Now that you’re armed with a bug bounty, you need to be armed with knowledge on operational security (opsec), so that you can run your bug bounty program safely and successfully.
Web3 projects are targets of increasingly sophisticated attack vectors, and not all of them target smart contracts directly. In fact, we’ve noticed that many of the top blackhats and blackhat groups are putting more emphasis on social engineering and phishing.
Sometimes, blackhats will use the fact that you have a bug bounty as a pretext to approach you and attempt to own your project. This is a guide of opsec best practices to keep you and your bug bounty program safe. Following this guide closely is the definition of taking security seriously.
A whitehat is an ethical security hacker/researcher. Whitehats show their dedication to ethics by adhering to the Immunefi Rules and responsibly disclosing bugs to bug bounty programs via Immunefi.
A blackhat is a malicious hacker that fails to follow the Immunefi Rules and reasonable standards of conduct. Blackhats generally do not use Immunefi. Instead, they attempt to threaten, extort, or exploit projects directly using smart contract bugs, phishing, malware, etc. for illicit financial gain or other unethical reasons. Sometimes, security researchers start out as whitehats on Immunefi, but then later start engaging in unethical behavior. Immunefi takes ethics violations seriously and will warn or permanently ban hackers for unethical behavior.
Here are some basic opsec best practices to follow, in order to keep yourself and your project secure:
For your bug bounty program
It’s important to understand the intention of the bug finder, avoid miscommunication, and be transparent. In many cases, issues arise because of a gap in communication and transparency during the process.
- Operate with suspicion, but treat good actions with trust. If a hacker is bringing you working knowledge of a vulnerability in your system via Immunefi, treat them well for being a whitehat. Your project and bug bounty program’s reputation and security will improve. If a hacker is only providing hints that they found a vulnerability, or not enough information to fix the problem, or is attempting to gain information or money from you, then they are acting unethically. You should alert us to any bad behavior by requesting help from Immunefi’s mediation team.
Managing your program
- Do not communicate outside of Immunefi with hackers who report bugs through Immunefi. All communication should take place via the Immunefi dashboard in order to protect projects from potential blackhats. Immunefi cannot provide assistance or support if we don’t have visibility into previous communication. Sometimes, blackhats posing as whitehats will communicate directly with projects in an attempt to threaten, gain sensitive information, send malicious files, etc. If a hacker tries to send you bugs directly, inform them that they need to submit the bug through the Immunefi dashboard and keep all communications there. You don’t know whether the bug submission is legitimate or not, and reports on Immunefi create a helpful paper trail.
- If you are contacted directly and you have a gut feeling it may be a malicious communication, make sure to note the username or ID of the person contacting you and make sure to take screenshots as the messages come in. Blackhats often delete threatening or malicious messages shortly after they send them.
- If an Immunefi employee contacts you via email, Telegram, Discord, or other means, you always have the right to verify that they are an Immunefi employee. See this page on how to verify Immunefi employees: https://immunefi.com/employee-verification/
- If you feel that you are being targeted in any way via your bug bounty program, contact Immunefi immediately via your client chat with us. We’ll assess the situation and make the appropriate recommendations.
For your business
Social engineering awareness
- Keep up to date on the latest hacks and infiltration attempts in the space, so you know what to look for. DarkReading is a good source. Attack attempts won’t be as simple as an obvious scammer sending you a weird, random email, asking you to click on a suspicious-looking link. Blackhats will always try to build a connection and a relationship with you, so that they have a pretext for sending you a link or some kind of file they want you to click on. Be wary of social engineering attempts that lead to phishing, rather than just direct phishing attempts out of the blue.
- Be aware that you may be targeted by sophisticated state-sponsored hacking groups, like the Lazarus Group run out of North Korea. These groups have serious time to put into social engineering and phishing attempts, so don’t assume that all hostile social engineering or phishing attempts on you or your project will be simple or obvious.
- Talk to your team members about social engineering and phishing scenarios as you hear about them in the news. Sharing information about novel social engineering and phishing attack vectors makes it less likely that one of your team members will fall victim to an attack. It is not enough that you are personally secure. Everyone on your team has to be secure.
- It’s important to remember that some social engineering may take place in the physical world as well. It does not take much personal information about you to find your physical location. Make sure that when you leave the house, your doors are locked and your devices are password-protected. If you would feel more comfortable with a home security system, purchase one.
Information security best practices
- Do not download and open PDF/Word/executable documents or files on your computer that are sent directly to you. Blackhats may be able to own your machine with a single click. You can preview PDF/Word documents safely in Gmail, or you can open them on a sandboxed virtual machine. If you’re suspicious of a particular file, you can upload it to VirusTotal for further analysis. When you download it in order to upload it to VirusTotal, do not even click on the file to preview it, as that could possibly result in a script being executed on your machine as well.
- If you open suspicious files, be ready to wipe your machine clean—and quickly. Regularly make full backups so you can restore your machine to an earlier state and have your sensitive, must-have files in an encrypted cloud backup or an encrypted external hard drive, so if you need to wipe your machine, you can do it quickly. Every 6 months, run an internal scenario drill where you or one of your team members has a compromised machine, and you need to lock it and/or wipe it clean.
- Use password managers to manage your logins, and separate your personal password manager from your work password manager.
- Be careful about using public wifi networks, and always use a VPN. With most VPN clients, you can change the settings so that if the VPN goes down, your traffic is blocked instead of automatically falling back to the regular wifi, whether your personal wifi or airport/coffee shop wifi. Consider running your own VPN using open source software on a private cloud server.
- If you’re running a project with a large amount of funds locked up in smart contracts, you must have separate work equipment firewalled from your personal equipment. Have a separate work phone and work computer, and watch out for contamination between work and personal devices.
- Check in with your team several times a year to make sure that everyone is following basic security practices laid out in this guide.
- Take this quiz from Google to see if you can spot phishing attempts.
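One way to act on the VirusTotal advice above without ever opening or previewing the file is to hash it and look the hash up, which VirusTotal supports alongside uploads. This is an added example, not Immunefi’s code; the script name and the `VT_API_KEY` environment variable are assumptions, while the v3 `files/{hash}` endpoint and `x-apikey` header are VirusTotal’s public API.

```python
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/"  # VirusTotal v3 lookup-by-hash endpoint


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string (used by the test harness)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks. Reading raw bytes never renders or executes the document."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def lookup_hash(sha256: str, api_key: str) -> Optional[dict]:
    """Ask VirusTotal for an existing report; None on HTTP 404 means nobody has submitted it."""
    req = urllib.request.Request(VT_FILE_URL + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarize_report(report: dict) -> dict:
    """Reduce a VT v3 file object to the engine counts that drive a go/no-go decision."""
    stats = report.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    malicious = int(stats.get("malicious", 0))
    suspicious = int(stats.get("suspicious", 0))
    return {"malicious": malicious, "suspicious": suspicious, "flagged": malicious + suspicious > 0}


if __name__ == "__main__":
    # Usage (assumed names): VT_API_KEY=... python vt_hash_check.py <downloaded file>
    digest = sha256_of_file(sys.argv[1])
    report = lookup_hash(digest, os.environ["VT_API_KEY"])
    if report is None:
        print(digest, "is unknown to VirusTotal; a miss is not a clean verdict, keep it sandboxed")
    else:
        print(digest, summarize_report(report))
```

A hash miss only means the exact file has not been seen before, so a targeted attachment can still be malicious; treat an unknown hash the same as a flagged one until it has been detonated in a sandboxed VM.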
A hacker who reported a bug via Immunefi failed to provide sufficient information in his submission and refused to provide more to the project upon request. Several days later, this hacker and a couple of his associates approached one of the project maintainers directly via Telegram and started threatening and attempting to extort him. The hacker also sent the project maintainer a PDF file, which the maintainer did not open. The maintainer engaged with the hacker for a bit, trying to reach a resolution, but then smartly reached out to Immunefi for help and shared screenshots and appropriate Telegram IDs. We investigated the situation, provided advice and recommendations for next steps, and permanently banned the blackhat from our platform.