Difference between revisions of "Bug bounty"
(more deets) |
|||
Line 1: | Line 1: | ||
A bug bounty is a countermeasure developers can implement to drive white hat hackers to disclose exploits discreetly without actually triggering them. Generally speaking, bug bounties strictly apply to specified smart contract repositories. | A bug bounty is a countermeasure developers can implement to drive white hat hackers to disclose exploits discreetly without actually triggering them. Generally speaking, bug bounties strictly apply to specified smart contract repositories. | ||
== Size == | == Size == | ||
A significant number of chains and protocols use bug bounties. These can range from a few thousand dollars to up to ten million dollars (at time of writing). Different bug bounties are listed on websites such as immunefi.com. | A significant number of chains and protocols use bug bounties. These can range from a few thousand dollars to up to ten million dollars (at time of writing). Different bug bounties are listed on websites such [https://immunefi.com/ as immunefi.com.] By their count alone, some $135,000,000 are available for hackers to claim. | ||
== Effectiveness == | == Effectiveness == | ||
There are many cases of bug bounties successfully preventing | There are many cases of bug bounties successfully preventing exploits: | ||
[https://blog.openzeppelin.com/15-billion-rugpull-vulnerability-in-convex-finance-protocol-uncovered-and-resolved/ OpenZeppelin] disclosed a $15 billion vulnerability. | |||
== Issues == | == Issues == |
Revision as of 00:34, 20 April 2022
A bug bounty is a countermeasure developers can implement to drive white hat hackers to disclose exploits discreetly without actually triggering them. Generally speaking, bug bounties strictly apply to specified smart contract repositories.
Size
A significant number of chains and protocols use bug bounties. These can range from a few thousand dollars to up to ten million dollars (at time of writing). Different bug bounties are listed on websites such as immunefi.com. By their count alone, some $135,000,000 are available for hackers to claim.
Effectiveness
There are many cases of bug bounties successfully preventing exploits:
OpenZeppelin disclosed a $15 billion vulnerability.
Issues
Sometimes anonymous developers do not have a way to verify their anonymous counter party will not simply exploit the code when disclosing it. This is the case with OpenZeppelin's recent attempt to disclose a 10 figure vulnerability in Convex.
Providers
Immunefi lists and organises all bug bounties in a web2, centralised company way. Hats.finance provides a similar offering though it does this in a decentralised way.
(this is WIP, I'm researching)