Bitcoin Forum

Bitcoin => Project Development => Topic started by: kiba on June 22, 2011, 01:02:32 PM



Title: Security Bounty
Post by: kiba on June 22, 2011, 01:02:32 PM
How about creating a security bounty that incentivizes white hat hackers to look for security flaws in bitcoin exchanges?


Title: Re: Security Bounty
Post by: sakkaku on June 22, 2011, 01:06:10 PM
You mean aside from the incentive to walk away with thousands of dollars worth of bitcoins?


Title: Re: Security Bounty
Post by: hoo2jalu on June 22, 2011, 01:08:23 PM
You mean aside from the incentive to walk away with thousands of dollars worth of bitcoins?

Those are blackhat incentives. You need to make the incentive large for skilled whitehats to care.

And really, looking for weakness after the fact is already a losing position. The exchanges need to build security in from the start, and actually have a process for secure development and operations that continues along with the exchange itself.

No easy "let's just make a bounty" solutions for this problem....


Title: Re: Security Bounty
Post by: sakkaku on June 22, 2011, 01:13:22 PM
You mean aside from the incentive to walk away with thousands of dollars worth of bitcoins?

Those are blackhat incentives. You need to make the incentive large for skilled whitehats to care.

So you are saying you wouldn't take the chance at walking off with tens of thousands of dollars worth of hard to trace currency?

The only difference between "white hat" and "black hat" is that one has decided the risk isn't worth the reward.


Title: Re: Security Bounty
Post by: ribuck on June 22, 2011, 01:39:17 PM
How about creating a security bounty that incentivizes white hat hackers to look for security flaws in bitcoin exchanges?

That is a bounty for exchanges to offer, not for users to offer. There needs to be an incentive for the exchanges to minimize their payouts.


Title: Re: Security Bounty
Post by: hoo2jalu on June 22, 2011, 01:43:13 PM
...
So you are saying you wouldn't take the chance at walking off with tens of thousands of dollars worth of hard to trace currency?

Correct. I don't need to steal and greed doesn't motivate me.


The only difference between "white hat" and "black hat" is that one has decided the risk isn't worth the reward.

Not true.

And if the only thing keeping you from unethical and malicious behavior is fear of punishment then you will never understand the mindset of those who don't make their decisions based on such selfish and simplistic arithmetic.


Title: Re: Security Bounty
Post by: gigitrix on June 22, 2011, 01:50:49 PM
A majority of people have a sense of morality. Whether or not the incentive would "work" in converting a hacker is unknown, but it certainly works with companies like Google. They offer $1337 for security vuln reporting, which is a pittance compared to the gain of selling exploits on the black market, but they pay out in the majority of breaches: it usually isn't found in the wild.


Title: Re: Security Bounty
Post by: hoo2jalu on June 22, 2011, 01:56:20 PM
... it certainly works with companies like Google. They offer $1337 for security vuln reporting, which is a pittance compared to the gain of selling exploits on the black market, but they pay out in the majority of breaches: it usually isn't found in the wild.

This is a good point because reputation/accolades can be a far more valuable motivator than even the largest jackpot.

That $1337 ("elite") payment from one of the biggest companies in the online business garners significant bragging rights far beyond the measly monetary value handed over.

These no-name exchanges are operating from the opposite angle - they've got no clout or history and would need to compensate by upping the pot and/or adding other incentives.

Not to mention, again, that a bounty on the end product is the wrong way to approach security. It can play a part, but effective security is a process that starts before development, continues through operations, and is continuously applied as long as the business remains a going concern.