Facebook’s Libra Association announced yesterday the launch of its public bug bounty program. The details, outlined in a blog post, said the program is designed to “strengthen the security of the blockchain” before Libra’s projected launch sometime next year.
The program will be hosted on popular bug bounty platform HackerOne, and “enables developers to submit bugs and alert the association to security and privacy issues and vulnerabilities to help ensure a scalable, reliable, and secure launch.” As of July 2018, HackerOne’s network has some 200,000 members. It’s used by large companies, including Starbucks, Spotify, and the European Commission.
The association wants hackers to guard against forks, transaction tampering, block tampering, validator compromises, denials of service and double-spending.
The discovery of even “the most subtle” bugs will be rewarded, and bounty hunters can get up to $10,000 for finding “critical” issues on the testnet. An example of a “critical” vulnerability would be a “Virtual Machine flaw that allows the execution of a Move smart contract to be altered.” Facebook has the final say about the threat level, and its decisions are non-appealable.
But there are rewards for smaller issues too: the discovery of “high” threat vulnerabilities pays out $5,000, “medium” threats pay out $1,500, and “low” threats pay out $500. Libra aims to pay out within 14 days of a threat being reported. To date, just one bounty has been paid out, to hacker Michael Xu, who received $1,500 for a “medium threat.”
To further encourage bounty hunters, the program will cherry-pick examples of bugs and issues found (and hopefully fixed) to incentivize others to rummage through Libra’s code. The announcement also claimed the project will have an outreach program to encourage the academic community to help identify potential problems.
The bug bounty program should help to keep hackers from breaching Libra when it goes live on Facebook’s WhatsApp and Messenger platforms next year. Before then, however, Facebook has to find a way of stopping regulators from derailing the project before it even begins. Unluckily for Facebook, these ‘bugs’ are much harder to squash.