
Eliminating Triage Intermediaries for Zero-day Exploits Using a Decentralised Payout Protocol

Conference: Black Hat USA 2022

2022-08-11

Summary

Presentation of the True SEC protocol for cybersecurity, which allows for collective staking and a quantifiable demonstration of security against zero-day exploits. The protocol was developed by a student team who wanted to set programming bounties without intermediaries.
  • True SEC is a cybersecurity variant of the True Call protocol, which allows for programming bounties without intermediaries.
  • Zero-day exploits translate well to smart contracts, and intermediaries exist in both the bug bounty and programming bounty spaces.
  • Collective staking leads to collective security and a quantifiable demonstration of security against zero-day exploits.
  • Companies stake security bounties into a smart contract, which controls a decentralized virtual machine containing a software stack and a secret vulnerability.
  • Ethical hackers scan the blockchain for vulnerabilities and can earn payouts for identifying and reporting them.
  • The protocol allows for iterative patching and redeployment of software stacks.
  • Future plans include seeking input from the cybersecurity community, attracting expertise on decentralized virtual machines, selecting platforms on which to build the protocol, raising funds, and undergoing a security audit.
  • Acknowledgments are given to those who provided guidance and advice during the early stages of protocol development.

Abstract

We present a protocol that collectivises security bounties for deterministically verifiable zero-day exploits. It enables companies to show customers how secure their software is, in terms of dollars staked on their open-source software stack. It also helps ethical hackers retrieve their bounties without ambiguity. The subjectivity and manual labour of triage processes are eliminated for these exploits. The protocol enables companies and users (stakeholders) to pool bounties on open-source security stacks in decentralised virtual machines (DVMs) containing read and/or write secrets. Stakeholders specify minimum responsible disclosure durations and a public key. Next, ethical hackers can submit an attack to such a DVM by storing it in a decentralised encrypted locker (DEL) and notifying the DVM of its presence. Once the stakeholders see this notification (as does the rest of the world), they can use their private key to retrieve the attack from the DEL before anyone else can. For each bounty placed on the DVM, a call is made to the DEL just before the end of the accompanying responsible disclosure time. This call verifies that the attack is still encrypted. After the respective responsible disclosure periods have passed, the DEL is decrypted and the attack is executed. Successful attacks compromise the DVM read/write secret, triggering the bounty hunter payout. This protocol enables ethical hackers to know, before starting work on their exploit, when they will retrieve a payout and how large that payout will be for publishing their exploit, in a winner-take-all market. At the same time, it allows small companies to stake money on open-source security alongside industry giants. This provides transparent insight into economically rational hackers in the open-source software zero-day exploit segment of the cyber-security market. The accompanying whitepaper presents more details: https://github.com/trusec
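The payout timeline the abstract describes (pooled stakes with per-staker disclosure periods, a sealed attack submission, a commitment check before decryption, execution against the deployed stack, and a winner-take-all payout that a patch-and-redeploy can pre-empt) as a constructed toy model. This is an added illustration, not the True SEC code: the DEL is modelled as a hash commitment over opaque payload bytes rather than real encryption, and an "attack" succeeds only if it names the currently deployed stack version.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Bounty:
    staker: str
    amount: int
    disclosure_days: int        # stakeholder's minimum responsible disclosure duration


@dataclass
class Locker:                   # stands in for the decentralised encrypted locker (DEL)
    commitment: str             # sha256 over the sealed payload, checked before "decryption"
    sealed: bytes               # opaque until reveal; no real encryption in this toy
    submitted_day: int


class TrueSecDVM:
    """One staked software stack; 'version' is the only property an attack targets."""

    def __init__(self, version: str, secret: str):
        self.version, self.secret = version, secret
        self.bounties: list[Bounty] = []
        self.locker: Locker | None = None

    def stake(self, staker: str, amount: int, disclosure_days: int) -> None:
        self.bounties.append(Bounty(staker, amount, disclosure_days))

    def pool(self) -> int:
        return sum(b.amount for b in self.bounties)

    def notify(self, attack: bytes, day: int) -> None:
        """Hacker stores the attack in the locker and notifies the DVM."""
        self.locker = Locker(hashlib.sha256(attack).hexdigest(), attack, day)

    def redeploy(self, version: str, secret: str) -> None:
        self.version, self.secret = version, secret    # iterative patching

    def reveal_day(self) -> int:
        """Decryption waits for the longest responsible disclosure period."""
        return self.locker.submitted_day + max(b.disclosure_days for b in self.bounties)

    def settle(self, day: int) -> int:
        """Payout to the hacker: 0 if too early, payload tampered, or attack fails."""
        lk = self.locker
        if lk is None or day < self.reveal_day():
            return 0
        if hashlib.sha256(lk.sealed).hexdigest() != lk.commitment:
            return 0                                   # locker contents changed
        target = lk.sealed.decode().removeprefix("exploit:version=")
        return self.pool() if target == self.version else 0   # winner takes the pool
```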
