to grow and prosper, on-going security vetting by independent hackers is a must,” HackerOne CEO Marten Mickos told Hard Fork. “With a large community of hackers looking for security vulnerabilities, there is a real chance of finding and fixing the weaknesses in time.”

Hopefully, this new-found focus on security can help the blockchain space bring down the $761 million worth of cryptocurrency that was lost to hackings and thefts in 2018.

Meanwhile, if you’re looking for a big payday: Augur’s $200,000 bug bounty for critical issues is still up for grabs. But are you up to the task?

Get the TNW newsletter

Get the most important tech news in your inbox each week.