Vulnerability reporting is the practice of reporting security vulnerabilities in computer software or hardware. These vulnerabilities must be addressed by the vendors of that software or hardware before a malicious adversary can take advantage of them. Furthermore, once addressed, the vulnerabilities should be disclosed promptly to the public or to the affected customers.
Current vulnerability reporting platforms have many shortcomings. Many of them are run by private, centralized entities. They do not give reporters any assurance of a fair reward. Moreover, nothing incentivizes vendors to disclose vulnerabilities publicly in a timely manner, so disclosures are often delayed. Furthermore, customers are often unaware of the potential vulnerabilities in, and the risks to, their assets. The complete lifecycle of a vulnerability, from discovery through reporting, resolution, patching, and disclosure, involves multiple parties, each with different motivations and barriers. In addition, the existing solutions are siloed: each addresses a single function within the vulnerability lifecycle, and they do not work together reliably.
If the overall process of vulnerability reporting and responsible disclosure were more transparent, conscientious, and automated, it would give vendors a strong incentive to improve the security of their products. Additionally, identity privacy and a fair reward system would motivate more researchers to participate in vulnerability reporting. Our system aims to make the traditional vulnerability reporting and disclosure process Transparent, Privacy-focused, and Incentive-driven by using blockchain technology.
