In a bid to raise the stakes on its commitment to blue-ribbon security reviews, Hexens is launching a $10,000 white-hat appreciation award for the responsible disclosure of critical vulnerabilities discovered in bug bounty programs whose assets fall within a scope previously audited by Hexens.
On Jan. 5, Hexens CEO Sipan Vardanyan tweeted, “Code audited by Hexens has never been hacked. 0 incidents. Zero.”
Despite its provocative nature, Sipan’s statement was not meant to imply that code audited by Hexens is immune to hacks. Instead, it was designed as the first in a series of tweets attesting to Hexens’ holistic approach to securing its clients’ projects and to its promotion of a culture of sustained subscription to security services, as evidenced by Sipan’s subsequent posts.
Hexens went on to invite security experts in the space to find a critical vulnerability in any scope audited by the company for a chance at a $10,000 reward on top of the bug bounty paid out by the project.
By the end of the day, two security researchers came forward claiming to have discovered a critical vulnerability.
Upon careful inspection, Hexens’ team determined that the first bug did not meet the severity criteria established by the company. Furthermore, the protocol featuring the supposed flaw had since been deactivated and its bug bounty delisted from the relevant platform.
The second “critical” vulnerability was uncovered in a protocol vetted during a private audit conducted last year, not in a bug bounty program, which falls outside Hexens’ terms of competition. More importantly, neither of the reported bugs was critical in severity; both were rated high.
Despite both reports failing to meet Hexens’ criteria for the award, the company disbursed a payment of $5,000 to the hunters in the form of a “white-hat appreciation award” in recognition of their responsible disclosure of the bugs.
0x52, one of the hunters to catch a bug, later tweeted, “The team has been awesome and I have nothing but respect for them. Although the finding was out of scope I appreciate their award and wish them all the best!”
The contest is still ongoing.
Hexens’ introduction of the white-hat appreciation award represents a tectonic shift in client accountability and in the promotion of ethical hunting.
By putting a price on the quality of their work, auditing firms are prompted, in an industry first, to have “skin in the game”: to take responsibility for their potential shortcomings and to constantly strive for excellence in a field plagued by post-audit exploits and customer trust issues.
Hexens’ white-hat appreciation award is designed to further trust among its clients by inviting the best in the space to probe its reports, while pushing the company’s expert team higher up the learning curve through exposure to edge cases.
The award is in equal measure a symbol of Hexens’ lasting commitment to empowering ethical hunters by rewarding them for the time and effort they dedicate to shielding protocols and building a more secure and robust Web3 environment.
Acting in the spirit of innovation and disruption to better safeguard Web3, Hexens invites other players in the market to join the movement and to promote ethical behavior in the space.
A day after the announcement of the white-hat appreciation award, Hexens CEO Sipan Vardanyan wrote: “I acknowledge only the white of ethical pursuit or the void of malpractice.”
Dedicated to building a reputation among its clients and the wider community of security engineers, Hexens is making white-hat appreciation awards a permanent staple of its auditing process.
To set the record straight and avoid further confusion, a bug report must comply with the following rules to be eligible for a white-hat appreciation award.
Important notice: Hexens reserves the right to a final say on the severity of a bug. Should a bug fail to meet Hexens’ critical severity criteria, the company shall provide a report to the hunter to support its decision without compromising the hunter’s position with the project.
The white-hat appreciation award shall be paid to the security researcher, not the project.
To further promote a culture of responsible disclosure in Web3, Hexens stands ready to advocate your case with our clients should you find a critical bug that meets the above criteria without there being a bug bounty in place.
Hexens is preparing to shake up the space with a powerful new tool that boasts unmatched capabilities and promises to empower the community like never before.
Called Remedy, it’s designed as a Web3 security platform for white-hats, ecosystems, DeFi and other various blockchain applications.
The award currently applies to all bug bounties across the space; once Remedy goes live, Hexens plans to migrate the white-hat appreciation award to Remedy’s native bug bounty platform.
Apply for a closed beta at https://r.xyz/ and join the global effort to remediate Web3 with the ultimate security tool in the space.