A popular dark net marketplace hawking drugs and stolen credit cards has opened a security bug bounty offering to pay hackers for reporting vulnerabilities.
The "Hansa" marketplace announced the bounty last week inviting security researchers to disclose vulnerabilities worth up to 10 bitcoins (US$10,170) for bugs that could lead to users, vendors, or administrators.
The payouts are likely measly compared to the cash rewards on offer to hackers taking more conventional routes and exploiting vulnerabilities with blackmail or other evil acts.
Fallen Silk Road boss Ross Ulbricht was forced to pay US$50,000 a week to hackers who learnt how to launch distributed denial of service attacks against the site. He's also alleged to have paid cash to quiet hackers threatening to reveal his identity.
On Hansa, vulnerabilities that cannot be used to reveal the identities or locations of users, vendors, and administrators attract a one bitcoin ($US1020) payment. Less-intrusive bugs and glitches earn just 0.5 BTC.
Site administrators promise to follow bug bounty best practice and maintain regular contact with vulnerability reporters.
Hackers who drop the bugs before patches are applied, or exploit and impact the market or its users, will have their payouts withheld. Hackers who offer proper proof-of-concepts will earn themselves a higher payout.
Darknet drug sites can hardly call the Police and complain when hacked, so must maintain a high level of security to fend off hackers and blackmailers.
The most popular drug and carder marketplace, AlphaBay, last month fixed a highly critical private key leak vulnerability partially disclosed on Reddit. That flaw allowed its finder to grab 218,000 private messages, the names of buyers and sellers, street addresses, and package tracking identity numbers. ®