news and opinion | 26 August 2021

Bug Bounty Program with HackerOne announced for Cardano’s blockchain

Sidney Vollmer, Head of Brand & Communications

ZUG, 26 AUGUST 2021. The Cardano Foundation is pleased to announce a partnership with HackerOne on Cardano’s first Bug Bounty program. 

With over 250k valid vulnerabilities reported, HackerOne is perhaps the most prominent hacker-powered security partner globally. Over the coming months, together with the Cardano Foundation, our joint Bug Bounty program will use the power of HackerOne’s ethical hackers and diligent procedures to help us ensure that the Cardano blockchain is the most stable and secure blockchain possible. The Cardano codebase will be tested for bugs that represent a critical vulnerability or potential exploit in core Cardano components. Through a bug bounty program, ethical hackers are incentivised to find vulnerabilities and responsibly report them so they can be fixed before serious damage is done.

Jeremy Firster, Project Manager at the Cardano Foundation, elaborates on the necessity of the Bug Bounty Program: “Cardano is a leading blockchain ecosystem which aims to enable integrated blockchain solutions globally. It is our duty to maintain the highest standards and commitment to code transparency and reliability to ensure that the protocol remains viable for mission critical applications delivered around the world from individuals, start-ups, enterprises, financial institutions, and governments alike. 

This next step in security protection will help us be the most stress-tested and diligently maintained blockchain and is a clear signal to stakeholders of the value we place on security and public safety. The continued growth in user activity and broader participation from financial institutions and the enterprise sector would expect no less from us.

In launching the bug bounty program for Cardano, HackerOne is the partner of choice given their large ethical hacker community, over 2,400 clients served, and more than 230,000 valid reports submitted. As the Cardano ecosystem continues to grow and new features are added to the ecosystem, it remains a priority to ensure the protocol is secure and that all bugs reported are addressed appropriately and transparently. The commitment to public security is another component of Cardano Commercially Critical Infrastructure (CCCI), a Cardano Foundation initiative to support the growing institutional capabilities of the Cardano ecosystem.”

Asked about their involvement with the Cardano Foundation Bug Bounty Program, Account Manager Tor Abrams from HackerOne responds: “We’re continuously testing, finding, and safely reporting real-world security weaknesses for organizations across all industries and attack surfaces. From the U.S. Department of Defense to Dropbox, and from Goldman Sachs to Google, HackerOne gives organizations access to the largest community of hackers on the planet. Armed with the largest database of vulnerability trends and industry benchmarks, the hacker community mitigates cyber risk by searching, finding, and safely reporting real-world security weaknesses for organizations across all industries and attack surfaces.

No organisation is immune to security vulnerabilities. The only solution is to find and fix them before they are exploited by cybercriminals. Ethical hackers can find vulnerabilities that automated scanners miss, by thinking creatively and identifying places where bugs could be ‘chained’ together to provide an exploit. This is something a scanner would not pick up. Platforms like HackerOne can support organisations with providing triage services that reduce false positives and prioritise the most important activities. We also provide re-testing services to make sure vulnerabilities have been fixed.

While a high proportion of hackers (76%) are motivated by bounties, 85% of them are also doing it to learn and expand their skill sets and 62% do it to advance their careers. Hackers are also motivated by a desire to do good in the world, with 47% hacking to protect and defend businesses and individuals from cyber threats.” 

Hackers willing to participate can start hacking by visiting the program page: