Author: Xu Hejun

We are in the Internet age, where computers and information systems of every kind have profoundly affected every aspect of our lives. It is no exaggeration to say that we are inseparable from computers and from the software systems that run our applications. However, the software vulnerabilities that keep being exposed are the lingering dark clouds of the Internet age, bringing people trouble and damage of varying degrees from time to time. In particular, the wave of online and telecommunications fraud enabled by user data leaked through software vulnerabilities is a major cancer in today's society. Unfortunately, vulnerabilities exist in information systems from the very beginning of research and development. Vulnerabilities, also called fragility, were mentioned as early as 1947, when von Neumann established the theory of computer system architecture. He believed that the development of computers was similar to that of natural life: a computer system also carries inherent defects, similar to genes, and unexpected problems may occur during use and development. Information security vulnerabilities are intentional or unintentional weaknesses introduced during the requirements, design, implementation, configuration, and operation of information technology, information products, and information systems. These vulnerabilities exist in various forms at every level and link of an information system and can be exploited by malicious actors, thereby affecting the normal operation of information systems and their services.
The world's information security community has reached a consensus on how to prevent the serious consequences of information security vulnerabilities: on top of strengthening internal software testing, encourage white hat hackers, through bounties, to take part in discovering and disclosing vulnerabilities in information systems, rather than deliberately covering them up or turning a blind eye like an ostrich with its head in the sand. Successful cases include HackerOne, which helps companies set up a security response center and pays different bounties for submitted vulnerabilities according to their severity level. This attracts more white hat hackers to find security vulnerabilities in a company's systems and submit them to the company as soon as possible, so that the company can fix them before they cause serious security incidents. HackerOne has given the industry a very successful example: a centralized security response center. However, this model only solves part of the problem. It does not fully solve how to fairly evaluate the threat level of vulnerabilities submitted by white hat hackers, nor how to fairly set the reward for each vulnerability. If the reward does not reflect the white hat hackers' labor, the program will not serve its purpose. From another perspective, we find that software vulnerabilities have characteristics very similar to Bitcoin. First, like Bitcoin, software vulnerabilities are discovered independently by different participants, which means they are naturally decentralized. Second, software vulnerabilities exist only in information systems; they are not digital certificates of something in the physical world, which means they are completely digital.
Third, the discovery, repair, disclosure, threat level assessment, and bounty estimation of a software vulnerability should be handled under open, fair, multi-party supervision. Distributed assistance and supervision are crucial. In fact, the Ethereum community also established a security vulnerability bounty program after the DAO attack. Through the above analysis, we are surprised to find that information system vulnerabilities (software vulnerabilities) share the characteristics of Bitcoin, so they are very well suited to becoming an alternative digital asset supported by blockchain technology. In this vulnerability bounty blockchain, countless white hat security researchers are the miners of vulnerability assets. They mine for vulnerabilities in all information systems and submit evidence of the vulnerabilities they find to the blockchain. Rating agencies then provide vulnerability verification, threat level assessment, and bounty estimation for these vulnerabilities, and these assessment tasks are likewise shared among different participants. In the end, the vulnerabilities are priced, bought back, and fixed by the affected enterprises, and can be traded like Bitcoin. Every step can be recorded on the blockchain to ensure that the entire process is open and fair. Blockchain technology is the only technical platform that can guarantee the fair execution of such a multi-party project. Blockchain technology, which came from the hacker world, is still best suited to white hat hackers.
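The workflow sketched above (submit evidence, assess, verify, pay out, all recorded on chain) raises one practical point a defender would want settled before building it: vulnerability details must never be written to a public ledger, or the ledger itself becomes the disclosure. The following added example, which is not code from the article or from any project it mentions, simulates the workflow with a minimal hash-chained ledger in Python. The researcher records only a salted SHA-256 commitment to the evidence, which proves priority and timing without revealing the bug; the evidence and nonce go to the vendor off-chain, and the chain later records the verification verdict and the bounty. All participant names, the target, the severity and the bounty amount are constructed placeholders.

```python
"""Added example: a toy append-only ledger for the vulnerability-bounty
workflow described in the article, using commit-then-reveal so that
vulnerability details stay off the public chain.
"""
import hashlib
import json
import secrets
import time
from dataclasses import dataclass
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def commit_evidence(evidence: bytes, nonce: Optional[bytes] = None) -> tuple:
    """Return (commitment, nonce). A 32-byte random nonce prevents anyone
    from brute-forcing short or predictable evidence from the commitment."""
    nonce = nonce or secrets.token_bytes(32)
    return sha256_hex(nonce + evidence), nonce


def open_commitment(commitment: str, evidence: bytes, nonce: bytes) -> bool:
    """The vendor checks, off-chain, that the revealed evidence matches the
    commitment recorded on the ledger."""
    return sha256_hex(nonce + evidence) == commitment


@dataclass
class Block:
    index: int
    timestamp: float
    prev_hash: str
    payload: dict
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON so that the hash is independent of dict ordering.
        body = json.dumps({"index": self.index, "timestamp": self.timestamp,
                           "prev_hash": self.prev_hash, "payload": self.payload},
                          sort_keys=True).encode()
        return sha256_hex(body)


class BountyLedger:
    GENESIS_HASH = "0" * 64

    def __init__(self):
        self.chain = []

    def append(self, payload: dict, timestamp: Optional[float] = None) -> Block:
        prev = self.chain[-1].hash if self.chain else self.GENESIS_HASH
        ts = time.time() if timestamp is None else timestamp
        block = Block(len(self.chain), ts, prev, payload)
        block.hash = block.compute_hash()
        self.chain.append(block)
        return block

    def verify(self) -> bool:
        """Recompute every hash and link; any edited payload breaks the chain."""
        prev = self.GENESIS_HASH
        for i, b in enumerate(self.chain):
            if b.index != i or b.prev_hash != prev or b.hash != b.compute_hash():
                return False
            prev = b.hash
        return True

    def records_for(self, commitment: str) -> list:
        return [b.payload for b in self.chain if b.payload.get("commitment") == commitment]


def run_workflow():
    """Walk one constructed report through submit -> assess -> verify -> payout."""
    ledger = BountyLedger()
    evidence = b"constructed proof-of-concept notes for a hypothetical bug in vendor-x"
    commitment, nonce = commit_evidence(evidence)
    # Only the commitment goes on chain; the evidence never does.
    ledger.append({"type": "submit", "researcher": "whitehat-1",
                   "target": "vendor-x", "commitment": commitment})
    ledger.append({"type": "assess", "assessor": "rater-a", "commitment": commitment,
                   "severity": "high", "bounty_estimate": 5000})
    # Vendor receives evidence + nonce off-chain and publishes only the verdict.
    verified = open_commitment(commitment, evidence, nonce)
    ledger.append({"type": "verify", "vendor": "vendor-x",
                   "commitment": commitment, "verified": verified})
    ledger.append({"type": "payout", "vendor": "vendor-x", "commitment": commitment,
                   "bounty": 5000, "fixed": True})
    return ledger, commitment, nonce, evidence


if __name__ == "__main__":
    ledger, commitment, nonce, evidence = run_workflow()
    print("chain valid:", ledger.verify())
    print("records for report:", len(ledger.records_for(commitment)))
```

Two properties are worth checking when running it: altering any recorded assessment or bounty after the fact makes `verify()` fail, and a changed or substituted piece of evidence does not open the original commitment, so neither side can quietly rewrite what was submitted or what was paid.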