The Libra Association is opening up its Bug Bounty program to the public, asking security researchers across the globe to “dig deep” and “find even the most subtle bugs” within the Libra blockchain.
In a post on the official Libra blog on Tuesday, Head of Developer Ecosystem Michael Engle emphasizes that it is more important than ever to find issues while Libra is in its testnet phase and “no real money is in circulation.”
To back this up, the Libra Association is offering up to US$10,000 [AU$14,845] to those who find “the most critical issues.”
What to focus on
According to Libra’s HackerOne page, the most critical issues to protect against are:
- Transactions Tampering
- Block Tampering
- Validator Compromise
- Denial of Service
- Double Spending
The Libra testnet will run Libra Core – the technology behind the cryptocurrency itself.
It is currently powered by “test validator nodes” that will maintain the asset in the future, but for now it uses a currency that has no value.
From bugs to dollars
As of this writing, only one user, “michaelx”, has earned a bounty, for $1,500. That amount falls under Libra’s “Medium” severity category – one of four tiers total in the program.
The first tier is “Low,” which pays out $500. These bugs could be a simple vulnerability in the Libra network or wallet.
The aforementioned “Medium” tier pays out $1,500 and could consist of authentication issues or vulnerabilities a little more severe than the previous tier.
The “High” tier could be a bug that causes a system crash or significant performance hit and pays $5,000 per find.
Finally, we have the “Critical” tier, which pays out $10,000. This tier consists of any bugs that could allow fraud or the alteration of smart contracts, among other severe vulnerabilities.
Libra’s public expansion
Of course, this isn’t Libra’s first bug bounty test run. In June of this year, the company opened up its testnet and 50 blockchain security experts were brought in to analyze the platform and stabilize it before opening things up to the public.
Libra and its wallet companion, Calibra, aren’t set for release until at least 2020. But, thanks to growing concerns from the United States Congress and countries around the world – and Facebook’s own less-than-stellar track record with data privacy – the Libra Association is paying very strict attention to its privacy and security measures.
In a statement shared with VentureBeat, the Libra Association’s head of policy and communications, Dante Disparte, spoke about the bug bounty program:
“We are launching this bug bounty now, well before the Libra Blockchain is live. Our hope is that people around the world can turn to Libra for their everyday financial needs, so the infrastructure must be dependable and safe,” he said.
“It’s important to note that the Libra Blockchain remains in testnet, which is an early-stage version of the code that is far from final.
“We remain committed to taking the time to get this right, and we will not launch the Libra Blockchain until regulatory concerns have been taken into account and required regulatory approvals have been received.”