Bug bounty programs have been around for years.
Government institutions, multibillion-dollar companies and some of the most reputable agencies have hired hackers to test their security systems in order to find and report any vulnerabilities before they could be maliciously exploited by third parties.
While the practice has become the norm for companies and institutions all over the world, darknet markets are only beginning to taste the benefits of running bug bounty programs.
Hansa Marketplace is a fairly popular darknet marketplace that has taken the initiative to fix its security issues by launching a bug bounty this month.
Considered one of the major darknet markets, Hansa is offering rewards based on the severity of the bugs found and the thoroughness of the report submitted.
Severe vulnerabilities that are found—such as those that could reveal a user’s IP address or disclose their personal information—are rewarded with 10BTC (approximately $10,000).
Vulnerabilities of lower severity will be rewarded with 1 BTC ($1,000) or 0.05 BTC ($50), as determined by the developers.
Bug bounties such as these are aimed not only at enhancing the security of darknet marketplaces, but also at motivating elite hackers to report weaknesses in the security systems to the darknet markets’ developers rather than hide them and exploit them for their own benefit.
Bug Bounties are a Multimillion-Dollar Industry
With its rapid rise in popularity, the bug bounty industry has developed into a multimillion-dollar trade that has only just begun extending its reach into darknet markets.
Established bug bounty hunters include big names from platforms such as Bugcrowd and HackerOne, as well as several other high-profile hackers who dedicate their time and skills to companies looking to improve their cybersecurity.
The Deep Web Niche in Dire Need of More than Just Bug Bounty Programs
Darknet markets have been the subject of criticism for years based on their “shoddy” security measures despite being one of the few areas of the internet where poor security translates to a prison sentence for many.
We don’t have to look far to see the consequences—the arrest and sentencing of Ross Ulbricht, founder of one of the most popular darknet markets to date, still rings clear in everyone’s mind.
Sarah Lewis, a privacy and security researcher working behind the OnionScan software, admits that although Hansa is one of the few darknet markets that is taking a step in the right direction, it is far from being a conclusive solution to the problem.
Based on the findings of the OnionScan software, which is designed to detect security vulnerabilities on Tor hidden services, darknet markets need a lot more than just a few proficient bug hunters.
She attributes the imminent catastrophic failure of most Tor hidden service websites to poor judgment at the software design level, which is the result of basing privacy software on web technologies that are not privacy-centric.
She suggests that a full refurbishment—of the servers, blog platforms, and web software—would be necessary to achieve anything close to an impenetrable security system.
Hansa is the First among the Major Darknet Markets to Publicize a Bug Bounty Program
Although darknet markets have always made use of available hackers to iron out the kinks in their software, this has usually been kept under the radar.
Hansa is the first major darknet market to initiate a bug bounty program.
This move may have been spurred by the recent AlphaBay leak, in which 218,000 private messages were revealed.
To make matters worse, a majority of the users displayed poor opsec by revealing real, unencrypted addresses, and private and personal information directly in these private messages, possibly because they felt that AlphaBay could provide adequate security.
And while PGP encryption remains an option on most darknet markets, very few users dare to navigate the nuances involved, since it is very easy for things to fail catastrophically.