After more than two months in beta testing with 50 security researchers and blockchain experts, the Libra Bug Bounty Program is now open to the public, the Libra Association announced today. The association is inviting security researchers around the world to uncover bugs and vulnerabilities in the open-source Libra Core code, which still runs only as an early-stage test network, the testnet.
The premise of Libra is to trade away the decentralization that is the traditional benefit of blockchain technology in exchange for faster transactions, with the goal of moving Libra nearly instantaneously between digital wallets and within Facebook-owned Messenger and WhatsApp. That trade-off (a permissioned blockchain in which only Libra Association members run a limited number of validator nodes) concentrates trust in a small set of operators and heightens the already paramount security concerns about a platform and products designed to serve as financial infrastructure for millions, carrying a currency pegged to a basket of real-world currencies.
Launched in partnership with bug bounty platform HackerOne, the Libra Bug Bounty program will pay out up to $10,000 for uncovering critical flaws in the Libra blockchain code. Reward payouts scale with the type and severity of the issue, and the Libra Association said it will offer bonus multipliers on “spotlight” bugs that “highlight certain areas of the blockchain to attract research attention.”
“Our rewards program is designed to encourage members of the security community to dig deep, helping us find even the most subtle bugs. We want to help our researchers uncover issues while the Libra Blockchain is still in testnet and no real money is in circulation,” said Michael Engle, the Libra Association’s Head of Developer Ecosystem.
Facebook’s bug bounty program dates back to 2011, and it’s expanded over the years to include new criteria such as developer data abuse in the wake of the Cambridge Analytica scandal. Aanchal Gupta, Security Director at Facebook-owned subsidiary Calibra (which is developing a Libra wallet app to be embedded directly in Facebook apps and services), said she hopes developers will bring a “diversity of perspectives and expertise to this initiative while holding the Libra Blockchain to the highest security standard.”
Calibra head David Marcus told Congress ad nauseam that Libra would not launch until all regulatory concerns are addressed and all approvals are received. So between regulatory pressure, reported second thoughts from Libra Association members, and the sheer scale of actually developing and launching the Libra Blockchain worldwide, we’re still a long way off from anything resembling a finished product. In the meantime, at least Libra is working out some of the bugs.