Bug Bounty

From TON Wiki (En)

Bug Bounty is a program that rewards security professionals for testing software for bugs and vulnerabilities. Bug Bounty participants, also known as «white hat hackers», receive monetary rewards for finding vulnerabilities. The amount of the payment is calculated based on how serious the bug found in the program is.

Origins

Jarrett Ridlinghafer, working at Netscape Communications Corporation, proposed creating a program to reward enthusiasts and IT specialists for identifying bugs and vulnerabilities in the company's products. The corporation supported his concept and allocated $50,000 to develop and launch the program. The program was publicly launched in 1995 and was a huge success.

In Russia, the first Bug Bounty was launched in 2012 by Yandex. The next one was in 2013 by VK. By 2020, there were many open Bug Bounty resources in Russia.

Bug Bounty Operation

Bug Bounty programs are run in one of two ways: internally or through a platform.

Internal way

In the internal method, a company that wants bugs found in its product publishes information about the start of a Bug Bounty program on its official website. Interested researchers then test the product. When they find a bug, they submit a detailed report. The company reviews the report, fixes the bug, and, after a second check confirms the fix, pays the reward to the researcher. This method is often used by large corporations.

Platform way

A company registers on a dedicated Bug Bounty platform and submits an application describing its product, goals, conditions, and the amount of remuneration for finding bugs. The announcement is then published. Researchers (Bug Hunters) register on the platform, pass verification, and start working on the task. If they find vulnerabilities, they submit a report on their work and on the bugs found, just as in the internal method. The client company receives the reports, verifies and tests them, fixes the issues, and then re-checks them. The amount of remuneration is determined by the severity of the identified bug and paid to the Bug Hunters.

Bug Bounty in TON Blockchain

There are many different Bug Bounty programs available on the TON (The Open Network) blockchain. Most of them are published on GitHub. There is also a resource that provides information directly about the grant system in the TON ecosystem.

As of December 2024, there are several active Bug Bounty programs:

  1. STON.fi Bug Bounty program. Its fund is 200,000 $TON. The site lists the rewards: for example, a medium-severity vulnerability pays 1,000 $TON, a high-severity vulnerability 2,000 $TON, and a critical vulnerability up to 20,000 $TON. More information about the STON.fi program can be found here.
  2. Getgems Bug Bounty program. It takes the form of a contest in which participants must find significant bugs and vulnerabilities using manual testing. "Significant" flaws are those that break the main functionality of the program (inability to perform actions in the application, incorrect operation, incorrect display of information). To participate, you need to share your GitHub account and TON wallet with @toncontests_bot so that the reward can be paid if you win. After all bug and vulnerability reports are cross-checked, the top 5 are selected. The winning participants receive prizes in TON of up to $500, depending on how highly the report is rated and how serious the bug is. All the details of this program are here.
  3. The HackenProof Bug Bounty program. It is designed to test the security of smart contracts and blockchain protocols. HackenProof works with most major exchanges and blockchains. A year ago, HackenProof announced a partnership with the TON Foundation. The first projects to participate in the program were @TonDiamonds, @stonfidex, and @evaaprotocol.
  4. The TON Foundation has also launched a rewards program for finding bugs in the system. The rewards range from $150 to $5000. All program terms and conditions and the necessary documentation can be found here.

Who can participate in the Bug Bounty?

Many skills are required to work in this field:

  • Knowledge of English is mandatory (to read and understand documentation and other information),
  • Programming skills (knowledge of Python, JavaScript, etc.),
  • An understanding of cybersecurity legislation,
  • Familiarity with the specialised tools used in vulnerability detection,
  • Knowledge of web development and network protocols, the ability to work with databases, etc.,
  • The ability to think logically and analyze data, which is necessary for organizing your work properly and interpreting the results obtained in the process,
  • Documentation and communication skills.

There are courses available that teach the necessary «Bug Hunter» skills, for example Awesome Ethical Hacking Resources, which contains a lot of useful information as well as links to free courses. To put your skills into practice, there are many educational resources such as the bWAPP virtual labs, HTB, TryHackMe, and DVWA, and you can also participate in Capture the Flag (CTF) competitions.

Links

  1. HackenProof
  2. Bug Bounty TON
  3. Bug Bounty in TON blockchain
  4. Ton Whales Rewards Program
  5. Bug Bounty creation information
  6. Bot for registration in the program on TON blockchain
  7. Grants & Bounties – official website, detailed information
  8. Information for learning Bug Hunter skills and links to free courses