At Cobalt, we’re constantly thinking about how we can take application security to the next level. Today, we’re excited to launch Capture the Coin (#CTC), a contest that will allow us to experiment with a bitcoin bounties hidden within the Cobalt platform.
What is Capture the Coin?
Our Capture the Coin contest is a challenge similar to traditional Capture the Flag contests within the security community. Instead of capturing a flag, however, participants can capture bitcoin private keys hidden in parts of our web application that are inaccessible to regular users.
Anyone who finds a key can claim the bitcoin as a reward.
As part of our contest, we have created three bitcoin addresses and deposited rewards of 1.5 BTC, 1.0 BTC and 0.5 BTC respectively.
Nakamoto Reward, 1500 mBTC 1BreFzzWCYmfzHuUoKEMtwKxZMC8EwGX27 This reward is hidden in vulnerability #CC1_90, which was submitted against Cobalt’s own bug bounty program.
Dorian Reward, 1000 mBTC 1DBydAEMcDXz4n4W4dknuGqedBhrYc5MR3 This reward is hidden in the Capture the Coin reward program, which can be found under CTC_Business. If you manage to gain access to this private, invite-only reward program you will discover the bitcoin key here.
Scytale Reward, 500 mBTC 1KqJXTjkaBVY9Nkhbo7Qht2vkP7MpohZuf This reward is hidden in the address section of CTC_Tester. Address information is not visible to other users, but if you are able to find it, you can redeem 500 mBTC.
Experimenting with Bug Bounties
Because of its flexibility as a technology protocol, bitcoin enables us to experiment with monetary rewards in new ways like allowing us to build rewards directly into our website. To detect intrusion, we can set up automatic notifications when we see movements on specific bitcoin addresses, thereby building a monetary layered intrusion detection system.
For security researchers, a few of the advantages of hunting bitcoin private keys are that:
testers are rewarded immediately with minimal fees,
and testers do not have to wait for a third party to validate a bug report before claiming the reward.
If you are a security researcher who captures the coin, please let us know! We would love to recognize your efforts, and learn how you did it. If you participate in Capture the Coin and find any other vulnerabilities in the Cobalt platform, please submit those through our regular bug bounty program.
Go Capture the Coin!