The Hyperledger project has opened the doors of its bug bounty program to the public.
Hyperledger is an open-source project and hub for developers to work on blockchain technologies.
According to information security experts, Hyperledger infrastructure is being developed in order to support cross-industry uses of distributed ledger technologies, most commonly associated with the exchange of cryptocurrency.
Hosted by the Linux Foundation, Hyperledger focuses on cross-industry support for distributed ledger frameworks, smart contracts, and libraries, and already supports a range of business-based blockchain frameworks and transactional applications.
While Hyperledger is an important initiative for businesses to utilize the blockchain safely and with a potential ROI, security is a crucial ingredient of the project’s success.
Over the past six months, the Hyperledger information security team has operated a private bug bounty program with HackerOne. This allowed developers and security researchers to test the waters, ironing out any communication or disclosure issues before going public.
Now, Hyperledger has a public bug tracker, a full vulnerability disclosure policy, and compliance systems in place. The next stage, revealed on Tuesday by Hyperledger team member Dave Huseby, is the launch of a public bug bounty program.
The public program only includes Hyperledger Fabric at present as a target for bug hunters to ferret out vulnerabilities, but Hyperledger Sawtooth and other frameworks are on the radar and are expected to be added to the program soon.
HackerOne is hosting and administering the program. Rewards range from a minimum of $200 for a low-severity bug to at least $2000 for the discovery of a critical vulnerability.
“At Hyperledger we have a broad base of committed developers and it is their professionalism that makes our security process solid and straightforward,” Huseby says.
Last year, Hyperledger formalized how blockchain projects can move from development to their first 1.0 release. This process now includes a number of security requirements, including meeting the demands of the Core Infrastructure Initiative (CII), which sets “best practice” requirements for open-source project security, information security researchers said.
In addition, up to three members of a project must be nominated to the Hyperledger security team to help triage and resolve vulnerabilities.
Hyperledger projects must also undergo a security audit from an external auditor. With the addition of the public bug bounty program, all of these requirements may be made easier with the help of a community of information security researchers.