Blockchain ecosystem ARK today announced the obtainment of security and penetration testing services from Bugcrowd, a leading crowdsourced security platform. Highly skilled and trusted white hat hackers from all over the world will try to breach the ARK hull and attempt to expose vulnerabilities before they pose a risk to the ARK Ecosystem.
Working with Bugcrowd, ARK can tap into a global community of over 100,000 expert researchers who use varying techniques to identify 7 times as many critical issues, 80% faster than traditional solutions can.
The list of Bugcrowd customers include companies including Netflix, Tesla, Dash, Binance, Netgear, Pinterest, Atlassian, Invision, Motorola, Hewlett-Packard, Barracuda Networks, Western Union, Fiat/Chrysler, Digital Ocean, and more.
ARK will be taking advantage of a full array of services offered by Bugcrowd, including both private and public programs. The private program is set to begin this week, while the public program will begin in early January 2019. Final features and further details will be announced later on when the public programs begin. The first item on deck for testing will be the release of the new ARK v2 Core.
How it Works
A Bugcrowd Security Researcher discovers and submits a finding to Bugcrowd. This submission is reviewed for uniqueness, tested, reproduced and once validated, is quickly escalated to the ARK team. In turn, it is reviewed with attempts to patch the finding. Findings that may be critical are pushed to the team in under 24 hours. ARK can directly converse with the researchers, and has access to all conversations between the security researchers and Bugcrowd. As a result, critical bugs get fixed and patched much sooner than less critical ones.
Vulnerability Rating Taxonomy
ARK will be using Bugcrowd’s VRT, a resource that outlines Bugcrowd’s baseline priority rating. Included are certain edge cases for vulnerabilities that are frequently seen. To arrive at this rating, Bugcrowd’s security engineers start with generally accepted industry impact and further consider the average acceptance rate, average priority, and commonly requested program-specific exclusions (based on business use cases) across all of Bugcrowd’s programs.
Bugcrowd’s VRT is an invaluable resource for bug hunters as it outlines the types of issues that are normally seen and accepted by bug bounty programs. The VRT can also help researchers identify which types of high-value bugs they have overlooked, and when to provide exploitation information (POC info) in a report where it might impact priority.
Why Crowd Sourced Security?
There is a disconnect between the motivations of network attackers, and those of developers and security defenders. Crowdsourced security eliminates this imbalance by harnessing white hat security researchers to find and eliminate vulnerabilities, providing rapid and focused results. The most critical attack surfaces are examined including web and API interfaces on server/cloud, mobile, and IoT platforms. The security researchers are trusted and highly vetted, diffusing the concerns of risk associated with crowd sourced security.
“While the ARK team and the community know the blueprint of their ship quite well, it is often the eyes of outside examiners who can provide a fresh look from a different angle. Bugs and security vulnerabilities can be found that may never have been apparent to the ARK team. The massive increase in efficiency of crowd sourced pen-testing will allow ARK to reach maximum security in far less time than if we rely on an internal team. Ultimately, it is our highest priority to provide the most secure platform possible to the users of ARK.”
Discussion