TRON cryptocurrency raises bug bounty cap to $10 million

Posted: 6 June 2018 1:25 pm

With its own mainnet launch coming up, TRON has billions of reasons to double down on bug hunting.

On 31 May 2017, in the lead up to TRON's mainnet launch, the cryptocurrency project raised its bug bounty cap to $10 million. Assuming it has any intention of ever paying out that much, it might be one of the larger bug bounties in existence.

"We are looking for developers who specialize in global network security to help make TRON MainNet one of the most secure public blockchains in the industry and provide a stable infrastructure for future DApps to be deployed on the MainNet," said Justin Sun, founder of the TRON foundation. "We take the security of our platform very seriously."

The raised cap comes around the same time as EOS is being inundated with bug findings during its mainnet launch, even with only a $10,000 per bug program. However, most of them aren't devastating bugs. The most notable exception is probably last week's finding of a program-shattering vulnerability which would have let anyone take over all EOS nodes and run them like cyber sock-puppets.

It's not clear whether the discoverer of that issue got the standard $10,000 rate or more. That kind of issue is definitely worth a bonus.

These findings might have spurred TRON to raise its bug bounty. If a system has troubles like that, it's imperative that they're found before launch.

Do bug bounties work?

TRON and EOS aren't the only coins to run a bug bounty. Offering bounties has been a common practice among reputable coins, and an uncommon practice among disreputable coins, for a long time.

Exchanges are also getting into it. Binance, for example, offers a bug bounty and has also set aside a $10 million bounty for information leading to the arrest of less socially responsible hackers.

Coinbase has its own bug bounty, albeit typically for much smaller amounts.

"Coinbase loves bug bounties," said Philip Martin, Coinbase head of security in a blog post. "We think they fundamentally change the economics of vulnerability reporting. Instead of a researcher facing a choice between using a vulnerability themselves, selling a vulnerability to 3rd parties or giving a vulnerability away for free, bounties present a good, legal, risk-adjusted return for the time invested by a researcher. Bounties de-criminalize the actions of good-faith security researchers, while still forbidding malicious hacking. Bounties help grow the next generation of security talent. We love bounties..."

Bug bounties don't turn up as many tire-kickers as one might expect either.

In the case of Coinbase, about half of reports are not applicable, while outright spam only makes up a tiny fraction. A full third are either informative and potentially bounty-worthy or serious problems that need to be fixed ("resolved").

It's not always confined to cryptocurrency either. Coinbase bounty hunters have also turned up problems with its integration of PayPal, for example. The more complex a system is and the more things it integrates with, the more potential issues it has.

And as EOS has recently shown, it's entirely possible for numerous and devastating bugs to fly under the radar for a long time. Rich bounties simply put a lot more eyeballs on a project, and in many ways sheer attention is the essence of cybersecurity.

By offering a bug hunter the theoretical possibility of a $10 million payday, TRON might be drawing a lot of attention from suitably experienced bounty hunters.

Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and NANO.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.

Picture: Shutterstock