


Bryan Sanya Mondoh pointed me at yet another nine-figure loss in the cryptocurrency and DeFi space - trading platform BXH lost $130 million.
And an accompanying offer from the exploited exchange to the hackers offering a bonus and wiping the slate clean if they returned the funds. There's a $1 million bounty on offer.
This is seriously broken. The message that is being sent out goes against all that has been achieved in providing bug bounties and recognized systems for people who find weaknesses in software to be rewarded for their discovery.
It also highlights how pathetic bug bounties have been. Uniswap offers half a million tops, Aave a quarter, and Compound's maximum reward is 150k. Most bug bounties are a few thousand at best.
And you have to prove that the bug you've found is severe and certain to be exploited, disclose it discreetly within a short period of time, with lots of supporting documentation, and the team in question has to actually agree with you.
Which I imagine is similar to getting an insurance company to pay out a significant claim.
More on that in this episode.
By Keir Finlow-Bates