Bug Bounty Programs: Where Have We Come From and Where Are We Now?

28 jun 2024

7 minutes

Hello all!
Chris here, a friendly neighborhood white hat from Zokyo Labs — Join me in a discussion about the current landscape of the threats against our industry!

Bug Bounty programs have been continuously on the rise but have they had any impact on our industry and the fight against black hat hacking? The first question we have to answer is why exactly do black hats do what they do and behave maliciously?


Contents


Why do blackhats do what they do?
The Evolution Of Bug Bounty Programs
The Impact Bug Bounty Programs Have Had In The Industry
What About The Impact These Programs Have Had On Black Hat Morality?
How Can Protocols Properly Leverage These Programs To Further Secure Their Security Posture?
Contingency Plans



Why do blackhats do what they do?


Well, that depends who the black hat in question is. In the crypto industry, most of the time the motivations are financially orientated where people hack for monetary gain but other black hats like those who work for nation states or syndicates might be behaving maliciously because it’s their job that they’re employed to do and similarly to us working in industry, if they don’t perform, they lose their jobs.

Then there are those who are somewhere in between who don’t hack for monetary gain or because they have to for their job, they do so simply because they are curious so they press all the buttons until something breaks. And finally, we have the small minority of those who accidentally cause havoc — a classic example where $300 million in value was evaporated in Parity:




The Evolution Of Bug Bounty Programs


In the years between the late 90s and 2005 security wasn’t as widely recognised as it is today, hacking or cracking used to be much easier as the majority of websites mainly used http instead of https which made it easy to bypass security measures in place and there was a lot flying across the internet in clear text. Even back then the epidemic of criminal hacking was in full force which prompted Netscape to launch the very first bug bounty program targeting the Beta version of its’ Netscape Navigator 2.0 browser on the 10th of October, 1995 but the mainstream industry failed to catch onto the idea of creating programs to incentivise hackers to take part legitimately.


Netscape’s Very First Bug Bounty Program: https://web.archive.org/web/19970501041756/www101.netscape.com/newsref/pr/newsrelease48.html


Eventually, other companies started to catch on to the trend such as Mozilla Firefox (2001), Pwn2Own hackathon (est. 2007), Google (2010) and Facebook (2011) and eventually HackOne and Bug Crowd in 2012 which represented the big boom in bug bounties as it was a state where security still wasn’t entirely recognised but there were numerous programs out there for hackers to hack on.

It wasn’t until 17th June, 2016 when the infamous DAO hack occurred where 3.6 Million Ether tokens were stolen due to reentrancy (recursive programming used maliciously) that the crypto industry was in the spotlight for cyber security and was seen as a real attack surface for criminal hackers. This prompted Immunefi to start its journey in 2020 with a focus on blockchain protocols with the rise of attacks on blockchain organizations.

So far, we’ve touched on bug bounty programs that discuss a model where hackers are encouraged to take part in a program to find bugs and report these vulnerabilities in exchange for monetary rewards. The first user to report the bug got paid, the other reports following regardless of severity were all closed as duplicated which saw a very high bar of entry for those who are looking to build a portfolio and break into the industry.

The blockchain industry was the first to introduce competitive security research competitions which employed a system where duplicate findings would receive some recognition incentivising newcomers to try their hand at security research through the likes of Code4rena (2021) and potentially open the door to a new career path. For Instance, Zac Obront who is now an accomplished blockchain security researcher was the Co-founder of Scribe Media, a publishing company in a previous life.

Protocols would get top notch security from a large community of hunters and hunters would accumulate experience in a pay-to-train model. Not only has these programs had an impact on the security posture of numerous companies and protocols, but it has made significant improvement to the industry by closing the skill gap for the security industry as a whole with a surge of newcomers in both web2 and web3 security.



The Impact Bug Bounty Programs Have Had In The Industry


As we can see, Hackathons and Bug Bounty do bring a lot to the industry for companies who are willing to take their security posture seriously, but what exactly? They allow for hackers to try and find vulnerabilities otherwise missed by penetration testers and security auditors in exchange for clean money and fame/recognition. With the volume of disclosed vulnerabilities and hunters trying their luck will come some very sophisticated attack vectors. The Pwn2Own hackathon is a notorious and hardened event targeting companies such as Oracle, Tesla, Microsoft and Apple with techniques that might otherwise be used by nation state hackers and often these companies are incredibly high value targets for the impact data breaches might have on ordinary people and when it comes to Tesla’s self driving capabilities, lives may even be saved by these hackathons and bug bounty programs.


Pwn2Own 2024 Day One Results:

https://www.zerodayinitiative.com/blog/2024/3/20/pwn2own-vancouver-2024-day-one-results


In the context of the crypto industry, Immunefi has saved well over $25 billion in user funds which may include the life savings of some individuals and with the landscape of competitive audits, security researchers are continuously preparing protocols for the ever changing threats they might face when deploying their code into production.



What About The Impact These Programs Have Had On Black Hat Morality?


What do these programs do to affect the operations of black hat hackers? Can their moral compasses even be recalibrated? These are all very good questions and comes back to the psychology of why black hats decide to hack for evil. For those who are employed to do a job or patriotism for their county, it’s unlikely. For example, the Russian Government is considering legal exemptions for hackers attacking western companies. Additionally, APT-38 (aka The Lazerus Group who has had a significant presence in both web2 and web3) are also unlikely to stop hacking for their own nefarious reasons. Unfortunately the world is not perfect and there will always be actors with a skewed moral compass. But that doesn’t mean there are no success stories where these bug bounty programs have left their mark…

Tommy “dawgyg” DeVoss is one of those success stories who was active as a black hat in the early 2000s and eventually ended up being celebrated as a millionaire white hat. The hacker was 19 when he was first arrested after having the front door of his house kicked in by 30 FBI agents. His main motivation was mostly boredom and that he simply loved to break into systems. When HackerOne was established, this gave him an outlet to continue what he loved doing and opened a new path away from black hat hacking.


CitySec MAYhem 2021 — Tommy DeVoss — Hunted: From Wanted Blackhat to Celebrated Whitehat:
https://www.youtube.com/watch?v=Z-PsDsnU2to



How Can Protocols Properly Leverage These Programs To Further Secure Their Security Posture?


At the absolute minimum, if you intend to deploy code onto a mainnet it’s highly recommended that you undergo an audit from a reputable security firm. For those who have a sizeable budget for security, the following order is optimal to ensure your code is (mostly) bug-free because you can never be so sure:


Pre Deployment:
  • Enlist an independent security researcher to conduct a security audit

  • Work with a reputable security firm to provide consulting and undertaking of security audits

  • When the code is ready to be deployed prepare a competitive audit


Post Deployment:
  • Ongoing bug bounty program to incentivise hackers to report bugs for clean money and recognition


Bonus Points:
  • Ongoing monitoring for anomalies in the interactivity with your protocol (eg. Mamoru by Zokyo Labs uses Artificial Intelligence technology to detect threats against your protocol).



Contingency Plans


Even after going through the endless amount of audits and engagements with security personnel, the code base is still never 100% bug free. There have been case studies where protocols which engage security personnel are still breached, so it’s important to have an incident response plan in case something goes down. In the example of Conic Finance who suffered a breach of $3.6 million due to a read-only reentrancy which affected one of their Omnipools in July 2023, handled this by vowing to make the victims whole again by relaunching the protocol in January 2024 and issued a debt token with a total supply equal to the amount lost in the hack. Protocol fees would go into the debt pool over the following six months after launch and victims who were issued debt tokens are able to claim their funds by burning debt tokens.


Conic Finance Governance Reboot Proposal:
https://gov.conic.finance/t/conic-v2-launch-proposal/133



About Zokyo


Zokyo (“augment” in Japanese) keeps pace with your in-house development team and provides blockchain security, design, and development talent to startups and enterprise organizations as needed. As a go-to web3 security, development, and investment partner working with some of the most progressive companies since 2019, we are highly experienced in tackling some of the most challenging problems with an entrepreneurial spirit.

With immediate access to in-demand skills ranging from security auditing, cryptography, white-hat hacking, mathematical specifications of network design, UI/UX design, QA, and full-stack engineering, we help legendary companies accelerate time to market and achieve their goals on time and on budget. Our clients demand and deserve best-in-class security and engineering support. As such, we at Zokyo are committed, passionate and proud to build a more secure Web3 future.

Aviso y Descargo de Responsabilidad de Derechos de Autor

Todos los derechos reservados.

Todo el material que aparece en el sitio web de Zokyo (el “Contenido”) está protegido por derechos de autor según las leyes de derechos de autor de EE. UU. y es propiedad de Zokyo o de la parte acreditada como proveedor del Contenido. No puede copiar, reproducir, distribuir, publicar, mostrar, realizar, modificar, crear trabajos derivados, transmitir o de ninguna manera explotar dicho Contenido, ni puede distribuir ninguna parte de este Contenido a través de ninguna red, incluida una red de área local, venderlo u ofrecerlo para la venta, o usar dicho Contenido para construir cualquier tipo de base de datos. No puede alterar ni quitar ningún aviso de derechos de autor u otro aviso de copias del contenido en el sitio web de Zokyo. Está expresamente prohibido copiar o almacenar cualquier Contenido sin el permiso previo por escrito de Zokyo o el titular de los derechos de autor identificado en el aviso de derechos de autor del contenido individual. Para obtener permiso para usar el Contenido en el sitio web de Zokyo, comuníquese con hello@zokyo.io

Zokyo intenta asegurarse de que el contenido sea preciso y provenga de fuentes confiables, pero no garantiza que sea libre de errores. Zokyo puede agregar, modificar o derogar cualquier política, procedimiento o regulación, y no publicar oportunamente dichos cambios en su sitio web no se interpretará como una renuncia a la aplicación. Zokyo no garantiza que las funciones en su sitio web sean ininterrumpidas, que los defectos se corrijan, o que el sitio web esté libre de virus u otros componentes dañinos. Cualquier enlace a información de terceros en el sitio web de Zokyo se proporciona como cortesía y no constituye un respaldo de esos materiales o del tercero que los proporciona.

Aviso y Descargo de Responsabilidad de Derechos de Autor

Todos los derechos reservados.

Todo el material que aparece en el sitio web de Zokyo (el “Contenido”) está protegido por derechos de autor según las leyes de derechos de autor de EE. UU. y es propiedad de Zokyo o de la parte acreditada como proveedor del Contenido. No puede copiar, reproducir, distribuir, publicar, mostrar, realizar, modificar, crear trabajos derivados, transmitir o de ninguna manera explotar dicho Contenido, ni puede distribuir ninguna parte de este Contenido a través de ninguna red, incluida una red de área local, venderlo u ofrecerlo para la venta, o usar dicho Contenido para construir cualquier tipo de base de datos. No puede alterar ni quitar ningún aviso de derechos de autor u otro aviso de copias del contenido en el sitio web de Zokyo. Está expresamente prohibido copiar o almacenar cualquier Contenido sin el permiso previo por escrito de Zokyo o el titular de los derechos de autor identificado en el aviso de derechos de autor del contenido individual. Para obtener permiso para usar el Contenido en el sitio web de Zokyo, comuníquese con hello@zokyo.io

Zokyo intenta asegurarse de que el contenido sea preciso y provenga de fuentes confiables, pero no garantiza que sea libre de errores. Zokyo puede agregar, modificar o derogar cualquier política, procedimiento o regulación, y no publicar oportunamente dichos cambios en su sitio web no se interpretará como una renuncia a la aplicación. Zokyo no garantiza que las funciones en su sitio web sean ininterrumpidas, que los defectos se corrijan, o que el sitio web esté libre de virus u otros componentes dañinos. Cualquier enlace a información de terceros en el sitio web de Zokyo se proporciona como cortesía y no constituye un respaldo de esos materiales o del tercero que los proporciona.

Aviso y Descargo de Responsabilidad de Derechos de Autor

Todos los derechos reservados.

Todo el material que aparece en el sitio web de Zokyo (el “Contenido”) está protegido por derechos de autor según las leyes de derechos de autor de EE. UU. y es propiedad de Zokyo o de la parte acreditada como proveedor del Contenido. No puede copiar, reproducir, distribuir, publicar, mostrar, realizar, modificar, crear trabajos derivados, transmitir o de ninguna manera explotar dicho Contenido, ni puede distribuir ninguna parte de este Contenido a través de ninguna red, incluida una red de área local, venderlo u ofrecerlo para la venta, o usar dicho Contenido para construir cualquier tipo de base de datos. No puede alterar ni quitar ningún aviso de derechos de autor u otro aviso de copias del contenido en el sitio web de Zokyo. Está expresamente prohibido copiar o almacenar cualquier Contenido sin el permiso previo por escrito de Zokyo o el titular de los derechos de autor identificado en el aviso de derechos de autor del contenido individual. Para obtener permiso para usar el Contenido en el sitio web de Zokyo, comuníquese con hello@zokyo.io

Zokyo intenta asegurarse de que el contenido sea preciso y provenga de fuentes confiables, pero no garantiza que sea libre de errores. Zokyo puede agregar, modificar o derogar cualquier política, procedimiento o regulación, y no publicar oportunamente dichos cambios en su sitio web no se interpretará como una renuncia a la aplicación. Zokyo no garantiza que las funciones en su sitio web sean ininterrumpidas, que los defectos se corrijan, o que el sitio web esté libre de virus u otros componentes dañinos. Cualquier enlace a información de terceros en el sitio web de Zokyo se proporciona como cortesía y no constituye un respaldo de esos materiales o del tercero que los proporciona.