Rob Behnke
January 30th, 2023
Web3’s emphasis on open-source code, the relative immaturity of blockchain technology, and the ability to steal and launder crypto-assets without leaving a trace can all make it difficult to secure blockchain applications.
All of this presents a tough situation for Web3 projects and crypto-native organizations, increasing the pressure on cybersecurity teams to discover and fix vulnerabilities before malicious actors can exploit them and cause massive losses for users.
Fortunately, traditional cybersecurity provides many tools which companies in the emerging Web3 industry can use to secure critical assets and systems. One such example is the vulnerability disclosure program (or VDP), which we discuss in this article.
A vulnerability disclosure program is designed to streamline the process of finding and notifying organizations of vulnerabilities in software systems. Vulnerability disclosure programs target members of the cybersecurity community and provide a clear framework for security researchers and ethical hackers to assist companies in detecting and remediating software flaws.
Although VDPs are fairly new to Web3, traditional companies have long used them to proactively secure mission-critical systems. A vulnerability disclosure program lets hackers responsibly disclose bugs and gives developer teams enough room to develop a patch before the information leaks.
Why is responsible disclosure important? Full disclosure (disclosing details of a vulnerability as soon as it’s discovered) may raise awareness among users, but it also alerts cybercriminals to the possibility of exploiting the disclosed vulnerabilities. In addition, prematurely sharing such sensitive information (e.g., details of a severe bug) can damage the company’s brand and diminish the trust of users.
Community participation in protocols and ethical hacking are part of Web3, making vulnerability disclosure programs ideal for blockchain applications. And with more value pouring into Web3 applications, VDPs can be a powerful addition to any crypto-native organization’s security toolbox. But before blockchain companies can start taking advantage of VDPs, it is important to know how to craft a vulnerability disclosure policy.
A vulnerability disclosure policy outlines an organization’s approach to accepting, evaluating, and remediating vulnerabilities disclosed by third parties. Because vulnerability disclosure is a sensitive issue, a well-crafted policy is required to make vulnerability disclosure programs successful.
Typically, a vulnerability disclosure policy will include the following components discussed below. (If you need a specific example from a blockchain project to grasp these concepts, we recommend reading Flow’s responsible disclosure policy.)
The vulnerability disclosure policy starts with a brand promise statement highlighting the organization’s commitment to security and willingness to collaborate with the security community. The promise statement also states why the disclosure program exists and what objectives it is designed to achieve.
Due to fear of legal repercussions, ethical hackers may hesitate to disclose vulnerabilities to companies or opt for a full disclosure instead. Companies resolve this problem by explicitly promising not to take legal action if the researcher’s activities are done “in good faith”.
The safe harbor section sets out the circumstances under which the organization will not pursue legal action against individuals who discover vulnerabilities. This often involves setting out guidelines for the process of ethical hacking and bug hunting (more on this below). By following the guidelines listed in the policy, security researchers can avoid being sued by companies for their actions.
While companies encourage ethical hacking, they may discourage the use of certain methods for detecting vulnerabilities. Among other things, the policy guidelines state which means of obtaining information about vulnerable systems are permissible.
For example, a crypto-native company (e.g., an exchange) may prohibit using testing methods that hinder productivity or affect day-to-day operations, such as Distributed Denial of Service (DDoS) attacks. Similarly, a DeFi project’s VDP may also exclude social engineering attacks—like compromising wallets of key personnel through phishing attacks.
This section describes what assets and systems are within the scope of the vulnerability disclosure program. Certain areas may be categorized as off-limits to ethical hacking campaigns for different reasons. For example, a blockchain might accept vulnerability disclosures related to the underlying consensus or execution infrastructure but reject reports containing vulnerabilities in an application built on top of it.
The program scope also improves productivity by stating which types of vulnerabilities will not be accepted (so that hackers do not waste time hunting for certain bugs). Moreover, clearly stating which parts of the company’s infrastructure ethical hackers may target reduces the risk that researchers face legal action.
The vulnerability disclosure policy details how security researchers can notify the team of bugs. Common forms of submission include sending messages to a dedicated email address or completing a secure form online.
The process description may also include other details to guide vulnerability disclosure. For example, a project may require a description of the bug’s location, steps to reproduce the bug, the severity of the bug, and other details needed to patch the vulnerability.
The final section of a vulnerability disclosure policy typically outlines an organization’s preferences related to the evaluation and prioritization of vulnerability reports. For instance, it may include response timelines and how long security researchers should wait before disclosing a vulnerability publicly.
There are no hard and fast rules around the ideal remediation period, and such decisions will need to be taken on a case-by-case basis. Nevertheless, it is important to have clear information around communication timelines, as a lack of communication may frustrate Web3 security researchers and encourage premature full disclosure, possibly before a fix can be applied.
For crypto businesses handling enormously valuable assets, a vulnerability disclosure program provides some protection against catastrophic exploits. Ethical hackers can adopt a cybercriminal’s mindset and look for hidden bugs that could be exploited for profit. However, they also responsibly disclose the bugs they find through the appropriate communication channels, early enough to avert disaster.
Other benefits of running a vulnerability disclosure program for your Web3 company include:
Improves the organization’s security posture. A vulnerability disclosure program can provide information about commonly reported vulnerabilities (ranked by severity) and average remediation times. Such insights can form the foundation of a plan to map out the company’s attack surface and take proactive measures aimed at preempting certain types of attacks.
Provides an easy and organized approach to analyzing and remediating vulnerabilities. In the absence of a vulnerability disclosure program, it may be difficult to collaborate with security researchers to fix flaws. Lack of clarity around vulnerability disclosure policies may push ethical hackers away from responsible disclosure to public disclosure of vulnerabilities in smart contracts.
With a VDP in place, companies can receive and track bug submissions, analyze reports efficiently, and engage in transparent communication with ethical hackers and security researchers. This makes it easier to manage security incidents and improves overall safety for users.
Most companies set up and manage vulnerability disclosure programs using in-house resources and infrastructure. However, an increasingly common trend is to use a third-party platform for a managed approach to VDPs.
Your organization or project may start a VDP by setting up an email (usually security@example.com) for accepting security-related reports from independent security professionals. Another step would be to include a link to a detailed vulnerability disclosure policy document on the project’s website. Finally, a VDP form posted publicly on the project’s website shows a commitment to proactive security and fosters healthy relationships with the security research community.
Third-party platforms like Bugcrowd and HackerOne are an alternative to running your VDP in-house. Outsourcing the task of setting up a vulnerability disclosure program improves productivity and frees your security team from handling administrative tasks. Moreover, these platforms provide a centralized dashboard for accepting and triaging bug reports, tracking other details (like frequency of submissions), and communicating with ethical hackers.
Whether you’re running a vulnerability disclosure program in-house or using a SaaS tool, it is important to have a plan that defines key details such as the program’s objectives and scope.
Blockchain technology provides novel security challenges for Security Operations (SecOps) teams. Harnessing the advantages of crowdsourced ethical hacking can, however, improve the odds of safeguarding blockchain applications from costly attacks. Vulnerability disclosure programs are key to this objective and must become a security standard in the crypto industry. Halborn has participated in several vulnerability disclosures, including disclosing the MetaMask “demonic vulnerability” and Flow blockchain bug.
Need help with managing a vulnerability disclosure program or have a bug to disclose? Contact our Web3 security team at halborn@protonmail.com.