CrowdCurity 'Capture the Coin' Contest Rewards Bug Finders With Bitcoin
The novel bug-finding scheme rewards security researchers for locating private bitcoin keys hidden within a website.
Crowdsourced IT security startup CrowdCurity has created a new bug bounty programme with a unique twist.
Titled Capture the Coin, the programme is inspired by the well-known capture the flag game, and aims to reward security researchers for locating private bitcoin keys hidden within the front-end of web platforms.
is testing the idea on its own website to start with, and is kicking it off as a competition with bitcoin for prizes.
Jacob Hanson, CEO of CrowdCurity, told CoinDesk:
How it works
For the contest, CrowdCurity created three paper wallets that store the bitcoin offline. Each is in different amounts, based on the perceived value of the possible security intrusion that the vulnerability represents.
The private keys to those wallets, however, are hidden within their website's code awaiting discovery – for those with sufficient skills.
There are three different rewards: the 1.5 BTC Nakamoto Reward, the 1BTC Dorian Reward and the 0.5 BTC Scytale reward. furthermore, each has its own clues to aid the researchers, which are detailed on the company's blog.
Each reward is for a very specific vulnerability, making this a rather different bug bounty programme than normal. For example, Google's bug reward scheme has a chart it uses to calculate rewards.
CrowdCurity wants to experiment with a more competitive reward style with Capture the Coin.
Said Hansen:
Monetizing vulnerabilities
In the differing bitcoin amounts, CrowdCurity has set a specific a value for vulnerabilities of differing hardness levels. For example, the first place 1.5 BTC Nakamoto Reward should be one that's a significantly tougher nut to crack, since only CrowdCurity should already know about it.
Hansen believes that creating a marketplace for vulnerabilities by using private keys for bitcoin wallets could change the way that security researchers compete in bug bounty programmes:
And if someone finds the private key, possession of the wallet is instant. There's no waiting for someone to decide on a reward like in regular bug bounty schemes.
Security transparency
The block chain's ability to publicly display all transactions means that, in theory, future security systems using Capture the Coin-style cryptocurrency rewards could offer more transparency.
Hansen says the block chain is, "an intrusion detection system where we can monitor bitcoin addresses and see if private keys are being used".
Most intrusion detection systems in IT security are passive in nature – designed to wait for a certain threshold to be violated, and then a warning notification is issued.
With block chain-based transaction monitoring, a more reactive system might be possible to quickly mitigate an intrusion.
Explained Hansen:
Never 100% secure
CrowdCurity's main business strategy has been crowdsourcing IT security rewards to get results, instead of paying expensive consultants for time, which it views as a disruptive industry approach.
The latter is a model that the company says many bitcoin companies are using, which make up around a half of CrowdCurity's current customer base.
No business is ever completely protected against security threats, and because thefts and security breaches are on the rise, innovative methods to help thwart intruders are necessary.
Capture the Coin is CrowdCurity's test to see how bitcoin can help harden front-end web security as part of its business.
"Hopefully in the future we will be able to provide this as a service to customers," said Hansen.
Cryptocurrency-based security
Using cryptocurrency to incentivize and make security issues more transparent seems like a logical extension of CrowdCurity's crowdsourcing business model.
Private keys for bitcoin wallets embedded in websites could end up being used as 'honey pots' – an IT security tactic designed to entice possible thieves in order to track down them and catch them in the act.
And the tracking method for this honey pot could use the power of the block chain's ledger, something that has not been possible before.
Said Hansen:
STORY CONTINUES BELOW
"You can't do this with PayPal. You can’t do this with regular money. It’s very, very interesting," he added.
Bitcoin code image via Shutterstock