CrowdCurity 'Capture the Coin' Contest Rewards Bug Finders With Bitcoin

The novel bug-finding scheme rewards security researchers for locating private bitcoin keys hidden within a website.

Apr 3, 2014 at 12:18 p.m. UTC
Updated Sep 3, 2021 at 11:24 a.m. UTC


Crowdsourced IT security startup CrowdCurity has created a new bug bounty programme with a unique twist.

Titled Capture the Coin, the programme is inspired by the well-known capture the flag game, and aims to reward security researchers for locating private bitcoin keys hidden within the front-end of web platforms.

CrowdCurity is testing the idea on its own website to start with, and is kicking it off as a competition with bitcoin for prizes.

Jacob Hansen, CEO of CrowdCurity, told CoinDesk:

"We find it an interesting approach to basically test the security of our own platform."

How it works

For the contest, CrowdCurity created three paper wallets that store the bitcoin offline. Each holds a different amount, based on the perceived value of the security intrusion that the corresponding vulnerability would allow.

The private keys to those wallets, however, are hidden within the website's code, awaiting discovery by those with sufficient skills.

There are three different rewards: the 1.5 BTC Nakamoto Reward, the 1 BTC Dorian Reward and the 0.5 BTC Scytale Reward. Furthermore, each has its own clues to aid the researchers, which are detailed on the company's blog.

Each reward is tied to a very specific vulnerability, making this a rather different bug bounty programme from the norm. For example, Google's bug reward scheme uses a chart to calculate rewards.

CrowdCurity wants to experiment with a more competitive reward style with Capture the Coin.

Said Hansen:

"[With bitcoin] you can put a monetary value on vulnerabilities. Most companies give away prizes based on levels, but Capture the Coin offers better granularity and adjustments for rewards programs."

Monetizing vulnerabilities

Through the differing bitcoin amounts, CrowdCurity has set a specific value on vulnerabilities of differing difficulty levels. For example, the first-place 1.5 BTC Nakamoto Reward should be a significantly tougher nut to crack, since only CrowdCurity should already know about that vulnerability.

Hansen believes that creating a marketplace for vulnerabilities by using private keys for bitcoin wallets could change the way that security researchers compete in bug bounty programmes:

"We have different amounts in each of these different private keys. The different amounts correspond to the criticality of the bugs that the company actually sees in the system."

And if someone finds the private key, possession of the wallet is instant. There is no waiting for someone to decide on a reward, as in regular bug bounty schemes.

Security transparency

The block chain's ability to publicly display all transactions means that, in theory, future security systems using Capture the Coin-style cryptocurrency rewards could offer more transparency.

Hansen says the block chain is "an intrusion detection system where we can monitor bitcoin addresses and see if private keys are being used".

Most intrusion detection systems in IT security are passive in nature – designed to wait for a certain threshold to be violated and then issue a warning notification.

With block chain-based transaction monitoring, a more reactive system might be possible, one that quickly mitigates an intrusion.

Explained Hansen:

"Being able to monitor movements on [a bitcoin] account is actually a very reactive system. You can build a certain chain of reactions once you see a certain movement take place [on the block chain]."
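How a defender might turn the block chain into the alerting system Hansen describes, as an added example that is not CrowdCurity's code: it watches planted canary addresses and raises an alert the moment one of them is spent from, ignoring deposits. The addresses and transactions are constructed placeholders; only the reward labels and BTC amounts come from the article.

```python
"""Canary-key monitor: an outgoing spend from a planted bitcoin address means
the hidden private key has been found, so treat it as an intrusion alert.
Illustrative code, not CrowdCurity's; addresses and transactions are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Canary:
    label: str                      # which planted key this address belongs to
    btc: float                      # amount staked on it, i.e. how critical the bug is
    fired_at: Optional[int] = None  # block height of the first observed spend


# Constructed watch-list: placeholder addresses, amounts from the article.
WATCHLIST = {
    "1CanaryNakamotoPLACEHOLDER": Canary("Nakamoto Reward", 1.5),
    "1CanaryDorianPLACEHOLDER": Canary("Dorian Reward", 1.0),
    "1CanaryScytalePLACEHOLDER": Canary("Scytale Reward", 0.5),
}


def severity(btc: float) -> str:
    """Map the staked amount to an alert level, as the article ties BTC to criticality."""
    return "critical" if btc >= 1.5 else "high" if btc >= 1.0 else "medium"


def scan_block(height: int, txs: list, watchlist: dict = WATCHLIST) -> list:
    """Return one alert per (tx, watched input address) pair found in `txs`.

    Each tx is a dict: {"txid": str, "inputs": [addr, ...],
                        "outputs": [(addr, btc), ...]}.
    Funds *arriving* at a canary are not alerts; only a spend proves key use."""
    alerts = []
    for tx in txs:
        for addr in (a for a in tx["inputs"] if a in watchlist):
            canary = watchlist[addr]
            if canary.fired_at is None:
                canary.fired_at = height          # remember first use of the key
            alerts.append({
                "txid": tx["txid"], "canary": canary.label, "addr": addr,
                "severity": severity(canary.btc), "block": height,
                "first_seen": canary.fired_at,
                # where the funds went: the start of Hansen's "chain of reactions"
                "moved_to": [o for o in tx["outputs"] if o[0] != addr],
            })
    return alerts
```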

Never 100% secure

CrowdCurity's main business strategy has been crowdsourcing IT security rewards to get results, instead of paying expensive consultants for their time, an approach it views as disruptive to the industry.

The company says that many bitcoin companies are using that model, and such companies make up around half of CrowdCurity's current customer base.

No business is ever completely protected against security threats, and because thefts and security breaches are on the rise, innovative methods to help thwart intruders are necessary.


Capture the Coin is CrowdCurity's test to see how bitcoin can help harden front-end web security as part of its business.

"Hopefully in the future we will be able to provide this as a service to customers," said Hansen.

Cryptocurrency-based security

Using cryptocurrency to incentivize and make security issues more transparent seems like a logical extension of CrowdCurity's crowdsourcing business model.

Private keys for bitcoin wallets embedded in websites could end up being used as 'honey pots' – an IT security tactic designed to entice possible thieves in order to track them down and catch them in the act.

And the tracking method for this honey pot could use the power of the block chain's ledger, something that has not been possible before.

Said Hansen:

"Now we have programmable money. And you can do this kind of stuff in security that could not be done earlier."

"You can't do this with PayPal. You can't do this with regular money. It's very, very interesting," he added.

