Bug Bounties in Crypto — the Best Way to Ensure Platform Safety?
Crypto companies often find out the hard way that hackers know their security systems better than they do. As hacks in the crypto world can, and often do, result in hundreds of millions of dollars' worth of tokens being stolen, the fate of a company's future can ride on its security measures. In an attempt to batten down the hatches, companies offer bug bounties.
These bounties are essentially competitions in which hackers are encouraged to try to compromise software. The hackers then submit a vulnerability report to the respective company so that it can patch the bugs before someone else exploits them. As a reward, successful hackers are paid a bounty.
Most companies offer bounties on a staggered scale, with the reward corresponding to the severity of the bug. Bounties start from around $50 to $100 for low-severity fixes and are normally capped at around $10,000 for critical bugs. In a few rare cases, hackers have been awarded more.
Katie Moussouris, founder and CEO of Luta Security, who launched both Microsoft's and the Pentagon's first bug bounties, explained to Cointelegraph how bug reward schemes can be of use:
"Bug bounties are most useful and efficient as a supplement to proactive security activities focused on preventing and detecting vulnerabilities within organizations first. Once organizations have established good security practices, bug bounties can help identify security bugs that organizations missed. Bug bounties on their own aren't enough."
Most companies that develop software have bug bounties. In the crypto world, the need for such programs is just as important, regardless of company size. According to a report conducted by HackerOne, crypto companies paid out $878,000 in bug bounties in 2018. Guido Vranken, a Dutch researcher who received a $120,000 payout from EOS after discovering 12 bugs within seven days, told Cointelegraph that the stakes are high for crypto companies:
"For a global digital currency there's arguably a lot more at stake than in many other projects or websites. Theft of assets is the most tangible example, but due to the synergy between publicity and exchange rates, net losses might also result from a widely publicized vulnerability."
One of the most recent bug bounties comes from the global messaging app Telegram. Announced on its Telegram Contests channel on Sept. 24, the company is calling for developers to exploit the TON blockchain and submit a vulnerability report.
If hackers can exploit a bug in the TON blockchain to the extent that they are able to steal funds from the wallet of another user, Telegram will pay out up to $200,000, a sum that matches Augur's critical-issue bounty as one of the largest rewards in crypto history. The contest is taking place against the backdrop of the hotly anticipated launch of Telegram's native digital token, Gram, in late October.
EOS takes the top spot
Although it's tempting to think that smaller, newer companies may be the most active in providing bug bounties, Block.one, the company behind EOS, took the top spot in 2018 for bounty rewards with $534,500, paying out 60% of all bounties that year, according to the report.
According to the EOS profile on HackerOne, the company will pay a maximum of $1,000 for a low-risk report and a maximum of $10,000 for a critical report. The profile also notes that the final amount is always decided at the discretion of a reward panel, with higher rewards given for exceptional vulnerabilities.
Following the launch of the EOS bounty program in May 2018, Vranken explained how the company had tightened up its approach to security in the wake of his discoveries:
"Reported bugs were quickly analyzed and fixed in their public repository. At first the process was very ad hoc because [EOS CTO] Daniel Larimer and I were sending files back and forth on Telegram, but they've since started to run a bug bounty program on HackerOne, which I think is in the best interest of both bug finders and the EOS team."
EOS has continued to pay out rewards to hackers in 2019, handing out bug bounties for five critical vulnerabilities so far. On Jan. 10, EOS awarded a total of $40,750 to five white hat hackers through HackerOne, with another researcher receiving a further $10,000 bounty.
Coinbase is the second-biggest spender
One of the world's largest cryptocurrency exchanges, Coinbase, is the second-largest spender on bounties, allocating a total of $290,381 in 2018. The company has experienced a number of high-profile problems since a significant increase in users in mid-2017, resulting in delayed or missing funds as well as service outages.
The company gave out a further $30,000 in rewards in February 2019 for the report of a critical bug, according to Coinbase's vulnerability disclosure program. At the time, the bug earned the largest-ever reward on the platform, although the details of the bug were not made public. Coinbase operates a four-tier bounty program in which it will pay $200 for a low-risk case, $2,000 for a midlevel issue and up to $50,000 for critical bugs.
According to Coinbase's HackerOne profile, a critical-impact exploitation is a situation in which attackers "can read or change Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way."
The company also laid out its guidelines for assessing a low-impact bug: "Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of system."
With regard to fixing reported bugs, the company has a history of being slow on the uptake. After a Dutch company discovered a smart-contract glitch that allowed users to steal "as much as they want" in Ethereum (ETH), Coinbase reportedly took a month to fix it. Coinbase paid out a $10,000 reward to the company behind the discovery.
Tron comes in third
The Tron Foundation, which is behind the TRX coin, was the third-largest spender on bug bounties, totalling $78,800 for 15 reports. As of now, the company has paid a total of $85,400 in bounties, with its highest, at $10,000, going to HackerOne user nu11pe for an undisclosed report.
The company's bounty program will pay $100 for a low-risk vulnerability, $3,000 for medium risk, $6,000 for high risk and up to $10,000 for critical issues. Tron's HackerOne profile describes critical faults as "bugs which can take control of java-tron nodes by remote execution of any code," as well as those that can cause private key leakage.
In May, the company disclosed a critical vulnerability that could have brought down its blockchain. The announcement on HackerOne states that an attacker could have exhausted all available memory through a distributed denial of service, or DDoS, attack on the TRX network by deploying malicious code in a smart contract.
The company added that one individual could carry out the attack using a single machine (strictly a denial of service rather than a distributed one, although the disclosure uses the DDoS label) against all or 51% of the super representative (SR) nodes, thereby rendering the network unusable. Although the bug was reported on Jan. 14, it was only publicly announced after it had already been fixed. The researcher behind the vulnerability was awarded $1,500.
Bug bounties are not a perfect system
While bug bounty programs clearly create a healthy environment in which companies reward ethical hacks on their systems, the concept is not without its critics. Most recently, prominent crypto figure Dovey Wan criticized Telegram's decision to open up development on its smart contracts. Wan appeared to criticize the move as an example of the company failing to reinvest in its software development processes, saying:
"Sorry but a project raised over a billion, with over 500mm users can't even properly make a reasonable block explorer? I have to doubt what's the priority level of this TON network within Telegram's team and how they will use their mega treasure on crypto-related stuff."
Luta Security CEO Katie Moussouris told Cointelegraph that although bug bounties are effective for pointing out important loopholes in existing security structures, they are no replacement for having a dedicated security process in place:
"Companies can't use bug bounties as a cheap alternative for due diligence in security. Simply asking strangers to point out flaws without having the capacity to fix them is one way overusing bug bounties can quickly overwhelm organizations."
Vranken outlined his view to Cointelegraph that, based on his experience as a researcher, a crypto company running a bug bounty program is a signal that the company can be trusted:
"I'd sooner trust a cryptocurrency project that has a properly operating bounty program in place than one that doesn't. This opinion is shaped by my experience as a researcher and my awareness of the fact that even widely used software is not necessarily undergirded by serious scrutiny of its code without a proper incentive."
Vranken went on to add that it is extremely difficult to build software without bugs, no matter the level of talent or amount of money put forward:
"If nothing else, a bug bounty program establishes a formal channel for reporting bugs and signals non-hostility towards researchers by vowing to appreciate their work (through financial compensation)."
The current bug bounty system relies on hackers acting responsibly, either out of moral inclination or because of the rewards offered. While it may seem plausible that hackers could hold out for more money than advertised in the scheme or sell details of the flaw to competitors, Moussouris said that the demand for such information is not as high as many perceive:
"There are not infinite bug buyers waiting to buy up every bug — that's a common myth. However, in cryptocurrency, there are likely more buyers for bugs than in other areas. That being said, if bug hunters prioritize profits, they may very well choose to exploit rather than sell the bugs they find in cryptocurrency, for more direct profit."
Although the rewards advertised by both cryptocurrency and software companies around the world may give the impression that bug bounty hunting can offer a lucrative career, the reality is that competition is high and access is not evenly divided. Moussouris explained to Cointelegraph that those who are invited to private bug bounties often have a competitive edge:
"It is usually a lot of work that goes uncompensated, especially if the types of bugs the hunter knows how to find are relatively common classes of bugs. Only the first person to report a particular vulnerability gets paid, so bug bounty hunters who are the most successful tend to be the ones who are invited to private bug bounties with fewer competitors."
For Vranken, bug bounty hunting is a mixed bag, as the reward does not always match up to the time put into a project:
"Compared to contractual work which stipulates effort and reward in advance, bug bounties can be elating (when you come upon a trove of bugs that gets rewarded profoundly) or frustrating (spending a lot of time on something without achieving results, or receiving a lower reward than you expected)."
Source: https://cointelegraph.com/news/bug-bounties-in-crypto-the-best-way-to-ensure-platform-safety