Headline: What is a “bug bounty attempt” within cryptocurrency?
Body: I remember in fifth grade, Mr. Turner’s class, if we found an error in a ditto he passed out (remember them?) then we would be paid 2 little Tootsie Rolls. (I even once found a mistake in our textbook and wrote a letter to the publisher, mentioning the candy reward. I got a thank-you letter with 5 Tootsie Rolls.) These Tootsie Rolls could be considered a “bug bounty.” But instead of a mistake in front of 30 10-year-olds, some mistakes are potentially much more catastrophic. Today, there are hack-a-thons where tech companies pay hackers thousands of dollars to spend 2-3 days in a hot conference room, doing their utmost to break the code or website put before them. This is all in an attempt to put out only the most bulletproof code possible. This is why bug bounties are offered.
So, have there been any shenanigans in the real world related to this?
Yes. In a French court, 2 brothers admitted to stealing $8.5 Million. When tracked down, the 2 brothers explained that they were “ethical hackers” and were going to return all the funds once a 10% bounty was offered. The brothers were cleared of all criminal charges.
The U.S. government, through agencies such as the NSA, has to deal with hackers on a regular basis. So, for decades now, there has been an arms race of sorts to see who the best hacker was, a la Wile E. Coyote and the Road Runner, though with more serious ramifications. But now the DoD has realized the value of these hackers in providing advance warning of weaknesses that could become exploits for foreign powers. So, Secretary Carter authorized a cash rewards program for hackers who point out bugs before they are exploited by foreign governments. Over 24 days, 130 vulnerabilities were discovered and fixed in outward-facing websites. The Army did a very similar thing, found 100 vulnerabilities, and paid out just under $100,000. Hack the Air Force followed with similar success. Following these successes, an open-ended program was opened in which no rewards were paid, but probing the government websites was permitted.
“It’s one thing for a company to come forward and work with their general counsel to do a bug bounty,” Rice says. “It’s a completely different thing entirely for the organization that really initiated the Computer Fraud and Abuse Act and that early hostility toward security researchers to openly start engaging and working with them. The weight that the DoD brings when they pair with the DoJ to say ‘hackers can do good,’ that just doesn’t exist anywhere else.” Google seems to have instituted a similar program, and some programmers have earned up to $30,000 in bounty revenues.
So, yes, they can be effective; but can they also be efficient?
Yes, they can also be efficient. It is true that Google has paid over $5,000,000 in bug bounties, but contrast this with the cost of hiring, training and overseeing that many new employees, and the bug bounty program is efficient indeed. Moreover, the company can write its own terms for what counts as a “successful report” eligible for the award.
The Verdict
This is a tough one, so let’s think it through. On one hand, the value of this type of “red-teaming” exercise has been noted for many years. Banks regularly hold hack-a-thons. Hundreds of geeks armed with laptops and 2-liter bottles of Mountain Dew descend upon a Las Vegas ballroom with the assignment to defend their own tokens within a network. At the same time, they have to actively look for the tokens of other teams, hidden throughout the whole network. Dozens of potential bugs have been found in this way, and it is highly effective.
But herein lies the rub: the men and women most likely capable of an exploit this ambitious are likely the same ones gathered in this ballroom. Even though it is a game, they are continuously learning, bit by bit, what the defense looks like. What blind spots does it have? All kinds of small details that would be vital when planning an attack. This learning would make these programmers even more attractive to the bad actors who might pay them or force them to act. In the end, I can’t imagine that anybody can prove we aren’t stealing from Petrov to pay Sergey.
Editor’s Note: Please note that the information contained herein is meant only for general education: This should not be construed as Tax Advice. Personal attributes could make a material difference in the advice given, so, before taking action, please consult your tax advisor or CPA.