Q: Why did Deribit launch a bug bounty program?
A: I like to view security as an onion where each additional layer provides additional protection to the core. The risk of getting hacked is a function of the target attractiveness (based on possible gains) and the number of security layers. The more security layers you add, the better your core is protected and the lower your risk.
By launching a bug bounty program, we added another security layer to secure our clients’ assets.
Q: In the crypto space, security is often associated with trust. How does Deribit ensure that its bug bounty program strengthens trust with its users?
A: In crypto, we say, “don’t trust, verify.” Deribit implements security best practices and complies with ISO 27001 and SOC 2 Type 2 controls. We run pentests and red team exercises both on a regular basis and before launching new features. The bug bounty program adds another layer of security review and offers a legal route and financial rewards to anyone discovering a bug in Deribit.
Q: Why did Deribit choose HackerOne to manage its program?
A: You are only as secure as your weakest link. HackerOne has the largest community of security researchers, all with different skill sets, experience, and expertise, ensuring complete coverage of our assets so that no area is overlooked. Additionally, since its inception, Deribit has advocated for cryptocurrencies and the power and freedom they enable. HackerOne is one of the rare platforms that offers security researchers the possibility of receiving payments in crypto, which aligns with our values.
Q: Have you had any memorable interactions with security researchers to date? Favorite bugs?
A: A few years ago, a security researcher reported a bug anonymously and never claimed the ticket. We invested the time to track him down so that we could reward him. We want security researchers to hunt on our program, and we want to reward them handsomely for it!
Q: With the rapid evolution of blockchain technology, what unique security challenges does Deribit face, and how does the bug bounty program help address them?
A: Blockchain and crypto are secular and rapidly evolving industries, and most of the products have not yet stood the test of time. To make matters worse, the amount of money and the irreversibility of transactions make crypto companies a very attractive target to malicious individuals and APT (advanced persistent threat) groups. The bug bounty program helps us find vulnerabilities before malicious actors and constantly trains our security team to detect and respond to potential threats.
Q: Anything to say directly to the security researcher community?
A: Deribit has had a bug bounty program for 6 years already. We started as a self-hosted program and then turned to a managed program (first on Bugcrowd and now on HackerOne). This dedication to evolving our bug bounty program shows how valuable security researchers have been in securing the exchange. We have loved the journey: meeting new people, talking payloads, and learning novel attack techniques. We’re so grateful to the security researchers who have reported issues through our bug bounty program. Keep on hacking!