Dark net black markets are turning to bug bounty programs

They're hoping putting bounties on bugs could help solve their security issues.


Dark net black markets are taking a leaf out of many legit companies' book and turning to bounty hunters to find security flaws in their systems. Hansa Market is one of them. According to CyberScoop, the marketplace, which brought in $3 million last year, has launched a bug bounty program offering rewards worth up to 10 BTC or around $10,000. Considering marketplaces like Hansa sell drugs, illegal firearms, log-ins and other data, the websites likely want to amp up their security measures to protect their sellers from law enforcement. They also likely want to protect all the log-in/password dumps and other data for sale from other hackers who might break into their system to steal them.

In fact, Hansa launched the program after a bug that affected AlphaBay, the biggest active online black marketplace, allowed outsiders to read private messages on the site. Hansa's spokesperson told CyberScoop that they've received reports about "numerous non-critical and simple bugs" since the program launched on January 30th. Those are worth 0.05 to 1 BTC or around $500 to $1,000. The biggest bounty, worth 10k, is reserved for "vulnerabilities that could severely disrupt HANSA's integrity."

However, Sarah Jamie Lewis, a privacy researcher who worked on Dark Web security tool OnionScan, doesn't believe bug bounty programs could help dark net websites much. She says they need to go much deeper if they want to solve their security problems:

"The problems pervading onions [the nickname for websites accessed on the Tor network] are caused by bad assumptions at the software design level — the reliance on web technologies designed for an Internet without consideration for privacy. Bug bounties are only a patch, what we really need are new privacy-oriented software stacks, servers, blog platforms, etc."