Vulnerability reward programs, a.k.a. bug bounties, are a near-universal component of major software security programs. Today, though, such programs have three major deficiencies. They fail to provide strong technical (or other) assurances of fair payment for reported bugs, lack rigorous principles for setting bounty amounts, and can only effectively incentivize economically rational hackers to disclose bugs by offering rich bounties. As a result, rather than reporting bugs, hackers often choose to sell or weaponize them.
We offer a novel, principled approach to administering and reasoning about bug bounties that cost-effectively boosts incentives for hackers to report bugs. Our key idea is a concept that we call an exploit gap. This is a transformation of program code that prevents a serious bug from being exploited as a security-critical vulnerability. We focus on a broadly applicable realization through a variant of the classic idea of N-version programming. We call the result a hydra program.
As our main target application, we explore smart contracts, programs that execute on blockchains. Because smart contracts are often financial instruments, they offer a springboard for our rigorous framework to reason about bounty price setting. By modeling an economically rational hacker's bug-exploitation, we show how hydra contracts greatly amplify the power of bounties to financially incentivize disclosure. We also show how smart contracts can separately enforce fairness for bug bounties, guaranteeing payment for correctly reported bugs.
We present a survey of well-known exploits to-date against Ethereum smart contracts, showing that multi-language hydra programming would have abated most of them. We also report on implementation of hydra Ethereum contracts.
Bio: Ari Juels is a Professor at Cornell Tech (Jacobs Institute) in New York City, and Computer Science faculty member at Cornell University. He is a Co-Director of the Initiative for CryptoCurrencies and Contracts (IC3). He was formerly Chief Scientist of RSA (The Security Division of EMC). His recent areas of interest include blockchains, cryptocurrency, and smart contracts, as well as applied cryptography, cloud security, user authentication, and privacy. Visit www.arijuels.com for more info.