If I were Bitfi
(Disclaimer: I am with HackerOne’s community team. I don’t want to bury the lede on that in any way, as H1 does come into this story.)
If you’ve been on Twitter in the past two months and live in the security world, chances are good that you’ve seen the fighting around Bitfi. A short summary for those who missed it:
- Bitfi launched a hardware wallet for cryptocurrency
- They subsequently launched a $250k reward for it to be hacked, claiming it to be unhackable, the “Bitfi Bounty”
- Numerous researchers successfully hacked the device, to varying degrees
- Harassing tweets and threats were made by Bitfi employees against these researchers, when they attempted to claim the reward
- Bitfi subsequently pulled the reward and rescinded the unhackable claim, as well as signaling their intention to launch a HackerOne bug bounty
- They also hired a head of security, who subsequently quit the next day, then rejoined pending action being taken regarding some of the less savory points here
This summary misses a lot of the details, but it hits on the key points. As both a security researcher and someone whose day-to-day tasks are centered around empowering our community, there’s a lot here which concerns me.
For this post, I’m going to put myself in Bitfi’s shoes and discuss what I would do from here, if I were in their position. I’m writing this in hopes of being useful to Bitfi and other folks who find themselves in situations like these. I don’t have any inside information and it’s possible that I’m missing the thread in various ways. Your mileage may vary.
#1 Adopt a code of conduct for employees and contractors
This would be my first action. Harassment, threats, and intimidation of anyone is unacceptable and should be codified as such. I understand that it can be frustrating to be on the receiving end of hateful tweets, emails, etc – I’ve received more than my fair share over the years – but 1) this shouldn’t be responded to in kind, and 2) this especially shouldn’t be used as an excuse to lash out against folks who are not being hateful or abusive.
#2 Pay the researchers
I would pay the first team to successfully perform a full hack of the device (in this case, I think that a cold boot attack well exceeds this) the $250k reward. No, they didn’t extract the coins from the wallet, but they thoroughly demonstrated its security flaws. In order to have any kind of trust from the community, this is necessary.
#3 Define the new bounty program
The existing “Bitfi Bounty” has a clarity issue that we would need to resolve. You can run a security rewards program in one of two ways: bug bounty (rewarding researchers for finding bugs, typically paid by the severity assigned to said bugs) and security rewards (rewarding researchers for accomplishing a given task, e.g. getting root on a device). The latter is not what most people think of as a bug bounty program, and billing it as such can lead to confusion and resentment from the community at large. Both do have merits, however, and they should be weighed.
I would personally lean towards a traditional bug bounty program, if only for one reason: It’s open to the discovery of bugs and attack scenarios that haven’t been previously considered. If they don’t have a business impact of note, the severity for the bug will be low and the payout will be a rounding error anyway; if they do have a real business impact, the product becomes measurably more secure.
Regardless of the approach taken, we would need to codify this in a way that makes it clear to hackers what the goals and rewards of the program are.
#4 Issue an apology
Having (hopefully) resolved the conduct issues and having paid the researchers who successfully broke the device, I would issue a statement that includes the following:
- An apology for the previous conduct of our employees and/or contractors
- An assurance that our new code of conduct states that these actions are unacceptable and will be dealt with swiftly if they occur again
- An explanation of how the new bug bounty program will work with researchers, rather than in opposition to them
I would then listen to the feedback given, no matter where it comes from. This can often be the hardest step, but it’s essential. There have clearly been mistakes made, but this is not an irredeemable situation. Regaining the trust of a community takes time, effort, and a willingness to be wrong and then fix it.
No matter how exactly we go about these steps, we will be on a path to better security and lower risk for our customers. At the end of the day, that’s what really matters.
Taking off my hypothetical Bitfi hat, it’s clear that this company has an uphill climb ahead of it, but that’s not always a bad thing. I firmly believe that if these steps were taken, it’s possible that they would end up in a position where the community is – at the very least – not actively fighting them.
Not to drink the H1 kool-aid too much, but since Bitfi announced they planned to use our platform to run their bounty, I’ve thought a lot about our company values: Start with Integrity, Default to Disclosure, Act Like an Owner, Win as a Team, and Empower Our Community. While it may sound trite, these values mean a lot to me, and I know that they mean a lot to everyone at HackerOne. I don’t want anyone on our platform – programs or users – to harm our community, and I think that following those values helps mitigate that risk dramatically.