Responsible Disclosure for Cryptocurrency Security
Stewart Baker discusses why the industry-norm responsible disclosure for software vulnerabilities fails for cryptocurrency software.
Why can’t the cryptocurrency industry solve the problem the way the software and hardware industries do, by patching and updating security as flaws are found? Two reasons: First, many customers don’t have an ongoing relationship with the hardware and software providers that protect their funds—nor do they have an incentive to update security on a regular basis. Turning to a new security provider or using updated software creates risks; leaving everything the way it was feels safer. So users won’t be rushing to pay for and install new security patches.
Second, cryptocurrency is famously and deliberately decentralized, anonymized, and low friction. That means that the company responsible for hardware or software security may have no way to identify who used its product, or to get the patch to those users. It also means that many wallets with security flaws will be publicly accessible, protected only by an elaborate password. Once word of the flaw leaks, the password can be reverse engineered by anyone, and the legitimate owners are likely to find themselves in a race to move their assets before the thieves do. Even in the software industry, hackers routinely reverse engineer Microsoft’s patches to find the security flaws they fix and then try to exploit them before the patches have been fully installed.
He doesn’t have any good ideas to fix this. I don’t either. Just add it to the pile of blockchain’s many problems.
Eric Michaud • September 9, 2022 9:09 AM
We’ve been discussing this exact problem with Stewart who is an advisor to my company Unciphered. https://www.unciphered.com/about-the-team
There have been developments in our vulnerability research where we are now trying to figure out how to responsibly disclose these exact problems that could cause an event just like the Solana hack for others: https://financialpost.com/fp-finance/cryptocurrency/hackers-steal-millions-from-solana-wallets-in-latest-hit-to-crypto
If it leaks early you would see more wallet thefts.
Hopefully we as an industry can find a path forward. Happy to chat with anyone who wants to help move this ball closer to the end zone and resolve this gap.
Anyone who wants to contact me directly: eric@ will work.