Crowdcurity brings crowdsourced hacker testing to bitcoin

Crowdcurity wants to reward those who find security holes in bitcoin sites.

AccessTimeIconOct 16, 2013 at 10:30 a.m. UTC
Updated May 9, 2023 at 3:02 a.m. UTC

Bitcoin websites are prime targets for cyber-attacks. Now, a company called Crowdcurity wants to apply the wisdom of crowds to make them more secure. How will it work?

Protecting against attacks isn’t optional if you want to keep your web-based bitcoin app in business. Bitcoin apps can often hold hundreds in individual coins, leaving their users incurring significant financial losses if they are compromised. This is particularly true in the case of exchanges.

  • Aptos Is Not a Security: Anchorage General Counsel
    Aptos Is Not a Security: Anchorage General Counsel
  • Telegram Users Can Now Send Crypto to Each Other via Wallet Bot: Report
    Telegram Users Can Now Send Crypto to Each Other via Wallet Bot: Report
  • Bitstamp CEO on Regulatory Implications of Ethereum’s Proof-of-Stake Transition
    Bitstamp CEO on Regulatory Implications of Ethereum’s Proof-of-Stake Transition
  • Grayscale, Disclosing SEC Queries, Says Cryptos XLM, ZEC, ZEN May Be Securities
    Grayscale, Disclosing SEC Queries, Says Cryptos XLM, ZEC, ZEN May Be Securities
  • For example, margin-trading site Bitcoinica was sued for $460,000 in 2012 after being hacked twice. US-based exchange BitFloor suffered major embarrassment after 24,000 bitcoins were stolen following a hack in September 2012 – a figure that represented almost ten years of transaction fees. That’s a difficult loss to bounce back from. This isn't the first instance, the problems go back further still: Vicurex saw its wallet compromised in 2011. And these are just examples from a far larger set.

    Breaking into a web app

    Not all of these bitcoin thefts are explicitly the result of website problems. Some stem from human error, and some are, as yet, unexplained. But one thing is for sure: badly-designed code doesn’t help, and is responsible for at least some of these issues.

    How many ways can a person break into a web application? There are tens of them, but the Open Web Application Security Project (OWASP) breaks them down into ten broad categories. It updates the list each year, and 2013’s makes gruesome reading.

    At the top of the list? Injection. This happens when someone injects code that shouldn’t be there into a web application, usually through a parameter passed to a URL. It can be used to execute unintended commands, including putting dangerous malware on a web page to infect visiting machines, or dumping customer details, for example.

    Other potential attacks include exploiting poor security configuration (including configuration of hosting servers), and broken authentication, in which sessions are not properly managed, enabling attackers to hijack accounts. Another old chestnut is the cross-site scripting attack, in which bad data is sent to a browser using JavaScript, causing it to misbehave. The fact that these attacks are still possible years after they were first discovered is a discredit to the software development community.

    The problem for a lot of software developers in the bitcoin space and elsewhere is that it is difficult to spot all of the bugs. Several bitcoin sites employ ‘bug bounties’ to solve the problem, offering eagle-eyed members of the community rewards to spot and fix problems.

    , with a minimum payout of 5 BTC, and no maximum payout. At the time of writing, it had awarded bitcoins to 27 people, amounting to at least 135 BTC. Payward, which runs the Kraken margin trading site, is stingier about its bounty program, offering a minimum of a single bitcoin per bug. Another bitcoin trading site, 1Broker, also ran a program.

    Enter Crowdcurity

    Crowdcurity hopes to standardize the bug bounty concept by outsourcing the process. The online service connects companies that have software to debug with a community of around 250 software testers, which it has found via security forums.

     How Crowdcurity works
    How Crowdcurity works

    The firm isn’t solely bitcoin focused, as its process can be applied to any web-based application. Nevertheless, it’s an important market for the firm. “Bitcoin companies are already very focused on security and they know that they need to focus on it,” says Jacob Hansen, founder of Crowdcurity, who is already negotiating with at least one large bitcoin-based business. “Traditional e-businesses don’t always have the same awareness.”


    Customers can create a reward program with the site, setting rules and amounts for bug programs. The challenge is then sent to the testing community, which works on reporting vulnerabilities. The customer validates the bugs in conjunction with Crowdcurity, and payouts are awarded based on bug severity.

    More than half of the payouts have been made in bitcoins for the single customer that the firm had dealt with as of last week. “Many of these payments may be $25-$50 if the bugs are low criticality, and with bitcoins you have lower fees, and it makes payments faster,” Hansen says.

    The site’s testers can target a test site, or an operational site that is already processing live data, Hansen explains. But sites shouldn’t just rely on external testers, he argues.

    Crowdcurity is effectively a penetration testing service, in which a crowd of testers tries to hack a website. But what they don’t do is look at a site’s code. In one sense, this is a good thing, because closed source sites won’t want people ogling their intellectual property. In another sense, it leaves the analysis of the code up to the company, which then has to find the skills to do it.

    “They should do security reviews of their code internally. Then, there are a lot of automatic tools out there which can look at your code and discover common vulnerabilities.” Crowdcurity uses tools like Brakeman for its own site, which scans for vulnerability in Ruby on Rails apps. There are more for other languages – but companies have to have the skills and discipline to use them.

    As bitcoin grows up and companies get better funding, software developers will hopefully be in a better position to cover all of their security bases. And maybe we’ll see fewer disaster stories like Bitcoinica or Bitfloor.


    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.