HackerOne and Crypto.com announce biggest ever bug bounty.
getty
With 100 million users across 90 countries worldwide, Singapore-based Crypto.com is one of the world’s biggest crypto trading platforms. As you might imagine, then, trust is a central pillar supporting everything the organization does, and the foundations of that trust are built around security and privacy. This security-first philosophy is highlighted in the promise that security and privacy are built into the business by design and default. “We drive a zero trust, defense in depth security strategy across our systems and platforms,” Crypto.com states, “to continually strengthen our security posture, we invest heavily in ongoing security and privacy awareness training for all staff.” And now it’s investing heavily in hackers, to the record-breaking tune of $2 million. Here’s what you need to know.
Crypto.com Ups The Ante When Investing In Hackers To Find Security Issues Before They Can Be Exploited By Cybercriminals
Crypto.com is not new to the world of bug bounty platforms; it has had a presence on the HackerOne platform since May 2018, after all. In that time, it has paid out a total of $539,130 in bounties to hackers, with the top bounty range, according to HackerOne’s own statistics, being in the $3,759 – $40,000 bracket. That could all be set to change, and how.
That existing bug bounty program is being updated so as to increase the maximum amount payable to hackers who are successful in finding certain types of security vulnerabilities is now a truly whopping $2 million. In case you need some perspective for just how important a milestone this is, it represents the biggest bug bounty ever offered by HackerOne since it was founded in 2012.
“Security and compliance are at the foundation of everything we do at Crypto.com,” Kris Marszalek, CEO of Crypto.com, said, “as our business and the industry continue to grow, it’s critically important that we remain focused on our core principles, and this new bounty program does that by setting a new bar.” Setting a new bar is something of an understatement in my opinion, this new bounty ceiling lays down a challenge to other organizations that asks how seriously do they really take security beyond the buzzwords and marketing?
Raising The Standard For How Organizations Should Engage With And Reward Hackers
If you are not used to the business of hacking then discovering that HackerOne has a chief hacking officer might come as something of a surprise, but here we are. That position his held by Chris Evans who is also the more commonly held chief information security officer. “The top programs on our platform do not just follow our best practices,” Evans said, “but continuously raise the standard for how all organizations should engage with and reward ethical hackers.”
Crypto.com has something of a track record when it comes security assurance, what with being the first “virtual asset platform” to gain multiple security certifications across all platforms. But chief information security officer, Jason Lau, said “while we have dedicated significant efforts to achieve top-tier security certifications, maintaining security assurance requires continuous focus and improvement.”
Which is why Crypto.com has been a respectful partner with the hacking community, which it sees as an extension to its internal security team, through the HackerOne platform. “Deepening our relationship with HackerOne through this milestone,” Lau concluded, “and setting this landmark bounty underscores our commitment to enhancing safeguards and consumer protection.”
Go Get ‘Em, Hackers—How To Earn That $2 Million Crypto.com Bounty
Which just leaves the question of whether any hackers have what it takes to grab that $2 million bounty? According to the rules of engagement for this extreme bounty range, the $2 million reward is for in-scope vulnerabilities against the platform that “could result in a significant loss of funds or a data breach.” What Crypto.com doesn’t do, however, is outline precisely what criteria need to be met as, it said, these are extreme edge cases. Broadly speaking, though, hackers might expect to get the big payout, in a combination of traditional fiat funds and cryptocurrencies, for finding vulnerabilities that “could result in a quick and immediate loss of over $1 million in funds” to Crypto.com or its users, or that could dump customer information en masse. Go get ‘em, hackers.
