Zilliqa’s Bug Bounty Program Enables Secure Growth & Expansion for Blockchain TechnologyDownload Case StudyAbout ZilliqaZilliqa is a high-performance, high-security blockchain platform for enterprises and next-generation applications. Developed through academic research and helmed by a team of experienced scientists, engineers, venture creators and leaders in the financial services, Zilliqa addresses limitations in scalability and security, enabling real-world usability across a variety of industries, including finance, digital advertising, and gaming. In 2019, Zilliqa became the first public blockchain platform to be built on shared architecture, with smart contracts written in the platform’s secure-by-design programming language, Scilla. For more information, visit: zilliqa.com.The ChallengeBlockchain was developed to serve as a trusted transaction ledger for cryptocurrency exchange, and by its distributed nature and game theory consensus mechanisms, is inherently secure by design. However, blockchain platforms are not without their own unique security challenges. Exchange hacks, social engineering, malware, and software vulnerabilities in decentralized applications force blockchain platforms like Zilliqa to remain vigilant as they build towards the future of trade and transaction.As security is of the utmost importance to users of Blockchain technology, it’s easy to see why Zilliqa pays equal attention to the topic. They have architected a robust security framework that includes both industry best practices, as well as a special set of workflows unique to Zilliqa alone:A look at some of Zilliqa’s preventative security measures:Sybil resistance: New nodes looking to join the network must authenticate via computational expressionNode sharding: An intentionally random division of nodes into many small “shards” which helps eliminate single-point of failure, requiring attackers to gain network majority to advanceSafe-by-design smart contract language: A formal verification system to help developers identify gaps, implement fixes and stay secure when writing smart contracts.These practices help Zilliqa to deliver a sufficiently fault-tolerant, and secure networking experience for their customers. However, while critically important, they address only a certain subset of their entire threat landscape—that which is known and understood today. To stay ahead of tomorrow’s threats, Zilliqa turned to Bugcrowd.The SolutionIn November 2018, Bugcrowd helped Zilliqa implement its first Bug Bounty program. A Bug Bounty program is designed to enable rapid access to a global network of vetted security researchers who are incentivized to find critical vulnerabilities before malicious attackers. While this was a first for Zilliqa as a company, it wouldn’t be for the assigned Bug Bounty Manager, Jun Hao Tan. As a security-conscious Senior VP of Security and Platform Engineering, Jun Hao had participated in “capture the flag” (CTF) competitions, successfully reporting numerous security vulnerabilities to various leading agencies and vendors in the tech sector. Having seen the value of such programs at organizations with even the most rigorous security controls, championing a Bug Bounty program with Bugcrowd was an easy decision. Additionally, Jun Hao’s first-hand experience as a hacker contributed to Zilliqa’s adoption of full Safe Harbor status—ensuring that hackers who act in good faith on their platform will be protected from undue retribution for their efforts, and those that wish to share accomplishments can safely request coordinated-disclosure.Bugcrowd worked with Zilliqa to define their program’s purpose and core testing needs, focusing primarily on their cryptocurrency platform and smart contract language/implementation. Next, the two teams defined the skills, experience, and trust required for participation in their program, which was initially launched in “private” mode. Once internal processes for accepting and rapidly addressing valid submissions were aligned, they prepared for their “public” launch—effectively lifting any restrictions on crowd participation in order to widen reach and attract new testing skills. Additionally, Zilliqa enabled “bonus periods” during which times rewards (and thus submissions) increased. In January 2020, they received their first P1 submission, which represents the highest priority vulnerability. Zilliqa’s program is now open to all security researchers on the Bugcrowd platform, and can be accessed at bugcrowd.com/zilliqa.Industry Blockchain TechnologyBugcrowd Product Managed Bug BountyChallenge With experience as a hacker himself, Zilliqa’s Core Developer championed a layered approach to internal code-reviews.Solution Bugcrowd’s public Bug Bounty program provided Zilliqa the reach and exposure necessary to add top security expertise to an already extremely robust security framework.OutcomesLayered approach to security without the cost of full-time resourceFirst P1 (highest priority vulnerability) within a yearEarly submissions from the Crowd reflected valuable edge-cases not caught in internal code reviewsBugcrowd has added an additional layer to our security testing. It has helped to complement our existing security efforts and has helped us uncover new bugs that we weren’t aware of before. We’ve found that due to the nature of the bugs reported on Bugcrowd, our dev team has gained valuable insights in order to orient them towards more defensive coding.”Jun Hao Tan, SVP Security & Platform Engineering, ZilliqaThe ResultsZilliqa received near-immediate value from their Bug Bounty program, with regard to both the severity of findings, as well as those that informed new security review practices. Early submissions uncovered “edge cases” that were not identified during regular code reviews and security audits, reinforcing the value of combining internal assessments with the unique security skills and experience of the Crowd.Top program benefits Zilliqa’s top benefits, as compiled by their team, include:Triage service : Bugcrowd provides rapid and reliable validation and prioritization for all incoming vulnerabilitiesDisclose.io : Bugcrowd enables Zilliqa to show researchers that they provide safe harbor for those hunting in good faithPayment Management : Bugcrowd manages payment allocation and distribution for Zilliqa-validated vulnerabilities according to the Vulnerability Rating TaxonomyAs Zilliqa continues to change the way the world trades and transacts, Bugcrowd’s network of skilled security testers works 24/7 to protect users of these new technologies, every step of the way.
