Zilliqa's Bug Bounty Program Enables Secure Growth & Expansion for Blockchain Technology

About Zilliqa

Zilliqa is a high-performance, high-security blockchain platform for enterprises and next-generation applications. Developed through academic research and helmed by a team of experienced scientists, engineers, venture creators and leaders in the financial services, Zilliqa addresses limitations in scalability and security, enabling real-world usability across a variety of industries, including finance, digital advertising, and gaming. In 2019, Zilliqa became the first public blockchain platform to be built on shared architecture, with smart contracts written in the platform’s secure-by-design programming language, Scilla. For more information, visit: zilliqa.com.

The Challenge

Blockchain was developed to serve as a trusted transaction ledger for cryptocurrency exchange, and by its distributed nature and game theory consensus mechanisms, is inherently secure by design. However, blockchain platforms are not without their own unique security challenges. Exchange hacks, social engineering, malware, and software vulnerabilities in decentralized applications force blockchain platforms like Zilliqa to remain vigilant as they build towards the future of trade and transaction.

As security is of the utmost importance to users of Blockchain technology, it’s easy to see why Zilliqa pays equal attention to the topic. They have architected a robust security framework that includes both industry best practices, as well as a special set of workflows unique to Zilliqa alone:

A look at some of Zilliqa’s preventative security measures:

• Sybil resistance: New nodes looking to join the network must authenticate via computational expression
• Node sharding: An intentionally random division of nodes into many small ‘shards’ which helps eliminate single-point of failure, requiring attackers to gain network majority to advance
• Safe-by-design smart contract language: A formal verification system to help developers identify gaps, implement fixes and stay secure when writing smart contracts.

These practices help Zilliqa to deliver a sufficiently fault-tolerant, and secure networking experience for their customers. However, while critically important, they address only a certain subset of their entire threat landscape that which is known and understood today. To stay ahead of tomorrow’s threats, Zilliqa turned to Bugcrowd.

The Solution

In November 2018, Bugcrowd helped Zilliqa implement its first Bug Bounty program. A Bug Bounty program is designed to enable rapid access to a global network of vetted security researchers who are incentivized to find critical vulnerabilities before malicious attackers. While this was a first for Zilliqa as a company, it wouldn’t be for the assigned Bug Bounty Manager, Jun Hao Tan. As a security-conscious Senior VP of Security and Platform Engineering, Jun Hao had participated in ‘capture the flag’ (CTF) competitions, successfully reporting numerous security vulnerabilities to various leading agencies and vendors in the tech sector. Having seen the value of such programs at organizations with even the most rigorous security controls, championing a Bug Bounty program with Bugcrowd was an easy decision. Additionally, Jun Hao’s first-hand experience as a hacker contributed to Zilliqa’s adoption of full Safe Harbor status ensuring that hackers who act in good faith on their platform will be protected from undue retribution for their efforts, and those that wish to share accomplishments can safely request coordinated-disclosure.

Bugcrowd worked with Zilliqa to define their program’s purpose and core testing needs, focusing primarily on their cryptocurrency platform and smart contract language/implementation. Next, the two teams defined the skills, experience, and trust required for participation in their program, which was initially launched in ‘private’ mode. Once internal processes for accepting and rapidly addressing valid submissions were aligned, they prepared for their ‘public’ launch effectively lifting any restrictions on crowd participation in order to widen reach and attract new testing skills. Additionally, Zilliqa enabled ‘bonus periods’ during which times rewards (and thus submissions) increased. In January 2020, they received their first P1 submission, which represents the highest priority vulnerability. Zilliqa’s program is now open to all security researchers on the Bugcrowd platform, and can be accessed at Zilliqa.

The Results

Zilliqa received near-immediate value from their Bug Bounty program, with regard to both the severity of findings, as well as those that informed new security review practices. Early submissions uncovered ‘edge cases’ that were not identified during regular code reviews and security audits, reinforcing the value of combining internal assessments with the unique security skills and experience of the Crowd.

Top program benefits
Zilliqa’s top benefits, as compiled by their team, include:

• Triage service : Bugcrowd provides rapid and reliable validation and prioritization for all incoming vulnerabilities
• Disclose.io : Bugcrowd enables Zilliqa to show researchers that they provide safe harbor for those hunting in good faith
• Payment Management : Bugcrowd manages payment allocation and distribution for Zilliqa-validated vulnerabilities according to the Vulnerability Rating Taxonomy

As Zilliqa continues to change the way the world trades and transacts, Bugcrowd’s network of skilled security testers works 24/7 to protect users of these new technologies, every step of the way.