Last week TRON CEO Justin Sun announced the launch of a bug bounty program with a top reward of $100k. The announcement coincided with the project’s much anticipated mainnet launch. The next day, however, Sun announced that they were increasing that amount to a cool $10 million.
TRON Gets Serious About Security
Following its mainnet launch on May 31st, Justin Sun, Founder and CEO of TRON, also announced a bug bounty campaign with the highest reward of $100,000 for identifying critical network issues. Just a day later, however, he raised the stakes significantly, raising the maximum reward to $10 million. The reason given for the increase was to emphasize just how seriously TRON takes the security of its network.
#TRON Bug Bounty Program with a highest reward of USD$10 million. We take the security of #TRON mainnet very seriously. If you have made an important discovery of potential bugs, please contact us and join the TRON Bug Bounty Program🔉 #TRX $TRX https://t.co/e399Z4TZBw pic.twitter.com/JRyVnTtb9J
— Justin Sun (@justinsuntron) June 1, 2018
According to the official bug bounty program documentation found on the project’s GitHub, the campaign will take place between May 31st and June 24th. The goal of the program is to enlist the help of the wider crypto community to discover any potential technical vulnerabilities in the TRON mainnet.
The original bounty cap of $100,000 was impressive in its own right, placing TRON squarely alongside tech giants like Microsoft and Apple in terms of highest bug bounty rewards. A $10 million reward, on the other hand, puts TRON in a league of its own.
Bugs found during the bug bounty campaign will be assigned a level of severity – intermediate, advanced, and fatal. The reward payout structure for each level is as follows:
- Fatal bugs which can take control of java-tron nodes by remote execution of any code. Reward: $100,000 and up.
- Fatal bugs which can lead to private key leakage. Reward: $50,000 and up.
- Advanced bugs which can incur Denial of Service (DoS) in java-tron through P2P network. Reward: $10,000 and up.
- Advanced bugs which can incur Denial of Service (DoS) in java-tron through RPC-API. Reward: $10,000 and up.
- Intermediate bugs which can incur Denial of Service (DoS) in java-tron through TRON Protocol. Reward: $6,000 and up.
- Intermediate bugs allowing unauthorized operations on user accounts. Reward: $6,000 and up.
It is important to note that bugs found in the following code repositories ONLY are eligible for bounties:
- java-tron: https://github.com/tronprotocol/java-tron
- wallet-cli: https://github.com/tronprotocol/wallet-cli
Any other location, including tronscan.org, tron.network, tronlab.com, and any third-party partners are considered “out of scope” and are ineligible for a bounty reward in this campaign.
Bug Bounties Gathering Momentum
Bug bounty programs are becoming more and more popular as means of identifying network vulnerabilities within blockchain-based projects. Apart from TRON’s massive campaign, EOS launched its own bug bounty program a few days ago. Throughout the program, a single user named Guido Vranken managed to identify eight different vulnerabilities, pocketing $80,000 in just one day. According to Vranken, he discovered four additional bugs that, once validated, will increase his overall reward to $120,000.
Blockchain-based projects are not the only ones who have recognized the merit within bug bounty programs. Coinbase’s head of security, Philip Martin, is a big proponent of them as well:
Coinbase loves bug bounties. […] We think they fundamentally change the economics of vulnerability reporting. Instead of a researcher facing a choice between using a vulnerability themselves, selling a vulnerability to 3rd parties or giving a vulnerability away for free, bounties present a good, legal, risk-adjusted return for the time invested by a researcher. Bounties de-criminalize the actions of good-faith security researchers, while still forbidding malicious hacking. Bounties help grow the next generation of security talent.
Do you think TRON’s massive bug bounty program is a sign of confidence or of worry? Let us know in the comments below!
Images courtesy of Flickr, Pixabay