EOS launched a bug bounty program on HackerOne on May 31. Bug bounty hunter Guido Vranken has already earned $120,000 from it by identifying 12 bugs and vulnerabilities in the software in just one week.
Block.one is a startup based in the Cayman Islands. They are the developer of the EOS blockchain platform and managed to raise over $4 billion for their initial coin offering (ICO) despite not having a live product.
While Vranken may be a skilled bug hunter, the fact that one individual working alone was able to find 12 vulnerabilities in just one week raises significant concerns about EOS and the quality of its code. ZDNet noted that if EOS does not take its code more seriously, its funding, ICO, and the current hype around the project could be undermined or neutralized should an attacker decide to breach the system.
EOS has a Large Number of High-risk Vulnerabilities
Qihoo 360, a Chinese internet security company, reported that it had discovered a large number of bugs in the EOS code before the mainnet launch on June 2, 2018.
Block.one had said that it would hold off the EOS mainnet launch until the bugs were identified and eliminated. The startup, however, went ahead with the launch despite the vulnerabilities still present in its system, and even after the official launch the EOS blockchain was not yet up and running.
Vranken mentioned to The Next Web that EOS had fixed the bugs outlined in his report. “The EOS people are very appreciative of my efforts,” said Vranken.
“Reported bugs were quickly analyzed and fixed in their public repository. At first, the process was very ad-hoc because [EOS CTO] Daniel Larimer and I were sending files back and forth on Telegram, but they’ve since started to run a bug bounty program on HackerOne which I think is in the best interest of both bug finders and the EOS team.”
The bug hunter also mentioned that he was pleased with the $10,000 reward per bug bounty.
Online Crypto Community Unhappy with EOS’ Bug Bounty Reward
According to a Reddit thread, Reddit user BitcoinIsTehFuture believes that a bounty of $10,000 is too low. “If a zero-day exploit is worth more than $10,000 to reveal, then a bad actor will not disclose this for $10,000, and could choose instead to use the exploit for greater profit,” said Reddit user BitcoinIsTehFuture.
“$10,000 is not very much money. Block.one has billions of dollars and should up the ante for their bug disclosure program. There’s already too little time left, and this would be appropriate for the situation.”
While opinions differ on how large the bounty should be, most users agree that the reward should be scaled to the severity of the bug.
Despite these opinions, a decent number of bugs have been submitted since Block.one announced its bounty program. The development team has also demonstrated that it is competent and capable of resolving these bugs in a very timely manner, often within two to three hours.