Darknet follows Google's bug bounty lead: But this cash is for flaws that expose shady traders

Now it's a darknet marketplace that hopes a bug bounty scheme can improve security for its clientele.
Written by Liam Tung, Contributing Writer

To keep its customers out of trouble, Hansa, a popular darknet marketplace for selling illicit goods, is following legitimate businesses by paying researchers for reporting security flaws.

It is one of many darknet marketplaces seeking to meet demand for anonymous trading once offered by fallen drugs bazaar Silk Road. With its buyers and sellers likely to be of interest to law-enforcement agencies as well as hackers, Hansa announced on Reddit last week that it had launched a bitcoin bug bounty to keep clients safe.

Bug bounties are gaining in popularity in the world of legitimate business as a means of improving product security.

Google has operated its bug bounties for six years, and more conventional organizations, including some automakers, airlines, and the US Department of Defense, are now using them to attract bug reports, often through bounty programs run by Bugcrowd and HackerOne.

For Hansa, being an arena where anonymity is prized and exposure can lead to jail time, the highest value rewards are for bugs that could result in users being identified.

Hansa's operators say they will offer 10BTC for any bugs that could "severely disrupt" Hansa's integrity in a way that would expose the IP address or personal information of a user or seller. After last month's spike in the value of bitcoin, this sum is greater than $10,000.

Less critical bugs are valued at 1BTC each, while simple "display bugs or unintended behavior" will earn researchers 0.05BTC.

CyberScoop, which first reported the new bug bounty, notes that Hansa is responsible for about $3m in trade. The hidden website launched the bounty following reports of a bug on AlphaBay, another post-Silk Road marketplace, that exposed private messages containing user names and delivery addresses. According to CyberScoop, Hansa has already received reports of non-critical bugs.

Despite Hansa's intention to improve its own measures, security and privacy researcher Sarah Jamie Lewis told CyberScoop that the bounty is unlikely to achieve much for darknet markets.

"The problems pervading onions [the nickname for websites accessed on the Tor network] are caused by bad assumptions at the software design level, the reliance on web technologies designed for an internet without consideration for privacy," Lewis said.

"Bug bounties are only a patch. What we really need are new privacy-oriented software stacks, servers, blog platforms."
