
Pay up or Get Hacked: Ineffective Bounty Programs Cost Platforms Big
According to recent news, former bounty hunter Steven Walbroehl stated that companies often refuse to pay bounties and every so often downplay bug discoveries, claiming the bugs were not critical.
In the first few months of 2023, hacks in the crypto space were common; by one estimate, over $320 million in digital assets were lost. In the latest hacks, however, some exploiters have been willing to return assets in exchange for a price. Some describe this process as a bug bounty with a criminal twist.
Key Takeaways:
- Ineffective bounties can be costly as hackers demand payment for returning stolen assets.
- Strong bug bounty programs can prevent hacks.
- Companies may not pay bug bounties, leading ethical hackers to feel cheated.
- Companies must incentivize developers with profitable and safe programs and prioritize fixing vulnerabilities.
- Ignoring minor bugs can have major consequences and playing with user deposits is not a responsible security strategy.
Crypto News noted on Twitter that companies with ineffective bounty programs pay a higher price during hack negotiations. The author discussed the importance of an effective and strong bounty program in preventing such exploitation.
Three incidents of hackers returning stolen funds in the decentralized finance (DeFi) space were observed in April. The Euler Finance team recovered funds worth $176.4 million on 4 April, after offering the hackers ten percent of the stolen funds.
Moreover, the lending protocol Sentiments negotiated with the hackers and recovered almost millions of dollars of the stolen funds.
Recently, an attacker took $8.9 million from the DeFi protocol SafeMoon and agreed to give back 80% of the funds.
Recent hacks like these could be avoided through a profitable and safe bug bounty program. From the perspective of ethical and white-hat hackers, however, the bounties on offer may not provide any benefit.
Steven Walbroehl, co-founder of the security firm Halborn, states that it is very common for companies not to pay bug bounties. Walbroehl, himself a former bounty hunter, says he has sometimes felt cheated out of his time by bounty programs.
Furthermore, he explained that if you put yourself in a researcher's shoes and find an exploit that could yield millions of dollars in stolen funds, while the developers offer only a $5000 million reward, the disproportion between the two creates an incentive not to take the bounty.
x-news also posted on Twitter about the hack negotiations, explaining why companies with ineffective bounty programs end up paying more.
Walbroehl also highlights that companies will often downplay discoveries by saying the bugs are not critical. Furthermore, companies receiving bug reports claim that their teams had already located the bug, and so decline to pay anything at all.
Simon Zhu, senior product director at the blockchain security firm Certik, highlights that companies must create profitable and safe programs for developers.
Additionally, Zhu advises projects to change their thinking about vulnerabilities. The cybersecurity executive said that some developer teams feel they need to ignore minor bugs, which they see as necessary when the contract becomes more complex and the cost of fixing the bug is high.
666 took to Twitter to report Certik executive Simon Zhu's view that playing chicken with user deposits is not a responsible approach, since in Web3 minor vulnerabilities can become major overnight.
A minor vulnerability can become a major one overnight, according to the Certik executive. Additionally, Zhu said that playing chicken with users' deposits is not an accountable long-term approach to security.