2022/9/28

Blockchain-based bug bounty framework

Lital Badash, Nachiket Tapas, Asaf Nadler, Francesco Longo, Asaf Shabtai

Proceedings of the 36th Annual ACM Symposium on Applied Computing, 239-248, 2021

Bug bounty programs are a popular solution for security researchers to disclose software vulnerabilities in exchange for compensation. They suffer, however, from two main drawbacks that limit their effectiveness: (i) they use a trusted intermediary that charges hefty commission fees and may have a conflict of interest with the software vendor, and (ii) they may mistreat security researchers by compensating them less than guaranteed, with no means to appeal against it. In this paper, we propose a permissioned Blockchain-based framework that addresses the drawbacks of existing bug bounty programs. The framework allows a confidential exchange of vulnerabilities and compensations using smart contracts. In cases of policy violation, security researchers can appeal to a trusted group of security experts called arbitrators, who can force the software vendors to compensate the security researchers fairly. A formal evaluation …