Abstract
Bug Bounty Programs (BBPs) play an important role in providing and maintaining security in software applications. These programs allow testers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse. However, they have exhibited problems such as a lack of organizational accountability for reported bugs and nonrecognition of testers. In this paper, we discuss Bountychain, a decentralized application using Ethereum-based Smart Contracts (SCs) and the InterPlanetary File System (IPFS), a distributed file storage system. Blockchain and SCs provide a safe, secure and transparent platform for a BBP. Testers can submit bug reports and organizations can accept or reject the defect via the SCs. Transactions on the blockchain serve as a persistent and transparent record of software bugs, while IPFS serves as a long-term storage system for bug details. Thus, Bountychain ensures organization accountability and allows testers to gain irrefutable recognition.
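The submit/accept-or-reject flow described in the abstract can be sketched as a minimal Solidity contract. This is an added illustration, not the Bountychain code or its contract interface: the contract name, function names, the single-organization ownership model and the choice to store only an IPFS content identifier (CID) plus a hash of the report on-chain are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative bug-bounty registry (added example, not the Bountychain
/// contract). Assumptions: the deploying address is the organization;
/// full bug details live off-chain in IPFS and only the CID and a hash of
/// the details are recorded on-chain. All names are hypothetical.
contract BountyRegistry {
    enum Status { Submitted, Accepted, Rejected }

    struct Report {
        address tester;      // submitter, recorded for recognition
        string ipfsCid;      // IPFS CID where the full report is stored
        bytes32 detailsHash; // keccak256 of the report body, binds CID to content
        Status status;       // organization's decision, set at most once
        uint256 submittedAt; // block timestamp of the submission transaction
    }

    address public immutable organization;
    Report[] public reports;

    event ReportSubmitted(uint256 indexed id, address indexed tester, string ipfsCid);
    event ReportDecided(uint256 indexed id, Status status);

    modifier onlyOrganization() {
        require(msg.sender == organization, "not the organization");
        _;
    }

    constructor() {
        organization = msg.sender;
    }

    /// A tester records a report. The transaction is the timestamped,
    /// tamper-evident proof that this address disclosed this content.
    function submitReport(string calldata ipfsCid, bytes32 detailsHash)
        external
        returns (uint256 id)
    {
        require(bytes(ipfsCid).length > 0, "empty CID");
        id = reports.length;
        reports.push(Report({
            tester: msg.sender,
            ipfsCid: ipfsCid,
            detailsHash: detailsHash,
            status: Status.Submitted,
            submittedAt: block.timestamp
        }));
        emit ReportSubmitted(id, msg.sender, ipfsCid);
    }

    /// The organization decides exactly once. Because the decision is a public
    /// transaction that cannot be silently reversed, it provides the
    /// accountability property the abstract describes.
    function decide(uint256 id, bool accept) external onlyOrganization {
        Report storage r = reports[id];
        require(r.status == Status.Submitted, "already decided");
        r.status = accept ? Status.Accepted : Status.Rejected;
        emit ReportDecided(id, r.status);
    }

    function reportCount() external view returns (uint256) {
        return reports.length;
    }
}
```

Only the CID and a hash go on-chain, which keeps gas cost small and leaves the bug details in IPFS as the abstract describes. A practitioner should keep in mind that content pinned to public IPFS is readable by anyone who learns the CID, so report bodies that must stay confidential until a fix ships need to be encrypted before pinning; the on-chain `detailsHash` still lets the tester later prove what was disclosed and when.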
Data availability statement: The data that support the findings of this study are available from the corresponding author, [AH], upon reasonable request.
Rights and permissions
This is an open access article distributed under the CC BY-NC 4.0 license (http://creativecommons.org/licenses/by-nc/4.0/).
Hoffman, A., Austria, P., Park, C.H. et al. Bountychain: Toward Decentralizing a Bug Bounty Program with Blockchain and IPFS. Int J Netw Distrib Comput 9, 86–93 (2021). https://doi.org/10.2991/ijndc.k.210527.001