Crowdsourced IT security startup CrowdCurity has created a new bug bounty programme with a unique twist.
Titled Capture the Coin, the programme is inspired by the well-known capture the flag game, and aims to reward security researchers for locating private bitcoin keys hidden within the front-end of web platforms.
CrowdCurity is testing the idea on its own website to start with, and is kicking it off as a competition with bitcoin for prizes.
Jacob Hansen, CEO of CrowdCurity, told CoinDesk:
"We find it an interesting approach to basically test the security of our own platform."
For the contest, CrowdCurity created three paper wallets that store the bitcoin offline. Each is in different amounts, based on the perceived value of the possible security intrusion that the vulnerability represents.
The private keys to those wallets, however, are hidden within the website's code, awaiting discovery by those with sufficient skills.
There are three different rewards: the 1.5 BTC Nakamoto Reward, the 1 BTC Dorian Reward and the 0.5 BTC Scytale Reward. Furthermore, each has its own clues to aid the researchers, which are detailed on the company's blog.
Each reward is for a very specific vulnerability, making this a rather different bug bounty programme than normal. For example, Google's bug reward scheme has a chart it uses to calculate rewards.
CrowdCurity wants to experiment with a more competitive reward style with Capture the Coin.
Said Hansen:
"[With bitcoin] you can put a monetary value on vulnerabilities. Most companies give away prizes based on levels, but Capture the Coin offers better granularity and adjustments for rewards programs."
Through the differing bitcoin amounts, CrowdCurity has set a specific value for vulnerabilities of differing difficulty levels. For example, the first-place 1.5 BTC Nakamoto Reward should be a significantly tougher nut to crack, since only CrowdCurity should already know about that vulnerability.
Hansen believes that creating a marketplace for vulnerabilities by using private keys for bitcoin wallets could change the way that security researchers compete in bug bounty programmes:
"We have different amounts in each of these different private keys. The different amounts correspond to the criticality of the bugs that the company actually sees in the system."
And if someone finds the private key, possession of the wallet is instant. There's no waiting for someone to decide on a reward like in regular bug bounty schemes.
The block chain's ability to publicly display all transactions means that, in theory, future security systems using Capture the Coin-style cryptocurrency rewards could offer more transparency.
Hansen says the block chain is "an intrusion detection system where we can monitor bitcoin addresses and see if private keys are being used".
Most intrusion detection systems in IT security are passive in nature: they wait for a certain threshold to be violated and then issue a warning notification.
With block chain-based transaction monitoring, a more reactive system, one that can quickly mitigate an intrusion, might be possible.
Explained Hansen:
"Being able to monitor movements on [a bitcoin] account is actually a very reactive system. You can build a certain chain of reactions once you see a certain movement take place [on the block chain]."
CrowdCurity's main business strategy has been crowdsourcing IT security rewards to get results, instead of paying expensive consultants for their time, an approach it views as disruptive to the industry.
The company says this is a model many bitcoin companies are using; such companies make up around half of CrowdCurity's current customer base.
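As an added illustration of the monitoring Hansen describes (this is not CrowdCurity's code; the addresses, transactions and reward mapping are constructed placeholders), a watcher that scans a transaction feed for spends from honeypot addresses, maps each hit back to its reward tier, and emits the "chain of reactions" a defender would trigger:

```python
from dataclasses import dataclass, field
# Honeypot addresses -> reward tier; constructed placeholders, not real wallets.
HONEYPOTS = {
    "1NakamotoPlaceholderAddress": ("Nakamoto Reward", 1.5),
    "1DorianPlaceholderAddress": ("Dorian Reward", 1.0),
    "1ScytalePlaceholderAddress": ("Scytale Reward", 0.5),
}

@dataclass
class Tx:
    txid: str
    inputs: list   # addresses whose private keys signed this transaction
    outputs: list  # destination addresses

@dataclass
class Alert:
    txid: str
    address: str
    reward: str
    btc: float
    actions: list = field(default_factory=list)

def check_transaction(tx, honeypots=HONEYPOTS):
    """One Alert per honeypot address among tx's inputs: a spend proves the key leaked."""
    alerts = []
    for addr in tx.inputs:
        if addr in honeypots:
            reward, btc = honeypots[addr]
            alerts.append(Alert(tx.txid, addr, reward, btc, actions=[
                f"mark {reward} key as disclosed",
                f"retire {addr} from the front-end honeypot set",
                f"trace {btc} BTC to {', '.join(tx.outputs)}",
            ]))
    return alerts

def watch_feed(txs, honeypots=HONEYPOTS):
    """Scan a feed; each honeypot address alerts once, even if spent repeatedly."""
    seen, alerts = set(), []
    for tx in txs:
        for alert in check_transaction(tx, honeypots):
            if alert.address not in seen:
                seen.add(alert.address)
                alerts.append(alert)
    return alerts

# Constructed sample feed: an ordinary payment, then a spend from the Dorian key.
SAMPLE_FEED = [
    Tx("tx001", ["1UnrelatedAddress"], ["1MerchantAddress"]),
    Tx("tx002", ["1DorianPlaceholderAddress"], ["1ResearcherAddress"]),
]
```

In a live deployment the feed would come from a block chain node or explorer API; the detection logic is the same because every spend is public.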
No business is ever completely protected against security threats, and because thefts and security breaches are on the rise, innovative methods to help thwart intruders are necessary.
Capture the Coin is CrowdCurity's test to see how bitcoin can help harden front-end web security as part of its business.
"Hopefully in the future we will be able to provide this as a service to customers," said Hansen.
Using cryptocurrency to incentivize researchers and make security issues more transparent seems like a logical extension of CrowdCurity's crowdsourcing business model.
Private keys for bitcoin wallets embedded in websites could end up being used as "honey pots", an IT security tactic designed to entice possible thieves in order to track them down and catch them in the act.
And the tracking method for this honey pot could use the power of the block chain's public ledger, something that has not been possible before.
Said Hansen:
"Now we have programmable money. And you can do this kind of stuff in security that could not be done earlier."
"You can't do this with PayPal. You can't do this with regular money. It's very, very interesting," he added.