web analytics

How Crypto and Blockchain Organizations Manage Complex Attack Surfaces With Competitive Security Testing Programs – Source:www.hackerone.com

how-crypto-and-blockchain-organizations-manage-complex-attack-surfaces-with-competitive-security-testing-programs-–-source:wwwhackerone.com
Rate this post

Source: www.hackerone.com – Author: HackerOne.

Crypto and blockchain organizations are among the most progressive, and often the first to adopt new technological developments and solutions to improve their processes. And with so much customer data and money on the line, web3 has become one of the most aggressive industries when it comes to continuous security testing.

There are three factors that differentiate crypto and blockchain organizations from other industries; their attack surfaces, their most common vulnerabilities, and the amount they spend on bug bounty rewards. 

  1. Valid vulnerabilities: The total number of valid vulnerabilities for crypto and blockchain organizations is up significantly compared to the cross-industry average, but the number of high- and critical-severity vulnerabilities is down.
  2. Most common vulnerabilities: While the most common vulnerabilities are pretty consistent for most industries, web3’s most common vulnerability—business logic errors—is one of the lowest for every other industry.
  3. Bounty spend: The bounty spend by crypto and blockchain organizations across all severity levels far exceeds the cross-industry average.

Which vulnerabilities most plague crypto and blockchain organizations? Why do these companies significantly outpay other industries in bounty rewards? How are web3 organizations engaging with security researchers to secure their assets? Let’s analyze the data.

How Many Vulnerability Reports Do Crypto and Blockchain Organizations Get?

Despite the investment in security, and industry calls for better security practices earlier in the software development life cycle (SDLC), we see steady increases in vulnerability reports year over year. While valid vulnerabilities on the HackerOne Platform jumped 12% across industries over the past year, we saw a 147% increase in crypto and blockchain.

When it comes to high- and critical-severity reports, however, crypto and blockchain are trending down: 24% of the industry’s vulnerabilities are rated high or critical, down 35% from 2023. 

The overall decrease in higher-severity reports in web3 is likely related to the increase in security researchers submitting reports to web3 programs (up 67%); crypto organizations have made a major effort to better engage the researcher community, and more researchers mean more reports for low-hanging fruit. While organizations in crypto and blockchain are making efforts to reduce vulnerability reports by identifying trends and putting measures in place to catch bugs earlier in development, we do expect vulnerability reports to keep rising as more organizations invest in security testing.

Web3’s Most Common Vulnerability: Business Logic Error

The top ten security vulnerabilities by industry

Most industries are still seeing the most common vulnerabilities, like cross-site scripting, reported again and again — not so with crypto and blockchain. One major outlier is the high rate of business logic errors compared to the cross-industry average. While business logic errors account for only 2% of reports across industries, they account for 10% of web3 reports. The average bounty spend across industries on business logic errors is only 4%, but web3 organizations spend 45% of their bounty budget on these vulnerabilities. 

Why? With crypto and blockchain organizations’ complex, experimental business models and intricate transaction mechanisms, it’s tough to secure against edge cases or unintended uses.

For example, smart contracts are incredibly complicated—they run on the blockchain, execute automatically, and are visible to everyone. Once deployed, they’re also immutable, meaning any flaws or logic errors are hard to fix. These vulnerabilities can lead to financial loss, making them prime targets for bug bounty hunters.

“People can see every interaction that takes place in a smart contract. They have a lot of complexity, which greatly increases the attack surface for business logic issues.”

Dane Sherrets
Staff Innovations Architect, Emerging Technologies, HackerOne

Top ten vulnerabilities for crypto and blockchain organizations

How Much Do Crypto and Blockchain Organizations Pay for a Bug?

Average bounty payouts for web3 organizations have increased significantly over the last year, reaching an average of nearly $70,000 in 2024. The stark difference in bounty rewards for cryptocurrency and blockchain versus all other industries is directly related to the amount of money at risk within these organizations. When hundreds of millions of dollars are on the line, you need to incentivize the best researchers in the world to secure your systems—and cryptocurrency organizations are doing so by paying out bounties 182% higher than the cross-industry average. 

“If you have $100 million at risk, you want to incentivize the best researchers in the world to help secure it. If I’m a security researcher capable of finding bugs that would let me steal $100 million, it would be dangerous to only offer $5,000 to report that vulnerability.”

Dane Sherrets
Staff Innovations Architect, Emerging Technologies, HackerOne

Bounties are typically even more competitive in the high- and critical-severity vulnerability category. The average bounty for high and critical vulnerabilities in crypto and blockchain organizations is $133,700, 190% higher than the average across industries.

With so much sensitive data at risk in these industries, competitive rewards for the most severe findings are essential, as high and critical vulnerabilities make up 24% of reports for organizations across this sector. 

Bounty Budget Recommendations for Crypto and Blockchain Organizations

  • Make a strong business case for your budget that speaks to the priorities of your stakeholders and board members. Check out the Measuring Success section of the full Hacker-Powered Security Report to see how the most security-resilient organizations are making the financial case for their bounty budgets using a return on mitigation (ROM) approach.
     
  • Take a tiered-award approach, with bounty awards weighted by asset type. Bounty award amounts can be adjusted to incentivize testing on your most critical assets, as well as assets that may require a more unique skill set.
     
  • For cryptocurrency and blockchain organizations already paying above-average bounties, focus on impact statements to attract the best researchers. Be specific: “We pay $X for vulnerabilities that could result in A, B, or C consequences.” Crypto.com, for example, generally categorizes reports with “Extreme” severity as vulnerabilities that could result in an “immediate loss of over $1 million in funds to Crypto.com or our users, or that could dump customer PII en masse.” 

Want to learn more about the intricacies of crypto and blockchain security and see how your organization compares to your industry peers? Download the 8th Annual Hacker-Powered Security Report: Technology Edition for more web3 data, researcher insights, and customer advice.

Original Post url: https://www.hackerone.com/vulnerability-management/web3-security-testing

Category & Tags: –

Views: 3

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

CISO2CISO Notepad Series
How Can We Structure Cybersecurity Teams To Better Integrate Security In Agile At Scale?
How Can We Structure Cybersecurity...
OCCUPYTHEWEB
Linux Basics for Hackers by Occupytheweb
Linux Basics for Hackers by...
NIST
Digital Forensics and Incident Response (DFIR) Framework for Operational Technology (OT) by NIST – Eran Salfati and Michael Pease
Digital Forensics and Incident Response...
Think Big Blog
Top 10 TED Talks to Learn about Cyber Security
Top 10 TED Talks to...
NCSC
NCSC Cyber Security for Small Business “SMEs” Guide.
NCSC Cyber Security for Small...
Practical DevSecOps
API Security Fundamentals – Your Handy Guide to Building an Unhackable System by practical-devsecops.com
API Security Fundamentals – Your...
Vendict
The 2024 CISO Burnout Report by Vendict
The 2024 CISO Burnout Report...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...

LASTEST PUBLISHED POSTS

Cyberint
Retail Threat Landscape Report Q1-Q3 – November 2024 Summary by Cyberint a Check Point Company
Retail Threat Landscape Report Q1-Q3...
NCSC
Protecting Critical Supply Chains – A Guide to Securing your Supply Chain Ecosystem
Protecting Critical Supply Chains –...
Culture AI
Time to Adapt – The State of Human Risk Management in 2024 by Culture AI.
Time to Adapt – The...
National Cyber Security Centre
Engaging with Boards to improve the management of cyber security risk.
Engaging with Boards to improve...
Microsoft Security
2024 State of Multicloud Security Report by Microsoft Security
2024 State of Multicloud Security...
bugcrowd
Inside the Mind of a CISO 2024 The Evolving Roles of Security Leaders 2024 by bugcrowd
Inside the Mind of a...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Lacework
CISO’s Playbookto Cloud Security by Lacework
CISO’s Playbookto Cloud Security by...
MITRE - Carson Zimmerman
Ten Strategies of a World-Class Cybersecurity Operations Center by MITRE
Ten Strategies of a World-Class...
SILVERFRONT - AIG
Identity Has Become the Prime Target of Threat Actors by Silverfort AIG.
Identity Has Become the Prime...
CYZEA.IO
Enterprise Information Security
Enterprise Information Security
IGNITE Technologies
ENCRYPTED REVERSE
ENCRYPTED REVERSE

More Latest Published Posts

WORLD BANK GROUP
Global Cybersecurity Capacity Program
Global Cybersecurity Capacity Program
Gary Hinson
Getting started withsecurity metrics
Getting started withsecurity metrics
EDPS
Generative AI and the EUDPR.
Generative AI and the EUDPR.
Bright
2024 Guide to Application Security Testing Tools
2024 Guide to Application Security Testing Tools
HADESS
Hacker Culture
Hacker Culture
Quuensland Govermment
RISK ASSESSMENT PROCESS HANDBOOK
RISK ASSESSMENT PROCESS HANDBOOK
Ministry of MOS Security
HIPAA SIMPLIFIED
HIPAA SIMPLIFIED
Hacker Combat
How Are Passwords Cracked?
How Are Passwords Cracked?
CIS - Center for Internet Security
How to Plan a Cybersecurity Roadmap in Four Steps
How to Plan a Cybersecurity Roadmap in Four Steps
ACSC Australia
Information Security Manual
Information Security Manual
Kaspersky
Incident Response Playbook: Dark Web Breaches
Incident Response Playbook: Dark Web Breaches
ninjaOne
Endpoint Hardening Checklist
Endpoint Hardening Checklist
HADESS
Important Active Directory Attribute
Important Active Directory Attribute
ISA GLOBAL CYBERSECURITY ALLIANCE
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
Rajneesh Gupta
IAM Security CHECKLIST
IAM Security CHECKLIST
sqrrl
Hunt Evil
Hunt Evil
Searchinform
How to protect personal data and comply with regulations
How to protect personal data and comply with regulations
Giuseppe Manco
Threat Intelligence Platforms
Threat Intelligence Platforms
CSA Cloud Security Alliance
Hardware Security Module(HSM) as a Service
Hardware Security Module(HSM) as a Service
IGNITE Technologies
CREDENTIAL DUMPING FAKE SERVICES
CREDENTIAL DUMPING FAKE SERVICES
IGNITE Technologies
A Detailed Guide on Covenant
A Detailed Guide on Covenant
NIST
Computer Security Incident Handling Guide
Computer Security Incident Handling Guide
IGNITE Technologies
DIGITAL FORENSIC FTK IMAGER
DIGITAL FORENSIC FTK IMAGER
Accedere
Cloud Security Assessment
Cloud Security Assessment
YL VENTURES
CISO Reporting Landscape 2024
CISO Reporting Landscape 2024
CISO Edition
Reporting Cyber Risk to Boards
Reporting Cyber Risk to Boards
CIOB
CIOB Artificial Intelligence (AI) Playbook 2024
CIOB Artificial Intelligence (AI) Playbook 2024
INCIBE & SPAIN GOVERNMENT
Nuevas normativas de 2024 de ciberseguridad para vehículos
Nuevas normativas de 2024 de ciberseguridad para vehículos