A bug bounty or bug bounty program is a reward for finding and reporting a bug in a particular software product.
The bounty programs attract a wide range of white hat hackers. These have different skill sets that give businesses a varied outlook into their own ecosystem and potential attack surface.
A protocol can use a bug bounty program to use a vast and growing network of bounty hunters. This way, they can identify and resolve potential bugs before they become serious or exploited. Preferably even before the smart contracts are deployed on mainnet.
The impact of the potential vulnerability determines the payout. The protocol creators predetermine the classification of the vulnerabilities and the connected bounties.
There are specialized companies that help set up bug bounty programs. The most well-known is Immunefi, an ease partner.
Until early 2021 Bug bounties were rare and possibly many white hat hackers turned black hat. It’s a moral dilemma: should I report a possible hack or exploit and get a measly few thousand $? Or should I actively abuse the found problems and gain maybe hundreds of millions of dollars in value?
Armor/ease started the AABBC with Immunefi and several of the top DeFi protocols early 2021 and kept it running for a year. This boosted the awareness of the importance of bug bounties. Not as a replacement, but as a very worthy addition to just an audit.
« Back to Glossary Index