Hyperledger bug bounty program goes public
The Hyperledger project has opened the doors of its bug bounty program to the public.
Security
Hyperledger is an open-source project and hub for developers to work on blockchain technologies.
The Hyperledger infrastructure is being developed in order to support cross-industry uses of distributed ledger technologies, most commonly associated with the exchange of cryptocurrency.
Hosted by the Linux Foundation, Hyperledger focuses on cross-industry support for distributed ledger frameworks, smart contracts, and libraries, and already supports a range of business-based blockchain frameworks and transactional applications.
While Hyperledger is an important initiative for businesses to utilize the blockchain safely and with a potential ROI, security is a crucial ingredient of the project's success.
Over the past six months, the Hyperledger team has operated a private bug bounty program with HackerOne. This allowed developers and security researchers to test the waters, ironing out any communicative or disclosure issues before going public.
Now, Hyperledger has a public bug tracker, a full vulnerability disclosure policy, and compliance systems in place. The next stage, revealed on Tuesday by Hyperledger team member Dave Huseby, is the launch of a public bug bounty program.
The public program only includes Hyperledger Fabric at present as a target for bug hunters to ferret out vulnerabilities, but Hyperledger Sawtooth and other frameworks are on the radar and are expected to be added to the program soon.
HackerOne is hosting and administering the program. Rewards range from a minimum of $200 for a low-severity bug to at least $2000 for the discovery of a critical vulnerability.
"At Hyperledger we have a broad base of committed developers and it is their professionalism that makes our security process solid and straightforward," Huseby says.
Over the past year, Hyperledger has formalized how blockchain projects can move from development to their first 1.0 release. This process now includes a number of security requirements, including meeting the demands of the Core Infrastructure Initiative (CII), which sets "best practice" requirements for open-source project security.
In addition, up to three members of a project must be nominated to the Hyperledger security team to help triage and resolve vulnerabilities.
See also: Intel debuts security solutions at the silicon level
Hyperledger projects must also undergo a security audit from an external auditor, and now by adding the public bug bounty program, all of these requirements may be made easier with the help of a community of security researchers.
"Security is always an ongoing process of improvement," Huseby says. "Thanks to the commitment and professionalism and general good cheer of the Hyperledger community, we have made great strides in the last year. Now with our public bug bounty, we hope to further make good on the open-source promise and to deserve the trust our users have in us."