We came away from ETH Berlin with two overarching impressions: first, many developers were hungry for any guidance on security; and second, too few security firms were accessible to them.
When we began taking on blockchain security engagements in 2016, there were no tools engineered for the work. Useful documentation was hard to find and hidden among many bad recommendations.
We’re working to change that by: offering standing office hours, sharing our aggregation of the best Ethereum security references on the internet, and maintaining a list of contact information for bug reporting.
We want to support the community to produce more secure smart contracts and decentralized apps.
Ethereum security office hours
Once every other week, our engineers will host a one-hour video chat where we’ll take all comers and answer Ethereum security questions at no cost. We’ll help guide participants through using our suite of Ethereum security tools and reference the essential knowledge and resources that people need to know.
Office hours will be at noon Eastern Standard Time (GMT-5) on the first and third Tuesdays of the month. Subscribe to our Ethereum Security Events calendar for notifications about new sessions. We’ll also post a sign-up form on our Twitter and the Empire Hacking Slack one day ahead of time to solicit topics to cover.
Crowdsourced blockchain security contacts
It’s a little ironic, but most security researchers have struggled to report vulnerabilities. Sometimes, the reporting process itself puts unnecessary burden on the reporter. The interface may not support the reporter’s language. Or, as Project Zero’s Natalie Silvanovich recently shared, it may come down to legalities:
“When software vendors start [bug bounties], they often remove existing mechanisms for reporting vulnerabilities…” and “…without providing an alternative for vulnerability reporters who don’t agree or don’t want to participate in [a rewards] program for whatever reason.”
We routinely identify previously unknown flaws in smart contracts, decentralized applications, and blockchain software clients. In many cases, it has been difficult or impossible to track down contact information for anyone responsible. When that happens, we have to leave the vulnerability unreported and simply hope that no one malicious discovers it.
This is not ideal, so we decided to do something about it. We are crowdsourcing a directory of security contacts for blockchain companies. This directory, Blockchain Security Contacts, identifies the best way to contact an organization’s security team so that you can report vulnerabilities directly to those who can resolve them.
If you work on a security team at a blockchain company, please add yourself to the directory!
Security contact guidance
The directory is just the first step. Even with the best of intentions, many companies rush into bug bounties without fully thinking through the legal and operational ramifications. They need guidance for engaging with security researchers most effectively.
At a minimum, we recommend:
- Setting up a security@ email address that delivers directly to your security team.
- Following this brief Guide to setting up a Vulnerability Disclosure Program.
- Adopting disclose.io’s best practices around safe harbor for good-faith security research.
Ethereum security references
Over the course of our work in blockchain security, we’ve curated the best community-maintained and open-source Ethereum security references on the internet. These are the references we rely on the most, and the resources that every team developing a decentralized application needs to know about, including:
- Resources for secure development, CTFs & wargames, and even specific podcast episodes
- Security tools for visualization, linting, bug finding, verification, and reversing
- Pointers to related communities
This is a community resource we want to grow as the community does. We’re committed to keeping it up to date.
With that all said, please contact us if you’d like help securing your blockchain software.