Conversation

We’ve been criticized for not having a 3rd party run our bug bounty program but this is exactly why we run it ourselves. Resubmitting bugs for the bounty is the least bad thing that can happen. Worst case, the stolen bugs are sold to more serious hackers or directly exploited.

Quote Tweet

Runa Sandvik

@runasand

· Jul 1

A HackerOne employee accessed vulnerability data of customers, then re-submitted the security issues to the same customers for personal gain. Interesting report by @Hacker0x01 on the incident and investigation. hackerone.com/reports/1622449

Show this thread

193

Jesse Powell

@jespow

Exchange rankings like

@cer_live

give you double points for hosting your bug bounty with a 3rd party, incentivizing bad behavior. Those scores are repeated by

@coingecko

and others. Good list of who's at risk: cer.live

10:00 PM · Jul 2, 2022Twitter Web App

Replying to

and

So Kraken's the only exchange with that runs its own bug bounty program You don't make enough noise about this and all the precautionary measures kraken has in place

Replying to

and

should be at 1.

Replying to

and

I was looking at cer.live and wondering how reliable it is…

Replying to

and

And where did Celsius and Voyager sit on this list prior to freezing

Replying to

and

Can you rank exchanges based on probability of going illiquid in the next 1-3 months?

Replying to

and

At cer.live we accept self-hosted bug bounty programs with one exception. An exchange should send the documentation that proves its efficiency. Kraken did this one year ago.

Show more replies