Ethical security researchers are vital for keeping the Internet safe, so companies often incentivize them with rewards if they report security issues responsibly, instead of exploiting them for malicious purposes. However, bug bounty programs are difficult to run, so many companies outsource to third parties such as HackerOne. This increases the number of people who are exposed to unpatched bugs and hacking tools, and can increase the chances that they will be stolen and used for nefarious purposes. Furthermore, security researchers have received legal threats for "hacking" a company even when following the company's bug bounty rules, resulting in a loss of trust in bug bounty programs.
Therefore, there's a need for a bug bounty system that:
- Is easy to run for companies
- Is trustworthy for researchers
- And is secure (and optionally anonymous) for both parties
What it does
We decided to apply the Ethereum blockchain's smart contracts to this problem: they automate financial transactions, which saves time for companies, and can encode a bug bounty's rules in unambiguous code that everyone can inspect, which allows researchers to be certain that they would be rewarded instead of punished for their heroic work.
Our current smart contract allows a company to specify a URL of a website and a given output that would only appear if the site is vulnerable (for example, an error message that should never be shown in normal operation, or a successful login message for a nonexistent user). Then, researchers can submit data to the contract, which will observe the site's response to this data. If the output matches the vulnerable output, then the researcher has demonstrated that the software is vulnerable, and the contract will automatically pay the bounty to the researcher in Ether.
How we built it
We used the Solidity language to develop the contract. We used the Oraclize API to provide a cryptographically secure and distributed method to submit and receive data from the software being tested. We used the Truffle framework to compile and deploy our contract, the TestRPC simulator to create a local Ethereum blockchain for testing, and finally we used Web3.js to create a web-based user interface for researchers to submit their data for the bounty program. Throughout the project, we followed rules for secure development by examining best practices for smart contracts.
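To make the flow described above concrete, here is an added example of such a contract in Solidity 0.4.x using the Oraclize "URL" datasource. It is illustrative code written for this page, not the project's own contract; the contract name, the import path, the function names and the assumption that the web UI URL-encodes the researcher's input before submitting it are all ours.

```solidity
pragma solidity ^0.4.18;

// Assumed import path for the Oraclize API (usingOraclize base contract).
import "github.com/oraclize/ethereum-api/oraclizeAPI.sol";

// Automated bug bounty (example, not the project's code): the company deposits
// the bounty together with the target URL and the response text that only
// appears when the site is vulnerable. A researcher submits input; Oraclize
// fetches the URL with that input appended and the contract pays out if the
// response body contains the vulnerable marker.
contract AutoBounty is usingOraclize {
    address public company;
    string  public targetUrl;        // e.g. "https://target.example/login?user="
    string  public vulnerableOutput; // text that must never appear in normal operation
    uint    public bounty;           // locked bounty in wei (kept separate from balance)
    bool    public paid;

    uint constant CALLBACK_GAS = 500000; // response scanning needs more than the default

    // queryId => researcher whose input is being tested
    mapping(bytes32 => address) public pendingClaims;

    event ClaimSubmitted(bytes32 indexed queryId, address indexed researcher);
    event BountyPaid(address indexed researcher, uint amount);

    // The company deploys the contract and funds the bounty in the same transaction.
    function AutoBounty(string _targetUrl, string _vulnerableOutput) public payable {
        require(msg.value > 0);
        require(bytes(_vulnerableOutput).length > 0); // an empty marker would match everything
        company = msg.sender;
        targetUrl = _targetUrl;
        vulnerableOutput = _vulnerableOutput;
        bounty = msg.value;
    }

    // Researcher submits the (already URL-encoded, assumed) input to test.
    // The caller pays the oracle fee, so probes cannot drain the bounty pool.
    function submitClaim(string input) public payable {
        require(!paid);
        uint fee = oraclize_getPrice("URL", CALLBACK_GAS);
        require(msg.value >= fee);
        bytes32 queryId = oraclize_query("URL", strConcat(targetUrl, input), CALLBACK_GAS);
        pendingClaims[queryId] = msg.sender;
        ClaimSubmitted(queryId, msg.sender);
    }

    // Oraclize delivers the HTTP response body here.
    function __callback(bytes32 myid, string result) public {
        require(msg.sender == oraclize_cbAddress()); // only the oracle may answer
        address researcher = pendingClaims[myid];
        require(researcher != address(0));           // unknown or already-answered query
        delete pendingClaims[myid];                  // one answer per query

        if (!paid && contains(result, vulnerableOutput)) {
            paid = true;             // update state before the external call
            uint amount = bounty;
            bounty = 0;
            researcher.transfer(amount);
            BountyPaid(researcher, amount);
        }
    }

    // Plain substring search over the raw bytes; Solidity has no string library.
    function contains(string haystack, string needle) internal pure returns (bool) {
        bytes memory h = bytes(haystack);
        bytes memory n = bytes(needle);
        if (n.length == 0 || n.length > h.length) return false;
        for (uint i = 0; i + n.length <= h.length; i++) {
            bool matched = true;
            for (uint j = 0; j < n.length; j++) {
                if (h[i + j] != n[j]) { matched = false; break; }
            }
            if (matched) return true;
        }
        return false;
    }
}
```

Two design points worth noting. The `__callback` check against `oraclize_cbAddress()` is what keeps anyone other than the oracle from claiming a match, and `paid` is set before `transfer` so a re-entrant callback cannot pay twice. Separately, everything a researcher submits is public on-chain the moment the transaction is broadcast, so a production version would want a commit-reveal step (submit a hash first, reveal the input later) to stop a second party from copying a pending submission and claiming the bounty first.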
In addition, we decided to test the feasibility of automated bug bounties by intentionally building a simple vulnerable application using Python, Flask, and SQLite to demonstrate that a bounty for a SQL injection vulnerability can be awarded automatically. Even here, we considered security by isolating this program on a Heroku account with no access to other resources.
Challenges we ran into
- Compute, storage, and connectivity on the Ethereum blockchain are limited, so we must use third-party services, and thus we had to learn the Oraclize API in addition to working with contracts
- Setting up a private Ethereum blockchain for local testing proved to be difficult, with jargon-filled guides that aren't targeted at blockchain newbies
- Smart Contracts are still not very mature: we had to carefully avoid edge cases in Solidity that would introduce vulnerabilities
Accomplishments that we're proud of
- Our first Blockchain-based hack
- Solving a real-world problem by applying new technology in a novel way
- Learned about the possibilities - and the limitations - of digital contracts
What we learned
- Applications of Blockchain, Solidity, and Ethereum to information security
- The odd model of computing/storage/events on the Ethereum blockchain
What's next for HackAllTheTech
- Extend the types of applications this model can work with, from simple web application bugs to other platforms
- Add additional features required by enterprises, such as JIRA integration, in a way that preserves the transparency for researchers and can be integrated with the distributed nature of Ethereum
- Add features for researchers, such as automated timed disclosures