Bug bounty

From CryptoWiki

Revision as of 08:48, 23 January 2022 by 5imp5on (talk | contribs) (1 revision imported)

Basics

  • A reward given by a project's team or developers to anyone who finds bugs in their systems. Projects that do not have a bug bounty program are likely to carry more risk.
  • From Consensys Diligence (2-3-2020):

"For talented hackers, there are strong financial incentives to attack DeFi protocols. Having a bounty program in place creates a financial incentive to report vulnerabilities rather than exploit them. Reporting a vulnerability through a bounty program is also good for a hacker’s reputation, and has the added benefit of not being illegal.

Any company running a DeFi protocol, with people’s money on the line, should have a bounty program. Here are some good questions you can ask about their program and disclosure process:

  1. Is the source code of your contracts publicly available?
  2. Is it easy to find the security contact information on your website and git repos?
  3. Do you have a bounty program on your contracts?
  4. Which contracts are in scope?
  5. What is the range of bounty payments?
  6. Have you ever made a bounty payment?
  7. Have you ever denied payment on a bug report?
  8. Is it easy to find details of the bounty program on your website and git repos?

Ideally this information would all be found at “website.com/security” and make use of GitHub’s SECURITY.md feature."