Abstract

We present a protocol that collectivises security bounties for deterministically verifiable zero-day exploits. It enables companies to show customers how secure their software is, in terms of dollars staked on their open-source software stack. It also helps ethical hackers retrieve their bounties without ambiguity. Subjectivity and manual labour of triage-processes are eliminated for these exploits.

The protocol enables companies and users (stakeholders) to pool bounties on open-source security stacks in decentralised virtual machines (DVMs) containing read and/or write secrets. Stakeholders specify minimum responsible disclosure durations and a public key. Next, ethical hackers can submit an attack to such DVMs, by storing it in a decentralised encrypted locker (DEL), and notifying the DVM of its presence. Once the stakeholders see this notification, (along with the rest of the world), they can use their private key to retrieve the attack from the DEL (before the rest of the world). For each bounty placed on the DVM, a call is made to the DEL just before the end of the accompanying responsible disclosure time. This call verifies that the attack is still encrypted. After the respective responsible disclosure periods have passed, the DEL is decrypted and the attack is executed. Successful attacks compromise the DVM read/write secret, triggering bounty hunter payout.

This protocol enables ethical hackers to know, before starting work on their exploit, when they will retrieve a payout and how large that payout will be for publishing their exploits, in a winner-take-all market. At the same time, it allows small companies to stake money on open-source security alongside industry giants. This provides a transparent insight on economically rational hackers in the open-source software zero-day exploits segment of the cyber-security market. The accompanying whitepaper presents more details: https://github.com/trusec