• Recent hacks have proven that some exploiters are willing to return assets in exchange for a prize, a process that some describe as a bug-bounty program with a criminal twist.
• Companies often downplay bug discoveries and refuse to pay bounties, claiming that the bugs were not critical.
• Former bounty hunter Steven Walbroehl says companies sometimes offer disproportionately low rewards, which may lead to white hat or ethical hackers choosing not to take the bounty.
Recent hacks have proven that some exploiters are willing to return assets in exchange for a prize, a process that some describe as a bug-bounty program with a criminal twist. In April alone, there were at least three incidents of hackers returning exploited funds in the decentralized finance (DeFi) space. On April 4, the Euler Finance team was able to recover $176.4 million after offering the hacker 10% of the stolen funds. Similarly, lending protocol Sentiment was able to recover almost $1 million in stolen funds after negotiating with its hacker. More recently, the attacker who was able to take $8.9 million from DeFi protocol SafeMoon agreed to return 80% of the funds.
Bounties Not Worth It?
Steven Walbroehl, the co-founder of security firm Halborn, said that it’s very common for companies to refuse to pay out bug bounties and to not take reported vulnerabilities very seriously. As a former bounty hunter, Walbroehl said that some bounty programs have left him “feeling cheated” out of his time. He explained: “Putting yourself in the shoes of a researcher, if you find an exploit that can create millions of dollars in stolen funds, but the developer is only offering a $5,000 reward, it can create a disproportionate amount of incentive to not take the bounty.” Walbroehl also said that companies would often downplay the discoveries, saying that they were not critical, and sometimes even claim they had already located the bugs themselves so they wouldn’t need to pay out any bounties offered.
Incentives For White Hat Hackers
White hat or ethical hackers may be more likely to report bugs if they receive more appropriate rewards for their work and don’t feel that their efforts are being disregarded by companies. Simon Zhu, senior product director at blockchain security firm PeckShield, noted: “It is important for projects/companies/organizations running bug bounty programs or receiving vulnerability reports from researchers/white hats directly provide incentives and recognition proportionate with respect.” He added: “Acknowledge researchers’ great efforts made during their research activities and timely award them substantial rewards after verifying issues found by them.” This could encourage white hat hackers to report responsibly, without worrying about being taken advantage of by companies that want free labor rather than paying fair wages for identifying exploitable software faults and weaknesses.
Bug Bounty Programs Are Necessary
Bug bounty programs remain essential to digital asset safety, since many organizations lack the internal resources for security testing even as they face increasing cyber threats on their networks every day, with what seems like an unstoppable wave of malicious actors trying to gain access to sensitive data while remaining undetected for as long as possible, until they can cash out the profits from their attack campaigns against unsuspecting victims. Bug bounty programs exist to protect organizations from such attacks by incentivizing external experts to find potential flaws in software systems before bad actors do, thus preventing the huge financial losses these events cause.
While recent hacks could theoretically have been avoided through safe and profitable bug-bounty programs, they may be the result of offers that are not worth it from the perspective of a white hat or ethical hacker, since companies tend to downplay discoveries and refuse to pay out bounties, claiming the bugs were not critical, or falsely claiming to have already located the issue themselves in order to avoid payment. It is therefore essential that organizations provide adequate incentives and recognition to researchers who put effort into helping improve the security of their systems, so that all parties benefit in the most effective way possible and together create a safer environment for everyone in the crypto space, especially users of digital assets.