The Case for a ‘Vulnerability Management Token’: A new way to reward vulnerability remediation
- Dec 27, 2022
- Michelangelo Sidagni
November 2022 has not been a boring month indeed!
One of the most prominent and powerful cryptocurrency exchanges – FTX – announced that it was filing for Chapter 11 bankruptcy and at the same time announced an investigation into “unauthorized transactions” flowing from its accounts, in the form of $515 million in suspicious transfers that might have been the result of a hack or theft. Subsequently, the cryptocurrency transfers were traced as the perpetrator tried to move the huge amount of cryptocurrency from system to system in an attempt to cash it out. Eventually, the then FTX CEO – Sam Bankman-Fried – had to resign and was replaced by a new CEO who would oversee the bankruptcy liquidation process.
Why am I telling you this story? I am sure you have already heard it a thousand times in the news this month. Because it highlights a unique interrelationship between cyber security, the fintech world and the importance of trust among centralized institutions and investors / consumers.
I am not aware of the details surrounding this hack, but I am sure either the attacker was an insider who got hold of or knew some wallet private keys or some other sort of keys to the kingdom, or it was somebody who took advantage of security vulnerabilities or misconfigurations to plant malware and get hold of sensitive system passwords.
To me, no security breach starts in a vacuum: it originates with some sort of unpatched vulnerability, a system misconfiguration (an open network folder or share), or a vulnerable system which can be implanted with some sort of malware to sniff and siphon off passwords and private keys.
All this could be prevented by practicing good cyber hygiene involving routine patching and automated configuration and change management.
But how to make this happen? How can you motivate organizations to promptly patch as if they could gain some sort of economic value or rewards out of it?
This very intersection between security and cryptocurrency that caused this multi-million dollar breach also inspired me to think about a reward, a currency, to motivate organizations to patch and remediate security vulnerabilities.
What if we could think of a system, a currency, a cryptocurrency that could represent a value to be exchanged, accumulated and transacted for the purpose of motivating organizations to fix security vulnerabilities and then maybe pay for security audits and penetration tests?
Please meet the “Vulnerability Management Token”.
This is actually not a novel idea. There is currently a security vendor called “Quantstamp” – https://quantstamp.com/about – (BTW NopSec is neither affiliated with nor endorsing the services of this company) which is in the space of “securing the Web3 economy”. Their mission is “to facilitate the mainstream adoption of blockchain technology through our security and risk assessment services. Quantstamp services include securing Layer 1 blockchains such as Ethereum 2.0 and Solana, securing smart contract powered NFT and DeFi applications such as Maker and OpenSea, and developing financial primitives for Layer 1 blockchain ecosystems.”
The company also issues a cryptocurrency token – the Quantstamp token, QSP – https://coinmarketcap.com/currencies/quantstamp/ – which is an ERC-20 token used for verifying smart contracts on the decentralized QSP Security Protocol. ERC-20 tokens are digital assets designed, issued, and used just like Bitcoins, except they run solely on the Ethereum blockchain. Each token relies on a specific smart contract that keeps track of that token’s balances and transfers. For a great overview of the ERC-20 token concept refer to this site: https://www.bitcoin.com/get-started/what-are-erc-20-tokens . Users can buy automated scans of smart contracts with QSP, and validators can earn QSP for helping provide decentralized security scans on the network at protocol.quantstamp.com. In short, QSP is an Ethereum token that powers Quantstamp, a security auditing network for crypto protocols: QSP tokens can be used to pay for smart contract audits, earned by running verification nodes, and used for proposing and voting on network upgrades.
The idea for a “vulnerability management token” is similar. The vulnerability management token is earned or distributed according to the number of remediated vulnerabilities whose closure has been independently verified. The token is an open source protocol and represents a standard that could be adopted by all companies involved in the vulnerability management and security space.
The purpose of the token is to pay in exchange for the performance of security audits – such as pen tests or red teaming engagements – or other security services or maybe to pay for smart contract audits.
This way, organizations could push harder to remediate security vulnerabilities in their systems and protect their environments from hacks. As a byproduct of this process, they could earn VRM tokens which could be traded or spent to pay for penetration testing and security services.
Problem solved. Remediation motivation comes from the economic interest of accumulating value for the use of auditing the organization’s system for security. This is a win-win!
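As an added illustration of the mechanism described above (not code from this post, from NopSec, or from Quantstamp), here is a minimal ERC-20 contract in which tokens are minted only when an account holding a verifier role attests that a finding was closed, and each finding can be rewarded only once, so an organization cannot mint for itself or re-claim the same fix. The contract name, the role, the reward amount and the finding-id scheme are all assumptions, and it assumes the OpenZeppelin Contracts library is available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from the post. Assumes OpenZeppelin Contracts.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";

/// @notice Hypothetical "Vulnerability Management Token": minted only when an
/// independent verifier confirms a vulnerability was closed, and only once per finding.
contract VulnerabilityManagementToken is ERC20, AccessControl {
    bytes32 public constant VERIFIER_ROLE = keccak256("VERIFIER_ROLE");

    // Reward per verified remediation (hypothetical value, 18-decimal units).
    uint256 public constant REWARD_PER_FINDING = 10 * 1e18;

    // findingId => already rewarded? Blocks double-claiming the same fix.
    mapping(bytes32 => bool) public rewarded;

    event RemediationVerified(
        bytes32 indexed findingId,
        address indexed organization,
        address indexed verifier
    );

    constructor() ERC20("Vulnerability Management Token", "VMT") {
        // Deployer administers roles; verifiers are granted VERIFIER_ROLE separately.
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }

    /// @dev findingId is an opaque identifier (e.g. hash of scanner id + asset + CVE)
    /// supplied off-chain. Only a verifier can call this; the rewarded organization
    /// is the address that owns the remediated asset, never the caller itself.
    function recordVerifiedRemediation(bytes32 findingId, address organization)
        external
        onlyRole(VERIFIER_ROLE)
    {
        require(organization != address(0), "organization required");
        require(organization != msg.sender, "verifier cannot reward itself");
        require(!rewarded[findingId], "finding already rewarded");
        rewarded[findingId] = true;
        _mint(organization, REWARD_PER_FINDING);
        emit RemediationVerified(findingId, organization, msg.sender);
    }
}
```

The separation of duties here is the whole point: the key design decision for such a token is who is allowed to attest that a vulnerability is really closed, since whoever holds that role controls the token supply.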