PS Coin, a bitcoin exchange that seeks to incentivize positive behavior among traders, believes it has made its mark in challenging cryptocurrency researchers to win bounties for finding holes in its security.
The exchange on Friday reported a massive spike in security bounty attempts but not a lot of bounties. After issuing its security bounty challenge in early February, the site initially averaged one to two reports per day. This past week, activity spiked. There were 11 reports Wednesday, 32 Thursday, and on Friday there was one report per minute.
Daniel Pusateri, a co-founder of PS Coin, told CCN.com Friday that he is not sure why the activity has spiked but suspects that it has grabbed a lot of attention in the cryptocurrency researcher community.
“We have suspected that PS Coin might be listed in the deep web (not ‘dark’) somewhere at this point, such as perhaps on a hacker or security researcher forum that we can’t openly see using Google,” Pusateri told CCN.com. “It may even be just some social networking in closed Facebook groups. I truly do not know at this point, but I have a sense that there is probably a hidden security researcher community or communities, online somewhere, and we must have stirred up the hornet’s nest a bit.”
PS Coin rewards any party that reports a previously undiscovered, sufficiently significant security issue or vulnerability. PS Coin determines the reward based on the significance of the issue or vulnerability found. As of Friday, the PS Coin website listed seven bounty winners and a total of 1.67 BTC awarded. The individual rewards range from 0.05 BTC to 1.06 BTC. The 1.07 reward is for a CSRF vulnerability.
Any security issue or vulnerability that has the potential for either financial loss or the breach of data can qualify for a bounty, including, but not limited to:
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Authentication bypass or privilege escalation
• Clickjacking
• Remote code execution
• Obtaining user information
Pusateri said PS Coin allowed players on the Dragon’s Tale bitcoin gaming site to request an invite the day before accepting security tests. PS Coin also posted the information on various forums the day before security tests began.
PS Coin’s website has a “bounties” page with a colorful “wanted” poster showing a caricature of a bug offering a 2.0 BTC reward. The amount of the bounties can be above or below 2.0 BTC, Pusateri said.
“I think it’s becoming a competitive/bragging factor now, but it’s also both a badge of honor and something they can put on their resumes because of the difficulty involved in claiming a PS Coin bounty,” Pusateri said.
He noted the following quotes from two researchers who sought a listing on the bounty winners list:
• “I’m feeling it to be a real honor to be in your hall of fame.”
• “So can I see my name at your security hall of fame page for this find? It really helps me and my career much.” This person did not meet the requirements to be listed, but was given a small bounty for the creativity of sending a photo of himself and his puppy into PS Coin’s encrypted verification system.
About a quarter of the researchers make two attempts to find security issues. “The emails we receive are often thousands of words long and we receive a lot of videos, too, so I think they consciously decide ahead of time that ‘I’m only going to invest this much time to see if I can claim a bounty.’ In a way, I think it’s gambling time for them.”
Pusateri said the security bounty has helped PS Coin’s reputation. “We are very serious about security. We started development of PS Coin in late 2013 and have put an enormous amount of focus, energy and resources into just security implementations for PS Coin. We absolutely believe that we are the most secure exchange online today.”
PS Coin’s website explains that it uses a decentralized two-factor security system called PS Key. According to the site, the system uses no shared secrets, unlike standard RFC 4226 (HOTP) and RFC 6238 (TOTP) two-factor implementations, and its cryptography is 1.2 × 10^70 times stronger.
Users have full control over their two-factor security keys and can disable or change them at will independent of any applications, websites, or services that the keys are protecting. The same keys can be safely used to protect multiple services.
Images from Shutterstock and PS Coin.