These days anyone regularly tuning into r/bitcoin reads stories about individuals getting their wallet.dat stolen and bitcoin businesses closing operations after a security breach. Yesterday, security researcher Egor Homakov disclosed how Mt.Gox was vulnerable to an account hijacking attack caused by an XSS flaw combined with improper session management. The issue has since been fixed, and while it’s great to see security researchers take on the challenge of bitcoin security, sometimes it seems like something is fundamentally broken when looking at security across the bitcoin ecosystem.
Ironically, these security breaches are a marker of bitcoin’s overall success. As bitcoin continues to grow and flourish, we can expect criminals to target more and more bitcoin businesses as its value increases. For bitcoin, this list of thefts and heists is only the beginning.
Improving Application Security
As a protocol, Bitcoin itself is secure. Most bitcoin security issues are not related to the bitcoin protocol; they are due to improper handling of bitcoins or insufficient security built into applications dealing with bitcoin. At the protocol level there are some interesting developments in progress, like multi-signature transactions, which, when implemented by applications, will make compromises of bitcoin applications less harmful. The current bounty for a compromising bug in the bitcoin protocol is around $12,000,000,000, and so far no vulnerabilities have been disclosed or exploited. In addition to this bounty, we have also seen initiatives like the Bitcoin Security Project raise awareness about security in the bitcoin community.
In terms of improving the overall security of bitcoin web applications, we believe that as the bitcoin ecosystem matures, bitcoin businesses will increasingly compete on application security to attract customers. More and more businesses will follow the example of wallet providers Coinbase and Blockchain.info, who are leaders in bitcoin because of their transparent, open writeup of their security practices.
Despite the inherent value of security transparency, many bitcoin businesses do not advertise their security practices. For those who do, how do users know that these practices are actually being followed by the business? Clearly there is an incentive for a dubious bitcoin website to attract users by advertising higher levels of security than it has actually implemented in its products. This is a classic asymmetric information problem, as the website has more information about its application security than it might reveal to users.
Bug Bounty Programs as a Benchmark
The best way to solve the problem of misinformation about bitcoin security is to give users a reliable metric to determine the security level of a bitcoin application. Bug bounty programs like those run by Google and other large technology companies clearly communicate reward sizes proportionate to the seriousness of a vulnerability a security researcher might discover, and open important channels of communication with the security community. The existence of a bug bounty program could be the first of many metrics to help build trust with users. By offering large rewards, bitcoin businesses could easily signal their web application security level to their users. The higher the reward sizes, the more engaged and incentivized the security community is to investigate and discover vulnerabilities in a secure application.
Over the past few months, there has been a huge increase in the adoption of bug bounty programs by businesses in the bitcoin space. Bitcoin businesses like Coinbase, Kraken, QuickBT, Coinkite and Vault of Satoshi are leading the way with their disclosure policies and bug bounty programs. We expect this trend to continue (to the moon, perhaps?) as end-users increasingly demand stronger security from bitcoin applications.