Crowdsourced IT security startup CrowdCurity has created a new bug bounty programme with a unique twist.
It is testing the idea on its own website to start with, and is kicking it off as a competition with bitcoin as the prizes.
Jacob Hansen, CEO of CrowdCurity, told CoinDesk:
How it works
For the contest, CrowdCurity created three paper wallets that store the bitcoin offline. Each holds a different amount, sized to the perceived severity of the vulnerability it is tied to.
The private keys to those wallets, however, are hidden within the company's website code, awaiting discovery by those with sufficient skills.
There are three different rewards: the 1.5 BTC Nakamoto Reward, the 1 BTC Dorian Reward and the 0.5 BTC Scytale Reward. Furthermore, each has its own clues to aid the researchers, which are detailed on the company's blog.
Each reward is for a very specific vulnerability, making this a rather different bug bounty programme than normal. For example, Google's bug reward scheme has a chart it uses to calculate rewards.
CrowdCurity wants to experiment with a more competitive reward style with Capture the Coin.
With the differing bitcoin amounts, CrowdCurity has set a specific value on vulnerabilities of differing difficulty. For example, the first-place 1.5 BTC Nakamoto Reward is meant to be a significantly tougher nut to crack, since it is a flaw only CrowdCurity should know about.
Hansen believes that creating a marketplace for vulnerabilities by using private keys for bitcoin wallets could change the way that security researchers compete in bug bounty programmes:
And if someone finds the private key, possession of the funds is instant: whoever finds the key first can sweep the wallet. There's no waiting for someone to decide on a reward, as in regular bug bounty schemes.
The block chain's ability to publicly display all transactions means that, in theory, future security systems using Capture the Coin-style cryptocurrency rewards could offer more transparency.
Hansen says the block chain is, "an intrusion detection system where we can monitor bitcoin addresses and see if private keys are being used".
Most intrusion detection systems in IT security are passive in nature: they wait for a certain threshold to be violated and then issue a warning notification.
With block chain-based transaction monitoring, the spend itself is the signal, so a more reactive system that quickly mitigates an intrusion might be possible.
Never 100% secure
CrowdCurity's main business strategy has been crowdsourcing IT security by paying rewards for results, instead of paying expensive consultants for their time, which it views as a disruptive approach for the industry.
The crowdsourced model is one the company says many bitcoin companies are using; such companies make up around half of CrowdCurity's current customer base.
No business is ever completely protected against security threats, and because thefts and security breaches are on the rise, innovative methods to help thwart intruders are necessary.
Capture the Coin is CrowdCurity's test to see how bitcoin can help harden front-end web security as part of its business.
"Hopefully in the future we will be able to provide this as a service to customers," said Hansen.
Using cryptocurrency to incentivize and make security issues more transparent seems like a logical extension of CrowdCurity's crowdsourcing business model.
Private keys for bitcoin wallets embedded in websites could end up being used as 'honey pots', an IT security tactic designed to entice possible thieves in order to track them down and catch them in the act.
And the tracking method for this honey pot could use the power of the block chain's ledger, something that has not been possible before.
"You can't do this with PayPal. You can’t do this with regular money. It’s very, very interesting," he added.
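The "block chain as intrusion detection system" idea and the honey-pot use described above both come down to the same check: watch a set of bait addresses and raise an alert the moment one of them is spent from, because a spend proves the planted private key was found. The following is an added example written for this page, not CrowdCurity's or CoinDesk's code. It uses placeholder addresses (not the contest's real ones) and a constructed, simplified transaction format (txid, inputs and outputs with address and value in satoshis), not the real Bitcoin wire or RPC format; a real deployment would feed it transactions from a node or block explorer API.

```python
"""Canary (honey-pot) address spend detector: added example, not CrowdCurity code.

Any transaction that spends FROM a canary address means its private key was
used, i.e. the planted key was discovered. A canary appearing only in outputs
is just a deposit (e.g. the initial funding) and is not an alert.
"""
import json
from dataclasses import dataclass, field

# Constructed placeholder canary addresses mapped to the reward tier they
# represent. These are NOT the real contest addresses.
CANARIES = {
    "1CanaryNakamotoPlaceholderAddr": "Nakamoto Reward (1.5 BTC)",
    "1CanaryDorianPlaceholderAddr": "Dorian Reward (1 BTC)",
    "1CanaryScytalePlaceholderAddr": "Scytale Reward (0.5 BTC)",
}

# Constructed sample feed, one simplified transaction per line (JSON lines).
# Values are in satoshis (1 BTC = 100_000_000 sats).
SAMPLE_TX_LINES = """
{"txid": "tx-fund-0001", "inputs": [{"address": "1CompanyFundingPlaceholderAddr", "value": 150000000}], "outputs": [{"address": "1CanaryNakamotoPlaceholderAddr", "value": 150000000}]}
{"txid": "tx-unrelated-0002", "inputs": [{"address": "1SomeoneElsePlaceholderAddr", "value": 5000000}], "outputs": [{"address": "1AnotherPlaceholderAddr", "value": 4990000}]}
{"txid": "tx-sweep-0003", "inputs": [{"address": "1CanaryNakamotoPlaceholderAddr", "value": 150000000}], "outputs": [{"address": "1AttackerPlaceholderAddr", "value": 149990000}]}
"""


@dataclass
class SpendAlert:
    """One detected spend from a canary address."""
    txid: str
    canary: str
    label: str
    drained_sats: int
    destinations: list = field(default_factory=list)


def find_canary_spends(txs, canaries=CANARIES):
    """Return a SpendAlert for every (tx, canary) pair where the canary is an input.

    `txs` is an iterable of dicts in the simplified format described above.
    """
    alerts = []
    for tx in txs:
        # A spend is identified by the canary appearing on the INPUT side.
        spent_from = {inp["address"] for inp in tx["inputs"] if inp["address"] in canaries}
        for addr in sorted(spent_from):
            drained = sum(inp["value"] for inp in tx["inputs"] if inp["address"] == addr)
            # Where the funds went (excluding other canaries, e.g. change to a bait address).
            dests = [out["address"] for out in tx["outputs"] if out["address"] not in canaries]
            alerts.append(SpendAlert(tx["txid"], addr, canaries[addr], drained, dests))
    return alerts


def alerts_from_jsonl(text, canaries=CANARIES):
    """Parse a JSON-lines transaction feed and run the detector over it."""
    txs = (json.loads(line) for line in text.splitlines() if line.strip())
    return find_canary_spends(txs, canaries)


def format_alert(alert):
    """Human-readable alert line, as a SIEM or pager would receive it."""
    return (f"ALERT key used: {alert.label} canary {alert.canary} "
            f"drained {alert.drained_sats / 1e8:.8f} BTC in {alert.txid} "
            f"-> {', '.join(alert.destinations) or '(no external outputs)'}")


if __name__ == "__main__":
    for a in alerts_from_jsonl(SAMPLE_TX_LINES):
        print(format_alert(a))
```

In the sample feed the funding transaction and the unrelated transaction produce nothing, and only the sweep, where the Nakamoto canary is an input, raises an alert naming the destination address. Because the ledger is public, the same monitor can be run by anyone who knows the bait addresses, which is the transparency point made above; it cannot, however, tell you who holds the key, only that it has been used and where the coins went.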
CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.