How to Create a Vulnerability Disclosure Program for Crypto Business
Why a crypto business needs a vulnerability disclosure program
Crypto businesses are a constant target for malicious hackers, who probe assets such as your business website and your smart contracts.
When they find a critical vulnerability, they want to turn it into a jackpot. The most rewarding path for them is to exploit the bug, disappear, and hide all traces.
Crypto business owners are responsible for deterring hackers from causing financial and reputational damage. The most common approaches are vulnerability disclosure programs and bug bounties.
What is a vulnerability disclosure program?
A vulnerability disclosure program (VDP) is a set of rules that tells ethical hackers how to report the bugs they discover. It is typically published as a web page with information such as:
- Issues to report (in-scope, focus)
- Issues to ignore (out-of-scope)
- Targets (websites, apps, smart contracts, API)
- Submission form
VDP pages exist to generate bug reports for the developers. However, having a prepared flow for handling goodwill bug reports is not enough on its own to incentivize hackers. Good VDP pages also include the rules of their bug bounty.
What is a bug bounty?
A bug bounty is a crowd-sourced cybersecurity program. It incentivizes hackers to come out of the shadows and be legally rewarded for their hard work. The bigger the reward per bug, the stronger the incentive for a hacker to report it.
How to create a VDP for a crypto business
How to list targets for VDP
Start off with the assets you want to secure. For a crypto business, these typically are:
- smart contract (NFT, DEX, tokens)
- blockchain network
- mobile apps
For example, our own bug bounty lists only 1 target – hackenproof.com.
How to create VDP rules
For the VDP rules, state which kinds of vulnerabilities you are looking to fix. These are the critical bugs that could take out your business. For example:
- Remote code execution (RCE)
- Sensitive data exposure (e.g. through an insecure direct object reference, IDOR)
- Server Side Request Forgery (SSRF)
Less important bugs can be excluded from the program. For example:
- UI and UX bugs and spelling or localization mistakes
- Publicly accessible login panels without proof of exploitation
- HTTP error status codes or error pages on their own
You can then add any further rules, such as:
- Only the first valid bug is eligible for a reward
- Don’t spam forms/fields
- Don’t access or modify other user data
How to set up a VDP page in 7 steps using HackenProof
HackenProof is a crypto bug bounty platform. Once you publish your bounty, you can copy and paste the embedded VDP widget onto your website. Follow these steps to get your VDP: