Category: Telegram

Buy, Sell, Trade Bitcoin with Credit Card & 100+ Cryptocurrencies @ BEST rates from multiple sources, Wallet-to-Wallet, Non-Custodial!

Telegram’s TON Launch and Token Distribution — All the Details to Date

TON was hurtling toward public release until the SEC stopped it dead in its tracks. Here is everything known about the project so far. In just the last few months, the entire landscape of the crypto industry has changed. Innovation once came from within, with a number of early influencers earning god-like status among the…
Read more

Telegram Bombshell, Zuckerberg to Testify, Ripple Row: Hodler’s Digest, Oct 7–13

The SEC halts Telegram’s $1.7 billion token offering in a massive setback for TON, and Mark Zuckerberg is going to testify in front of Congress. Coming every Sunday, Hodler’s Digest will help you track every single important news story that happened this week. The best (and worst) quotes, adoption and regulation highlights, leading coins, predictions…
Read more

Telegram Responds to Investors on SEC Action, Hearing Set for Oct. 24

Telegram does not agree with the SEC’s recent action and claims it has been trying to solicit feedback from the agency for the past 18 months. Telegram Open Network (TON) developers responded to its investors after American regulators abruptly announced that its $1.7 billion token sale was illegal. No clear feedback from SEC for 18…
Read more

Telegram’s TON Board ‘Takes a Break,’ Removes All History From Channel

Private Telegram Open Network channel TON Board announces a temporary halt and removed all previous posts. Following a recent red flag from United States. regulators, a private Telegram channel for Telegram Open Network (TON) is taking a break. Temporary halt for more clarity On Oct. 12, TON Board channel on Telegram announced a temporary halt…
Read more

US SEC Halts TON Launch Over $1.7B ICO — Highest-Level Action Yet?

The SEC is suing Telegram over the $1.7 billion ICO, is it the mark a new wave of regulatory scrutiny on the U.S. market? Late Friday, the United States Securities and Exchange Commission (SEC) announced that it is suing two offshore entities, Telegram and its wholly owned subsidiary, TON Issuer, for holding an unregistered token…
Read more

Breaking: US SEC Deems $1.7 Billion Telegram Offering Illegal, Orders Halt

The U.S. SEC announces an emergency action against Telegram’s initial token offering, which has already raised over $1.7 billion. The United States Securities and Exchange Commission (SEC) has announced that Telegram and the forthcoming GRM token constitute an unregistered digital token offering. Per an Oct. 11 press release, the SEC has filed an emergency action…
Read more

Decentralized Communication Startup New Vector Raises $8.5M

British decentralized communication startup New Vector has raised $8.5 million to promote an alternative messaging protocol. London-based decentralized communication startup New Vector has raised $8.5 million to drive adoption for Matrix, a major alternative messaging protocol. Slack rival Riot.IM The Matrix protocol, which enables secure communication via end-to-end encrypted messaging applications such as Riot.IM, an…
Read more

TON’s Value to Surpass $20B Over 5 Years, Says New Research

Telegram Open Network’s value is expected to surpass $20 billion over a five-year horizon, according to Decentral Park Capital’s research. Telegram Open Network’s (TON) value is expected to surpass $20 billion over a five-year horizon, according to a new research by New York-based blockchain venture and digital assets fund Decentral Park Capital. “A sleeping giant…
Read more

Anchorage Becomes First Qualified Gram Custodian Ahead of Oct. 31 Launch

Anchorage Trust Company, a wholly-owned subsidiary of California-based Anchor Labs, states that it became the first qualified custodian of Telegram’s Gram token. Digital asset custodian of software firm Anchor Labs has stated that it became the first entity qualified to support institutional custody for Telegram’s Gram (GRM) token. Gram to launch on Oct. 31 Anchorage…
Read more

Bug Bounties in Crypto — the Best Way to Ensure Platform Safety?

Hacker bounties: Who are the biggest spenders, why companies need them, and are they really needed?

Crypto companies often find out the hard way that hackers know their security systems better than they do. As hacks in the crypto world can and often do result in hundreds of millions of dollars worth of tokens being stolen, the fate of a company’s future can often ride on its security measures. In an effort to batten down the hatches, companies offer bug bounties. 

These bounties are essentially competitions in which hackers are encouraged to try to compromise software. The hackers then submit a vulnerability report to the respective companies so that they are able to patch the bugs before they are exploited. As a reward, successful hackers are paid a bounty. 

Most companies offer bounties on a staggered scale, with the reward price corresponding to the severity of the bug. Bounties start from around $50 to $100 for low-level fixes and are usually capped at around $10,000 for critical bugs. In a few rare cases, hackers have been awarded more. 

Katie Moussouris, founder and CEO of Luta Security, who launched both Microsoft and the Pentagon’s first bug bounties, explained to Cointelegraph how the bug reward schemes can be of use: 

“Bug bounties are most useful and efficient as a supplement to proactive security activities focused on preventing and detecting vulnerabilities inside organizations first. Once organizations have established good security practices, bug bounties can help identify security bugs that organizations missed. Bug bounties on their own aren’t enough.”

Most companies that develop software have bug bounties. In the crypto world, the need for such programs is equally important, regardless of company size. According to a report conducted by HackerOne, companies paid out $878,000 in bug bounties in 2018. Guido Vranken, a Dutch researcher who received a $120,000 payout from EOS after discovering 12 bugs within seven days, told Cointelegraph that the stakes are high for crypto companies: 

“For a global digital currency there’s arguably a lot more at stake than many other projects or websites. Theft of assets is the most tangible example, but due the synergy between publicity and exchange rates, net losses might also result from a widely publicized vulnerability.”

One of the most recent bug bounties comes from the global messaging app Telegram. Announced on its Telegram Contests channel on Sept. 24, the company is calling for developers to exploit the TON blockchain and submit a vulnerability report. 

If hackers can exploit a bug in the TON blockchain to the extent that they are able to steal funds from the wallet of another user, Telegram will pay out up to $200,000, a sum that matches Augur’s critical issue bounty as one of the largest rewards in crypto history. The contest is taking place against the backdrop of the hotly anticipated launch of Telegram’s native digital token, Gram, in late October. 

EOS takes the top spot

Although it’s tempting to think that smaller, newer companies may be the most active in providing bug bounties, Block.one, the company behind EOS, took the top spot in 2018 for bounty rewards with $534,500, paying out 60% of all bounties that year, according to a report.

According to the EOS profile on HackerOne, the company will pay a maximum of $1,000 for a low-risk report and a maximum of $10,000 for a critical report. The profile also notes that the final amount is always decided at the discretion of a reward panel, with higher rewards given to exceptional vulnerabilities. 

EOS bounty guidelines

Following the launch of the EOS bounty program in May 2018, Vranken explained how the company had tightened up its approach to security in the wake of his discoveries: 

“Reported bugs were quickly analyzed and fixed in their public repository. At first the process was very ad-hoc because [EOS CTO] Daniel Larimer and I were sending files back and forth on Telegram, but they’ve since started to run a bug bounty program on HackerOne which I think is in the best interest of both bug finders and the EOS team.”

EOS has continued to pay out rewards to hackers in 2019, handing out bug bounties for five critical vulnerabilities so far. On Jan. 10, EOS awarded a total of $40,750 to five white hat hackers through HackerOne, with another researcher receiving a further $10,000 bounty. 

Coinbase is the second-biggest spender 

One of the world’s largest cryptocurrency exchanges, Coinbase, is the second-largest spender on bounties, allocating a total of $290,381 in 2018. The company has experienced a number of high-profile issues since experiencing a significant increase of users in mid-2017, resulting in delayed or missing funds as well as service blackouts. 

The company gave out a further $30,000 in rewards in February 2019 for reporting a critical bug, according to Coinbase’s vulnerability disclosure program. At the time, the bug earned the largest-ever reward on the platform, although the details of the bug were not made public. Coinbase operates a four-tier bounty program in which it will pay $200 for a low-risk case, $2,000 for a midlevel issue and up to $50,000 for critical bugs.

According to Coinbase’s HackerOne profile, a critical impact exploitation comprises a situation in which attackers “can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.”

Related: Monero Reports on Resolving Fake XMR Minting Bugs a Month After Fix

The company also laid out its guidelines for assessing low-impact issues: “Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of system.”

With regard to fixing reported issues, the company has a history of being slow on the uptake. After a Dutch company discovered a smart-contract glitch that allowed users to steal “as much as they want” in Ethereum (ETH), Coinbase reportedly took a month to fix it. Coinbase paid out a $10,000 reward to the company behind the discovery. 

Tron comes in third

The Tron Foundation, which is behind the TRX coin, was the third-largest spender on bug bounties, totalling $78,800 for 15 reports. As of now, the company has paid a total of $85,400 in bounties, with its highest, at $10,000, going to HackerOne user nu11pe for an undisclosed report. 

The company’s bounty program will pay $100 for a low-risk vulnerability, $3,000 for medium-risk, $6,000 for high-risk and up to $10,000 for critical issues. Tron’s HackerOne profile describes critical faults as “bugs which can take control of java-tron nodes by remote execution of any code,” as well as those that can cause private key leakage. 

In May, the company disclosed a critical vulnerability that could have brought down its blockchain. The announcement on HackerOne states that an attacker could have engulfed all available memory though a distributed denial of service, or DDoS, attack on the TRX network by implementing malicious code in a smart contract

The company added that one individual could carry out the DDoS attack using a single machine to attack all or 51% of the senior node, thereby rendering the network unusable. Although the bug was reported on Jan. 14, it was only publicly announced after it had already been fixed. The researcher behind the vulnerability was awarded $1,500. 

Bug bounties are not a perfect system

While bug bounty programs clearly create a healthy environment in which companies reward ethical hacks on their systems, the concept is not without its critics. Most recently, prominent crypto figure Dovey Wan criticized Telegram’s decision to open up development on its smart contract. Wan appeared to criticize the event as an example of the company failing to reinvest in its software development processes, saying:

“Sorry but a project raised over a billion, with over 500mm users can’t even properly make a reasonable block explorer? I have to doubt what’s the priority level of this TON network within Telegram’s team and how they will use their mega treasure on crypto-related stuff.” 

Luta Security CEO Katie Moussouris told Cointelegraph that although bug bounties are effective for pointing out important loopholes in existing security structures, they are no replacement for having a dedicated security process in place: 

“Companies can’t use bug bounties as a cheap alternative for due diligence in security. Simply asking strangers to point out flaws without having the capacity to fix them is one way overusing bug bounties can quickly overwhelm organizations.”

Vranken outlined his view to Cointelegraph that, based on his experience as a researcher, a crypto company with a bug bounty program indicates that the company can be trusted: 

“I’d sooner trust a cryptocurrency project that has a properly operating bounty program in place than one that doesn’t. This stance is shaped by my experience as a researcher and my awareness of the fact that even widely used software is not necessarily undergirded by serious scrutiny of its code without a proper incentive.” 

Vranken went on to add that it is extremely difficult to build software without bugs, no matter the level of talent or amount of money put forward:

“If nothing else, a bug bounty program establishes a formal channel for reporting bugs and signals non-hostility towards researchers by vowing to appreciate their work (through financial compensation).”

The current bug bounty system relies on hackers acting responsibly, either out of moral inclination or by the rewards offered. While it may seem feasible that hackers could hold out for more money than advertised in the scheme or sell details of the flaw to competitors, Moussouris said that the demand for such information is not as high as many perceive: 

“There are not infinite bug buyers waiting to buy up every bug — that’s a common myth. However, in cryptocurrency, there are likely more buyers for bugs than in other areas. That being said, if bug hunters prioritize profits, they may very well choose to exploit rather than sell the bugs they find in cryptocurrency, for more direct profit.” 

Although the rewards advertised by both cryptocurrency and software companies around the world may give the impression that bug bounty hunting can offer a lucrative career, the reality is that competition is high and access is not evenly divided. Moussouris explained to Cointelegraph that those who are invited to private bug bounties often have a competitive edge: 

“It is usually a lot of work that goes uncompensated, especially if the types of bugs the hunter knows how to find are relatively common classes of bugs. Only the first person to report a particular vulnerability gets paid, so bug bounty hunters who are the most successful tend to be the ones who are invited to private bug bounties with fewer competitors.”

For Vranken, bug bounty hunting is a mixed bag, as the reward does not always match up to the time put into a project: 

“Compared to contractual work which stipulates effort and reward in advance, bug bounties can be elating (when you come upon a trove of bugs that gets rewarded profoundly) or frustrating (spending a lot of time on something without achieving results, or receiving a lower reward than you expected).”