Bug Bounties: Why They’re Essential for Web3 Projects
Remember when big, in-house developer teams at major software corporations would test their software all year and then finally issue one big update? If so, you’ve outed yourself as a boomer, because those days are long over. Today, new code tends to be released quickly by big companies, startups, and decentralized organizations alike. Updates may be released many times in a single year, or even in a single week.
With rapid releases and constant iteration the norm, developers now rely on the user community to help identify bugs. A growing community of white-hat hackers tries to stay one step ahead of black-hat hackers.
Crowdsourced troubleshooting is important to help prevent theft, particularly in crypto. With nearly $4 billion in crypto stolen in 2022 alone, finding and closing security holes is a critical step.
To encourage independent coders to find programming flaws, many organizations offer bug bounties. This article explores how bug bounties work and why they’re important to the future of crypto. We’ve also got examples of some of the biggest recent bug bounty payouts. Finally, we’ll describe both the advantages and challenges of bug bounty programs.
Whether you’re a hacker looking to earn from bug bounties or a web3 developer designing a bug bounty program, we’ve got useful facts for you below.
What is a bug bounty?
A bug bounty is an offer of financial reward made to any ethical hackers who can discover flaws in a piece of software, particularly flaws that compromise the software’s security.
In other words: Find a flaw, get paid.
Amounts offered in bug bounties vary widely. Often, they’re calculated as a percentage of the assets that would have been at risk had an attacker exploited the vulnerability before it was discovered and corrected.
The reward in a bug bounty may also include some form of public recognition for being the first to find a security problem. This can be helpful to hackers looking to build a reputation for their skills.
A brief history of bug bounties
Bug bounties are not new. The phenomenon of bug bounties dates to 1995, when now-defunct internet browser Netscape offered a bounty to anyone who could find problems with the beta version of their 2.0 browser release. By 2002, middleman platforms such as iDefense’s Vulnerability Contributor Program had been created to make it easier for hackers to be rewarded for reporting bugs to companies without a formal bug bounty program. Facebook launched its whitehat program in 2011 and continues to pay a minimum $500 for bug information, with no upper limit.
How white-hat hackers collect bug bounties
The process of claiming a bug bounty has a few simple steps:
- Assess. The hacker reviews and tests software code, looking for problems.
- Document. If they discover a flaw, the hacker documents their findings.
- Report. The hacker reports their discovery to the organization offering the bounty, sharing their documentation.
- Reward. The organization verifies whether a legitimate bug has been found. If so, the bug bounty is then paid out.
That’s the basic process. However, there are several different ways bug bounties may be structured.
6 Flavors of bug bounties
It’s up to the organization offering the bounty to decide how their offer will work. There are several popular approaches, and some of these features can be combined.
- Continuous: While many bug bounty offers may have a deadline after which they expire, some organizations offer a bounty in perpetuity.
- Platform-specific: The bounty offer can be limited to flaws found within an organization’s own websites or apps, rather than including any flaws in interoperability between their solutions and other platforms or apps.
- Private: To limit the amount of admin work and keep things quieter, an organization can limit the number of people they invite to review the software and potentially claim a bug bounty. For instance, the bounty offer might be limited to a select group of white-hat hackers who’ve seen previous success.
- Public: The bug bounty offer may be publicly announced and open to anyone.
- Targeted: Rather than offering a bounty on all its solutions, a company can target key apps or websites that have higher security concerns.
- Tournament: Gamification is a proven way to get hackers excited about finding security holes. Pitting people against each other in a race against time helps attract hackers who know how to work fast and thrive on competition. A short-duration event with limited scope can also focus hackers’ attention on an organization’s specific area of concern.
As you can see, there’s a lot of flexibility in how a bug bounty is set up. Hackers looking to claim a bounty should note what sort of bounty program is on offer to assess their fit and whether it’s worth their time. An open bounty offer that thousands of hackers may be working on might not be as appealing as a private bounty program where just a few hackers have a shot at the prize.
Web3 scenarios with security challenges
There are several situations where web3 security checks are vital and bug bounties are often offered:
- Smart contracts. The code for smart contracts is stored on a blockchain and executed when its conditions are met. Smart contract audits are supposed to spot any security problems, but audits often don’t cover 100% of the code, so flaws may remain.
- Networks of nodes. Blockchains are administered through distributed nodes. The software that connects these nodes is another potential security weakness.
- Cryptography. Faulty encryption in a web3 project can allow thieves to access users’ private information or steal their assets.
- Dapps. Just as any traditional app can have security flaws, blockchain-based apps created by a decentralized community can also have code errors.
Ultimately, all the software that interacts with the blockchain needs to be secure so that users’ assets remain safe. Especially with the collaborative nature and decentralized structure of web3 projects, having outside eyes review code is a critical step in ensuring your project offers no inadvertent opportunities to attackers.
Comparing 4 popular bug bounty platforms
Today, there are many bug bounty platforms that aggregate offers that ethical hackers can work on in hopes of earning a bounty. Among the most popular are:
- Bugcrowd has been managing bug bounty programs for third parties since 2011. The platform’s average payout exceeds $3,250.
- HackerOne was founded in 2012 and has overseen $150 million in bounty payouts. It recently listed over 1,000 active bug bounty programs.
- HackenProof focuses exclusively on web3 projects since its 2017 founding. It’s paid out $7.4 million in bounties to date.
- ImmuneFi focuses on web3 and smart contract security. The 2020 startup recently listed over 300 active bounty programs.
You can see from the hundreds of bounties offered that bug bounties have become common practice. In addition to platforms such as those listed above, most major corporations in tech such as Facebook, Yahoo, Intel, Microsoft, PayPal and the like host their own bug bounty programs.
At this point, information about public bug bounty offers is easy to find.
Benefits of being a white-hat hacker
Finding software vulnerabilities in exchange for bounty payments is a great way to gain experience as a coder, build a reputation for yourself as a smart hacker, become known in the web3 community, and earn legitimate money you can spend without guilt. White-hat hacking also provides an opportunity to contribute to the web3 ecosystem and get a first look at emerging technologies. That helps keep your skills on the cutting edge.
As the stakes get higher in both web3 and traditional software, a growing cadre of white-hat hackers are claiming millions in bug bounties.
5 Multi-million dollar recent bug bounties
Thieves can make off with hundreds of millions in major attacks such as the $552 million stolen from Ronin Network in 2021. As a result, white-hat rewards for finding bugs are also increasing, giving ethical hackers a growing pathway to earning a substantial, legitimate living from their skills.
Here’s a look at some of the biggest bounties that have been offered since 2022, ranked from largest on down:
- LayerZero Labs and ImmuneFi partnered in Spring ‘23 to launch a $15 million bug bounty for the LayerZero protocol.
- Google paid $12 million in bounty in 2022 after bug hunters found a record annual number of vulnerabilities. The money was spread among many hackers, with the top individual payout of $133,000 going to Yuval Avrahami of Palo Alto Networks Unit 42. Google also paid an aggregate of nearly $5 million to hackers in 2022 for detecting thousands of Android OS bugs.
- MakerDAO offered a maximum $10 million bug bounty through ImmuneFi in Feb. 2022, for hackers who could identify any flaws in its apps and smart contracts that might enable theft. It was a record sum for ImmuneFi at the time.
- Wormhole paid a $10 million bounty to a hacker known as Satya0x in May ‘22, for discovering a security flaw in their crypto platform.
- Aurora paid a $6 million bounty in June ‘22, after ethical hacker pwning.eth discovered a vulnerability in its bridge solution that put over $200 million in users’ cryptoassets at risk.
Most often, these 7- and 8-figure payouts don’t go to a single hacker. But the size of the bounties shows that there’s real money on offer for talented bug hunters who can find flaws quickly.
Bug bounty vs. coordinated vulnerability disclosure
A coordinated vulnerability disclosure is similar to a bug bounty, except that there’s no bounty. An organization simply encourages the developer community to report any problems they encounter and provides a method for doing so, such as a website or email address where bugs can be reported.
Potential problems in bug bounty programs
While bounties can help close security holes, running a bug bounty program isn’t a guarantee that your software will end up flaw-free. The bounty offer has to be carefully defined, including the scope and reward structure. A knowledgeable coder will need to test and evaluate the submissions to see if a hacker is entitled to the bounty.
Then there’s the time and effort required to market the bounty, reaching out to the hacker community to invite ethical hackers’ participation. Finally, there’s the cost of the payout.
Inadequate documentation or communication with the hacker community can create a poor outcome. There also may be legal and compliance considerations to setting up a bounty, depending on your organization’s structure.
Then there’s the issue of who you’re dealing with. There are a lot of sketchy personalities in the anonymous hacker community, and not all participants may be playing it straight. An attacker could be alerted that your software is in a testing phase and find a security opening before an ethical hacker can locate it and collect the bounty.
Emerging trends in Web3 bug bounties
As web3 continues to evolve, expect to see more innovation in how bug bounties are set up. For example, rewards could grow to include tokens in addition to cash, driving adoption of a new token while helping to secure it.
As web3 projects enable more interaction between platforms, collaborative bug bounties funded by more than one organization may be needed to examine the security weaknesses at the points where those platforms interact. Smart-contract execution in web3 could also make it easier to run bug bounties, saving time by automatically reviewing entries and issuing rewards.
Bug bounty offers and the testing they inspire have a crucial role to play in educating web3 users and helping them develop their skills.
Bug bounties: important but not a magic bullet
While bug bounties are an important part of web3 projects’ code review, they’re not a substitute for a complete suite of security checks. They’re just one part of the process of making sure software is secure. As web3 continues to develop, bug bounties will be key to building user confidence in the ecosystem’s security.