IOSG Weekly Report: Cluster Wisdom in the Security Field — Community-Driven Bug Bounty and Audit Markets

IOSG Weekly Report: Community-Driven Bug Bounty and Audit Markets for Security

An IOSG researcher has written an article introducing what bug bounty and audit competitions are, and comparing the two. The researcher believes that decentralized bounty and audit competition platforms have not yet found a particularly effective token model, but is very optimistic about the future of this market for achieving scalable growth.

In the traditional Web2 network security field, bug bounty platforms are also a relatively young direction (emerging after 2012). In the Web3 security field, all web3 bug bounty and auditing competition platforms distributed a total of $50 million in rewards to white hat hackers in 2022. The average fee level for such platforms is around 10% to 30%, so the conservative estimate for the current market size is around $5m to $15m, making it a very emerging market. In today’s increasingly crowded traditional security auditing market, will decentralized security services be an important increment to this market? (Currently, there are 56 auditing companies on the market, and the top companies had annual revenues of $10 million to $40 million. I think the imagination space for decentralized security market is very large).

Bug bounty platform vs. Auditing competition platform: 1) Participation: On bug bounty platforms, projects are usually open, and anyone can participate. Participants usually explore and report vulnerabilities independently in exchange for rewards. If two people discover the same duplicate vulnerability, the principle of first come, first served is followed, and whoever submits the report first will receive the reward. Community-driven auditing competition platforms usually have time limits for participants to compete to find and report vulnerabilities within a specific time frame. Compared with bounty platforms, some teams will cooperate on competition platforms. In addition, if two auditing competitors discover duplicate vulnerabilities within the specified time, both can receive rewards.

2) Reward structure: The actual rewards for both platforms primarily consider the severity of the discovered vulnerabilities. The only difference is that community-driven auditing competition platforms like Code4Rena allocate a fixed percentage (5% to 10%) of the prize pool to Lead Senior Auditor and Lead Judge because they actually assume the role of project managers in traditional auditing companies. On bug bounty platforms, the project party sometimes places project tokens as rewards. 3) Scope and focus: The project scope on bug bounty platforms is usually broad, while projects on auditing competitions usually have a more focused scope, targeting specific software functions or aspects, and requiring white hats to concentrate their efforts to complete the work in a shorter time.

How to build a hacker community? After observing different decentralized security communities and talking to some security entrepreneurs, we believe that all decentralized platforms are committed to building a healthier and more efficient communication and collaboration platform. A bounty platform is like a marketplace between hackers and projects. They need to consider the needs of hackers from their perspective while also considering the auditing quality that project parties care about.