How to Create a Vulnerability Disclosure Program for Crypto Business

Valentine Osnovyanenko
Marketing Owner, HackenProof
4 minute read

Why crypto business needs a vulnerability disclosure program

Crypto businesses are a constant target for malicious hackers. Attackers probe assets such as your business website or your smart contracts.

When they find a critical vulnerability, they want to turn it into a jackpot. The most rewarding way is to exploit the bug, disappear, and hide all traces.

Crypto business owners are responsible for deterring hackers from inflicting financial and reputational damage. The most common approaches are vulnerability disclosure programs and bug bounties.

What is a vulnerability disclosure program?

A vulnerability disclosure program (VDP) is a set of rules telling ethical hackers how to report the bugs they discover. It usually takes the form of a web page with information such as:

  • Issues to report (in-scope, focus)
  • Issues to ignore (out-of-scope)
  • Targets (websites, apps, smart contracts, API)
  • Submission form

VDP pages are meant to generate bug reports for the developers. However, having a prepared flow for handling goodwill bug reports is not enough on its own to incentivize hackers. Good VDP pages also include the rules of their bug bounty.

What is a bug bounty?

A bug bounty is a crowd-sourced cybersecurity program. It incentivizes hackers to come out of the shadows and get legally rewarded for their hard work. The bigger the reward per bug, the easier the decision for a hacker to report it.

How to create a VDP for a crypto business

How to list targets for a VDP

Start off with the assets you want to secure. For a crypto business, these typically are:

  • smart contract (NFT, DEX, tokens)
  • blockchain network
  • mobile apps
  • website
  • API

For example, our own bug bounty lists only one target: hackenproof.com.

How to create VDP rules

For the VDP rules, you need to state which kinds of vulnerabilities you want to fix. These are the critical bugs that could take your business down. For example:

  • Remote code execution (RCE)
  • Sensitive data exposure (IDOR)
  • Server Side Request Forgery (SSRF)

Less important bugs can be excluded from the program. For example:

  • UI and UX bugs and spelling or localization mistakes
  • Publicly accessible login panels without proof of exploitation
  • HTTP codes/pages or other HTTP non-codes/pages

You can then add any further rules, such as:

  • Only the first valid bug is eligible for a reward
  • Don’t spam forms/fields
  • Don’t access or modify other user data
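As an added example (not code from this post or from HackenProof), here is how a small triage script could apply the scope, exclusions and "first valid bug only" rule above to incoming reports. The target list, issue categories and sample reports are constructed for illustration.

```python
# Added example: scope and eligibility triage for incoming VDP reports.
# The scope, exclusions and sample reports are constructed from the lists in
# this post; they are not a real program's configuration.
from dataclasses import dataclass, field

IN_SCOPE_TARGETS = {"hackenproof.com"}                     # constructed: single target
IN_SCOPE_ISSUES = {"rce", "idor", "ssrf"}                  # critical bugs you want fixed
OUT_OF_SCOPE_ISSUES = {"ui/ux", "spelling", "login panel without exploitation"}


def host_in_scope(host: str) -> bool:
    """True if host is an in-scope target or a subdomain of one.

    Matching on a '.' boundary avoids accepting look-alikes such as
    nothackenproof.com or hackenproof.com.evil.example.
    """
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in IN_SCOPE_TARGETS)


@dataclass
class Triage:
    # Fingerprints (host, issue, location) of bugs already accepted for a reward.
    seen: set = field(default_factory=set)

    def classify(self, report: dict) -> str:
        """Return a verdict for one report, checking exclusions before scope."""
        issue = report["issue"].lower()
        if issue in OUT_OF_SCOPE_ISSUES:
            return "out-of-scope"
        if not host_in_scope(report["host"]):
            return "out-of-scope-target"
        if issue not in IN_SCOPE_ISSUES:
            return "needs-manual-review"      # not listed either way: a human decides
        fingerprint = (report["host"].lower(), issue, report["location"])
        if fingerprint in self.seen:
            return "duplicate"                # only the first valid report is eligible
        self.seen.add(fingerprint)
        return "eligible"


def run_example() -> list:
    """Triage a constructed batch of reports and return the verdicts in order."""
    reports = [  # constructed sample submissions
        {"host": "api.hackenproof.com", "issue": "SSRF", "location": "/v1/fetch"},
        {"host": "api.hackenproof.com", "issue": "ssrf", "location": "/v1/fetch"},
        {"host": "nothackenproof.com", "issue": "RCE", "location": "/"},
        {"host": "hackenproof.com", "issue": "spelling", "location": "/about"},
    ]
    triage = Triage()
    return [triage.classify(r) for r in reports]
```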

How to set up a VDP page in 7 steps using HackenProof

HackenProof is a crypto bug bounty platform. Once your bounty is published, you can copy and paste the embeddable VDP widget onto your website. Follow these steps to get your VDP:

1. Head to the business sign-up page to register your company for free and verify your email.

2. Once logged in, create a new program.

3. On the program page, fill in the details from your VDP page and set the bounty rewards.

4. Tick the VDP checkbox.

5. Click “publish” to send the bounty to the review team.

If the “publish” button is not there, save the program as a draft. Then edit the program and the button will appear.

6. Go to the program profile.

7. Click on the program’s VDP iframe to copy the embed code and send it to your developers.
