TRON cryptocurrency raises bug bounty cap to $10 million
With its own mainnet launch coming up, TRON has billions of reasons to double down on bug hunting.
On 31 May 2017, in the lead up to TRON's mainnet launch, the cryptocurrency project raised its bug bounty cap to $10 million. Assuming it has any intention of ever paying out that much, it might be one of the larger bug bounties in existence.
"We are looking for developers who specialize in global network security to help make TRON MainNet one of the most secure public blockchains in the industry and provide a stable infrastructure for future DApps to be deployed on the MainNet," said Justin Sun, founder of the TRON foundation. "We take the security of our platform very seriously."
The raised cap comes around the same time as EOS is being inundated with bug findings during its mainnet launch, even with only a $10,000 per bug program. However, most of them aren't devastating bugs. The most notable exception is probably last week's finding of a program-shattering vulnerability which would have let anyone take over all EOS nodes and run them like cyber sock-puppets.
It's not clear whether the discoverer of that issue got the standard $10,000 rate or more. That kind of issue is definitely worth a bonus.
These findings might have spurred TRON to raise its bug bounty. If a system has troubles like that, it's imperative that they're found before launch.
Do bug bounties work?
TRON and EOS aren't the only coins to run a bug bounty. Offering bounties has been a common practice among reputable coins, and an uncommon practice among disreputable coins, for a long time.
Exchanges are also getting into it. Binance, for example, offers a bug bounty and has also set aside a $10 million bounty for information leading to the arrest of less socially responsible hackers.
Coinbase has its own bug bounty, albeit typically for much smaller amounts.
"Coinbase loves bug bounties," said Philip Martin, Coinbase head of security in a blog post. "We think they fundamentally change the economics of vulnerability reporting. Instead of a researcher facing a choice between using a vulnerability themselves, selling a vulnerability to 3rd parties or giving a vulnerability away for free, bounties present a good, legal, risk-adjusted return for the time invested by a researcher. Bounties de-criminalize the actions of good-faith security researchers, while still forbidding malicious hacking. Bounties help grow the next generation of security talent. We love bounties..."
Bug bounties don't turn up as many tire-kickers as one might expect either.
In the case of Coinbase, about half of reports are not applicable, while outright spam only makes up a tiny fraction. A full third are either informative and potentially bounty-worthy or serious problems that need to be fixed ("resolved").
It's not always confined to cryptocurrency either. Coinbase bounty hunters have also turned up problems with its integration of PayPal, for example. The more complex a system is and the more things it integrates with, the more potential issues it has.
And as EOS has recently shown, it's entirely possible for numerous and devastating bugs to fly under the radar for a long time. Rich bounties simply put a lot more eyeballs on a project, and in many ways sheer attention is the essence of cybersecurity.
By offering bug hunters the theoretical possibility of a $10 million payday, TRON might be drawing a lot of attention from suitably experienced bounty hunters.
Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and NANO.