TY - JOUR
T1 - Responsible vulnerability disclosure in cryptocurrencies
AU - Böhme, Rainer
AU - Eckey, Lisa
AU - Moore, Tyler
AU - Narula, Neha
AU - Ruffing, Tim
AU - Zohar, Aviv
N1 - Funding Information: This work is partially funded by: Archimedes Privatstiftung, Innsbruck, U.S. National Science Foundation Award No. 1714291, ISF grant 1504/17, HUJI Cyber Security Research Center Grant, DFG grants FA 1320/1-1 (Emmy Noether Program) and SFB 1119 – 236615297 (Crossing), and BMBF grant 16KIS0902 (iBlockchain).
PY - 2020/9/23
Y1 - 2020/9/23
N2 - Despite the focus on operating in adversarial environments, cryptocurrencies have suffered several security and privacy problems. In this article, researchers focus on the disclosure process itself, which presents unique challenges compared to other software projects. They examine some recent disclosures and discuss difficulties that have arisen. Cryptocurrency software is complex and vulnerabilities can be readily, and anonymously, monetized. Responsible vulnerability disclosure in cryptocurrencies is challenging as decentralized systems, by design, give no single party authority to push code updates. This review of case studies informs recommendations for preventing catastrophic cryptocurrency failures. Design decisions such as which protocol to implement or how to fix a vulnerability, must get support from most stakeholders to take effect.
AB - Despite the focus on operating in adversarial environments, cryptocurrencies have suffered several security and privacy problems. In this article, researchers focus on the disclosure process itself, which presents unique challenges compared to other software projects. They examine some recent disclosures and discuss difficulties that have arisen. Cryptocurrency software is complex and vulnerabilities can be readily, and anonymously, monetized. Responsible vulnerability disclosure in cryptocurrencies is challenging as decentralized systems, by design, give no single party authority to push code updates. This review of case studies informs recommendations for preventing catastrophic cryptocurrency failures. Design decisions such as which protocol to implement or how to fix a vulnerability, must get support from most stakeholders to take effect.
UR - http://www.scopus.com/inward/record.url?scp=85091988732&partnerID=8YFLogxK
U2 - https://doi.org/10.1145/3372115
DO - https://doi.org/10.1145/3372115
M3 - Review article
SN - 0001-0782
VL - 63
SP - 62
EP - 71
JO - Communications of the ACM
JF - Communications of the ACM
IS - 10
ER -