
How to Measure the Security of a Bitcoin Application

Jacob Hansen

Jacob Hansen is Co-founder and Chief Executive Officer at Cobalt. Jacob and his team are on a mission to evolve the traditional pentesting model by engaging the best cybersecurity talent, via Cobalt’s PtaaS platform, and allowing customers to move from a static pentest to platform-driven pentest programs that drive better security and improve ROI.


These days anyone regularly tuning into r/bitcoin reads stories about individuals getting their wallet.dat stolen and bitcoin businesses closing operations after a security breach. Yesterday, security researcher Egor Homakov disclosed how Mt.Gox was vulnerable to an account hijacking attack caused by an XSS flaw combined with improper session management. The issue has since been fixed, and while it’s great to see security researchers take on the challenge of bitcoin security, sometimes it seems like something overall is broken when looking at security in the bitcoin ecosystem.

Ironically, these security breaches are a marker of bitcoin’s overall success. As bitcoin continues to grow and flourish, we can expect criminals to target more and more bitcoin businesses as its value increases. For bitcoin, this list of thefts and heists is only the beginning.

Improving Application Security

As a protocol, Bitcoin itself is secure. Most bitcoin security issues are not related to the bitcoin protocol; they are due to improper handling of bitcoins or insufficient security built into the applications that deal with bitcoin. At the protocol level there are some interesting developments in progress, like multi-signature transactions, which, once implemented by applications, will make compromises of bitcoin applications less harmful. The current bounty for a compromising bug in the bitcoin protocol is around $12,000,000,000, and so far no vulnerabilities have been disclosed or exploited. In addition to this bounty, we have also seen initiatives like the Bitcoin Security Project raise awareness about security in the bitcoin community.

In terms of improving the overall security of bitcoin web applications, we believe that as the bitcoin ecosystem matures, bitcoin businesses will increasingly compete on application security to attract customers. More and more businesses will follow the example of wallet providers Coinbase and Blockchain.info, who are leaders in bitcoin because of their transparent, open writeup of their security practices.

Transparent Security

Despite the inherent value of security transparency, many bitcoin businesses do not advertise their security practices. For those who do, how do users know that these practices are actually being followed by the business? Clearly there is an incentive for a dubious bitcoin website to attract users by advertising a higher level of security than it has actually implemented in its products. This is a classic asymmetric information problem: the website has more information about its application security than it might reveal to users.

Bug Bounty Programs as A Benchmark

The best way to solve the problem of misinformation about bitcoin security is to give users a reliable metric for determining the security level of a bitcoin application. Bug bounty programs like those run by Google and other large technology companies clearly communicate reward sizes proportionate to the seriousness of a vulnerability a security researcher might discover, and they open important channels of communication with the security community. The existence of a bug bounty program could be the first of many metrics to help build trust with users. By offering large rewards, bitcoin businesses could easily signal their web application security level to their users. The higher the reward sizes, the more engaged and incentivized the security community is to investigate and discover vulnerabilities in a secure application.

Over the past few months, there has been a huge increase in the adoption of bug bounty programs by businesses in the bitcoin space. Bitcoin businesses like Coinbase, Kraken, QuickBT, Coinkite and Vault of Satoshi are leading the way with their disclosure policies and bug bounty programs. We expect this trend to continue (to the moon, perhaps?) as end-users increasingly demand stronger security from bitcoin applications.
