Blockchain-based bug bounty framework

Lital Badash, Nachiket Tapas, Asaf Nadler, Francesco Longo, Asaf Shabtai

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review


Bug bounty programs are a popular solution for security researchers to disclose software vulnerabilities in exchange for compensation. They suffer, however, from two main drawbacks that limit their effectiveness: (i) they use a trusted intermediary that charges hefty commission fees and may have a conflict of interest with the software vendor, and (ii) they may mistreat security researchers by compensating less than guaranteed and no means to appeal against it. In this paper, we propose a permissioned Blockchain-based framework that addresses the drawbacks of existing bug bounty programs. The framework allows a confidential exchange of vulnerabilities and compensations using smart contracts. In cases of policy violation, security researchers can appeal to a trusted group of security experts called arbitrators, that can force the software vendors to compensate the security researchers fairly. A formal evaluation of the proposed framework using TLA+ specification supports the viability of the proposal. A Hyperledger Fabric-based prototype is implemented to simulate the proposed framework. The analysis of the framework uses a game-theoretic notion to argue that if the majority of arbitrators behave honestly, then the rational strategy of software vendors is to compensate security researchers that disclose vulnerabilities accurately. Similarly, rational security researchers do not gain any financial profit by playing unfairly.

Original languageEnglish
Title of host publicationProceedings of the 36th Annual ACM Symposium on Applied Computing, SAC 2021
PublisherAssociation for Computing Machinery
Number of pages10
ISBN (Electronic)9781450381048
StatePublished - 22 Mar 2021
Event36th Annual ACM Symposium on Applied Computing, SAC 2021 - Virtual, Online, Korea, Republic of
Duration: 22 Mar 202126 Mar 2021

Publication series

NameProceedings of the ACM Symposium on Applied Computing


Conference36th Annual ACM Symposium on Applied Computing, SAC 2021
Country/TerritoryKorea, Republic of
CityVirtual, Online


  • blockchain
  • bug bounty
  • software vulnerability

ASJC Scopus subject areas

  • Software


Dive into the research topics of 'Blockchain-based bug bounty framework'. Together they form a unique fingerprint.

Cite this