Crowdsourced IT security startup CrowdCurity has created a new bug bounty programme with a unique twist.
Titled Capture the Coin, the programme is inspired by the well-known capture the flag game, and aims to reward security researchers for locating private bitcoin keys hidden within the front-end of web platforms.
CrowdCurity is testing the idea on its own website to start with, and is kicking it off as a competition with bitcoin for prizes.
Jacob Hansen, CEO of CrowdCurity, told CoinDesk:
“We find it an interesting approach to basically test the security of our own platform.”
How it works
For the contest, CrowdCurity created three paper wallets that store the bitcoin offline. Each is in different amounts, based on the perceived value of the possible security intrusion that the vulnerability represents.
The private keys to those wallets, however, are hidden within their website’s code awaiting discovery – for those with sufficient skills.
There are three different rewards: the 1.5 BTC Nakamoto Reward, the 1 BTC Dorian Reward and the 0.5 BTC Scytale Reward. Furthermore, each has its own clues to aid the researchers, which are detailed on the company’s blog.
Each reward is for a very specific vulnerability, making this a rather different bug bounty programme than normal. For example, Google’s bug reward scheme has a chart it uses to calculate rewards.
CrowdCurity wants to experiment with a more competitive reward style with Capture the Coin.
“[With bitcoin] you can put a monetary value on vulnerabilities. Most companies give away prizes based on levels, but Capture the Coin offers better granularity and adjustments for rewards programs.”
Through the differing bitcoin amounts, CrowdCurity has set a specific value for vulnerabilities of differing difficulty levels. For example, the first-place 1.5 BTC Nakamoto Reward should be a significantly tougher nut to crack, since only CrowdCurity should already know about it.
Hansen believes that creating a marketplace for vulnerabilities by using private keys for bitcoin wallets could change the way that security researchers compete in bug bounty programmes:
“We have different amounts in each of these different private keys. The different amounts correspond to the criticality of the bugs that the company actually sees in the system.”
And if someone finds the private key, possession of the wallet is instant. There’s no waiting for someone to decide on a reward like in regular bug bounty schemes.
The block chain’s ability to publicly display all transactions means that, in theory, future security systems using Capture the Coin-style cryptocurrency rewards could offer more transparency.
Hansen says the block chain is, “an intrusion detection system where we can monitor bitcoin addresses and see if private keys are being used”.
Most intrusion detection systems in IT security are passive in nature: they wait for a certain threshold to be violated and then issue a warning notification.
With block chain-based transaction monitoring, a more reactive system might be possible, one that can act quickly to mitigate an intrusion.
“Being able to monitor movements on [a bitcoin] account is actually a very reactive system. You can build a certain chain of reactions once you see a certain movement take place [on the block chain].”
Never 100% secure
CrowdCurity’s main business strategy has been crowdsourcing IT security rewards to get results, instead of paying expensive consultants for time, which it views as a disruptive industry approach.
Crowdsourcing is a model that the company says many bitcoin companies are using, and such companies make up around half of CrowdCurity’s current customer base.
No business is ever completely protected against security threats, and because thefts and security breaches are on the rise, innovative methods to help thwart intruders are necessary.
Capture the Coin is CrowdCurity’s test to see how bitcoin can help harden front-end web security as part of its business.
“Hopefully in the future we will be able to provide this as a service to customers,” said Hansen.
Using cryptocurrency to incentivize and make security issues more transparent seems like a logical extension of CrowdCurity’s crowdsourcing business model.
Private keys for bitcoin wallets embedded in websites could end up being used as ‘honey pots’ – an IT security tactic designed to entice possible thieves in order to track them down and catch them in the act.
And the tracking method for this honey pot could use the power of the block chain’s ledger, something that has not been possible before.
“Now we have programmable money. And you can do this kind of stuff in security that could not be done earlier.”
“You can’t do this with PayPal. You can’t do this with regular money. It’s very, very interesting,” he added.
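The ledger-as-intrusion-detection idea described above (monitoring the honeytoken wallet addresses and raising a graded alert when one of their private keys is used) as an added example; this is not CrowdCurity’s code, and the addresses, transaction ids and reward mapping are constructed placeholders, not real bitcoin data:

```python
"""Monitor honeytoken wallet addresses on a public ledger and alert on spends.

Added illustration only. Addresses and transactions are constructed
placeholders; in practice the tx stream would come from a block-chain
node or API.
"""
from dataclasses import dataclass

# Watched honeytoken wallets: address -> (reward name, BTC at stake).
# Amounts mirror the three Capture the Coin tiers; addresses are made up.
WATCHED = {
    "CONSTRUCTED_ADDR_NAKAMOTO": ("Nakamoto Reward", 1.5),
    "CONSTRUCTED_ADDR_DORIAN": ("Dorian Reward", 1.0),
    "CONSTRUCTED_ADDR_SCYTALE": ("Scytale Reward", 0.5),
}


@dataclass(frozen=True)
class Alert:
    txid: str
    reward: str
    btc_at_stake: float
    severity: str
    spent_to: tuple


def severity_for(btc: float) -> str:
    """Map the value placed on a key to an alert level (higher value == the
    harder, more sensitive part of the site was compromised)."""
    if btc >= 1.5:
        return "critical"
    if btc >= 1.0:
        return "high"
    return "medium"


def scan(transactions, watched=WATCHED):
    """Return an Alert for every transaction that spends from a watched
    address. A spend is proof that the hidden private key was recovered,
    which is the signal a chain of reactions can be built on."""
    alerts = []
    for tx in transactions:
        spent_from = {vin["address"] for vin in tx["inputs"]}
        for addr in sorted(spent_from.intersection(watched)):
            reward, btc = watched[addr]
            destinations = tuple(vout["address"] for vout in tx["outputs"])
            alerts.append(Alert(tx["txid"], reward, btc, severity_for(btc), destinations))
    return alerts


# Constructed ledger slice: one unrelated transaction, one spend of the Dorian key.
SAMPLE_TXS = [
    {"txid": "tx-0001", "inputs": [{"address": "CONSTRUCTED_ADDR_OTHER"}],
     "outputs": [{"address": "CONSTRUCTED_ADDR_MERCHANT"}]},
    {"txid": "tx-0002", "inputs": [{"address": "CONSTRUCTED_ADDR_DORIAN"}],
     "outputs": [{"address": "CONSTRUCTED_ADDR_RESEARCHER"}]},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_TXS):
        print(f"[{a.severity}] {a.reward}: key used in {a.txid}, funds sent to {a.spent_to}")
```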