January 15, 2024


In a bid to raise the stakes on its commitment to blue-ribbon security reviews, Hexens is launching a $10,000 white-hat appreciation award for the responsible disclosure of critical vulnerabilities discovered in bug bounty programs with assets in the same scope as those formerly audited by Hexens.

The Backstory

On Jan. 5, Hexens CEO Sipan Vardanyan tweeted, “Code audited by Hexens never have been hacked. 0 incidents. Zero.”

Despite its provocative nature, Sipan’s statement was not meant to imply that code audited by Hexens is immune to hacks. Instead, it was designed as the first in a series of tweets attesting to Hexens’ holistic approach to securing its clients’ projects, and to its promotion of a culture of sustained subscription to security services, as evidenced by Sipan’s subsequent posts.

Hexens went on to invite security experts in the space to find a critical vulnerability in any scope audited by the company for a chance at a $10,000 reward on top of the bug bounty paid out by the project.

By the end of the day, two security researchers came forward claiming to have discovered a critical vulnerability.

Upon careful inspection, Hexens’ team determined that the first bug did not meet the severity criteria established by the company. Furthermore, the protocol featuring the supposed flaw had been subsequently deactivated and the bug bounty delisted from the relevant platform.

The second “critical” vulnerability was uncovered in a protocol vetted in the context of a private audit conducted last year, not a bug bounty, which deviates from Hexens’ terms of competition. More importantly, none of the reported bugs was of a critical nature, only high.

Despite both reports failing to meet Hexens’ criteria for the award, the company disbursed a payment of $5,000 to the hunters in the form of a “white-hat appreciation award” in recognition of their responsible disclosure of the bugs.

0x52, one of the hunters to catch a bug, later tweeted, “The team has been awesome and I have nothing but respect for them. Although the finding was out of scope I appreciate their award and wish them all the best!”

The contest is still ongoing.

A Forever Commitment to Clients and Ethical Hackers

Hexens’ introduction of the concept of a white-hat appreciation award represents a tectonic shift in client accountability and the promotion of ethical hunting.

By putting a price on the quality of their work, auditing firms are prompted, in an industry first, to have “skin in the game” by taking responsibility for their potential shortcomings and to constantly strive for excellence in a field plagued by post-audit exploits and customer trust issues.

Hexens’ white-hat appreciation award is designed to further trust among its clients by inviting the best in the space to probe its reports, while pushing the company’s expert team higher up the learning curve through exposure to edge cases.

The award is in equal measure a symbol of Hexens’ forever commitment to empowering ethical hunters by rewarding them for the time and effort dedicated towards shielding protocols and building a more secure and robust Web3 environment.

Acting in the spirit of innovation and disruption to better safeguard Web3, Hexens invites other players in the market to join the movement and to promote ethical behavior in the space.

A day after the announcement of the white-hat appreciation award, Hexens CEO Sipan Vardanyan wrote: “I acknowledge only the white of ethical pursuit or the void of malpractice.”

Dedicated to building a reputation among its clients and the wider community of security engineers, Hexens is making white-hat appreciation awards a permanent staple of its auditing process.

Setting Criteria for the White-Hat Appreciation Award

To set the record straight and avoid further confusion, all bug reports must be aligned with the following rules to be eligible for a white-hat appreciation award.

  1. The critical vulnerability, defined as a vulnerability conducive to a major loss or permanent freeze of funds, must be identified in the same scope as the Hexens audit.
  2. The scope must be listed as a bug bounty program on a bug bounty platform or the project domain.
  3. The report must be confirmed to be valid by the project and cannot be a duplicate of a former report.
  4. The bug bounty report must be submitted on January 1, 2024 or later.
  5. Hexens must receive a copy of the report and the proof of concept (PoC).
  6. Hexens must recognize the bug as critical.
  7. The security researcher must agree to submit to a Know Your Customer (KYC) check.
  8. The project must be active at the time of submission of the report. For the avoidance of doubt, a project is defined as active when its main functionality is operational and no official statements announcing a freeze on its activities have been issued.
  9. The total value locked (TVL) of the project’s assets must equal or exceed $20,000.
  10. The project payout for the bug bounty must be no less than $20,000.

Important notice: Hexens reserves the right to a final say on the severity of a bug. Should a bug fail to meet Hexens’ critical severity criteria, the company shall provide a report to the hunter to support its decision without compromising the hunter’s position with the project.

The white-hat appreciation award shall be paid to the security researcher, not the project.

To further promote a culture of responsible disclosure in Web3, Hexens stands ready to advocate your case with our clients should you find a critical bug that meets the above criteria without there being a bug bounty in place.

To report a critical bug and try your hand at claiming your appreciation award, drop us a message at hexens.io or on X at @hexensio.

Remedy by Hexens

Hexens is preparing to shake up the space with a powerful new tool that boasts unmatched capabilities and promises to empower the community like never before.

Called Remedy, it’s designed as a Web3 security platform for white-hats, ecosystems, DeFi and various other blockchain applications.

The white-hat appreciation award currently applies to all bug bounties across the space. Hexens plans to migrate it to its native bug bounty platform on Remedy once it goes live.

Apply for a closed beta at https://r.xyz/ and join the global effort to remediate Web3 with the ultimate security tool in the space.