It's frustrating, we reported a SQL injection vulnerability to the Vulcan Forged bug bounty program 6 months ago that let you pull master private keys and plaintext passwords. This vulnerability had a similar level of impact, but was rewarded with $2,000. (1/5)
https://twitter.com/RektHQ/status/1470431503045828614
Over the last year or so we've hacked on tons of Web2
crypto programs which are custodial wallet or are trusted mediums for people to interact with huge amounts of money, but the vulnerabilities are consistently paid <$5k when the *real* amount of risk is >$100m. (2/5)
crypto programs which are custodial wallet or are trusted mediums for people to interact with huge amounts of money, but the vulnerabilities are consistently paid <$5k when the *real* amount of risk is >$100m. (2/5)
Something to note is this isn't "speculative" impact, the vulnerabilities demonstrated clear access to user funds and since it's crypto there is a very real threat of someone actually draining the wallet. (3/5)
Smart contract vulnerabilities for platforms this size will normally pay, at the minimum, $100,000 for critical issues which lead to this level of loss of funds, so why are the web vulnerabilities being capped at $5,000 when there is the same level of impact? (4/5)
If these programs want to run a bug bounty program (which I think is great), I feel that more than anything they're going to have to increase rewards so that people take them seriously. (5/5)
• • •
Missing some Tweet in this thread? You can try to
force a refresh
