Amulet 2024 Security Transparency Report

Interchain

In July 2023, the Interchain Foundation (ICF) embarked on a strategic partnership with Amulet to enhance the security and resilience of the Interchain Stack and the diverse ecosystem of projects building with it. For the stewards of this growing ecosystem, robust security is fundamental to fostering innovation, adoption, and trust. Together with Amulet, the ICF has made significant strides in building a more efficient and effective security coordination and response program that benefits the entire community.

Today, you can read Amulet’s first annual transparency report highlighting the progress and efforts conducted since 2023. You can find the link to the full report below, in the article.

Addressing Challenges with Renewed Focus

One of Amulet’s goals is to coordinate security information and patches efficiently across the interchain during security incidents. As a vast, decentralized ecosystem of over 115 chains and their communities, this presents significant challenges. Amulet’s expertise in emergency coordination has ensured these necessary actions have been coordinated efficiently across the entire interchain, bringing tangible results in a short timeframe.

Revamping the Cosmos Bug Bounty Program

The primary goals of a bug bounty program are to incentivize the disclosure of security vulnerabilities, reduce harm, and strengthen the security of an ecosystem. The Cosmos Bug Bounty Program needed a fresh approach to address a backlog of unresolved reports and inconsistent communication practices, such as a lack of uniform security reporting and safe-harbor reporting baselines.

Within the first 30 days of program administration, Amulet completely overhauled the Cosmos Bug Bounty Program, resolving over 45 open issues, implementing a new policy framework, and improving the overall experience for security researchers. Beyond fixing what was broken, Amulet addressed these challenges with renewed focus, building a stronger foundation for security and creating an environment where researchers feel valued and critical issues are addressed swiftly, in line with cutting-edge international standards for vulnerability coordination.

Expanding Scope and Elevating Rewards

With key gaps and backlogs addressed, Amulet identified the need to broaden the scope of the Bug Bounty Program to create a safer interchain for all stakeholders and act as a force multiplier for security in the interchain ecosystem. Beyond automated testing and vulnerability assessments, this involved elevating rewards to attract a diverse set of hackers with varying skills, providing alternate perspectives about the code, and enabling stewards and chain developers to rapidly patch and coordinate patching of critical and high-severity issues before they are exploited in the wild.

A More Efficient, Inclusive Bug Bounty Program

The expanded Bug Bounty Program covers all crucial components of the Interchain Stack, including Packet Forward Middleware, CosmWasm, Horcrux, Hermes, and IBC-go Relayer. Amulet doubled the rewards for valid reports — up to $50,000 for critical bugs — to attract some of the best minds in the field.

Since August 2023, over $540,450 has been paid out to researchers, including the program’s first six-figure payout. The results speak for themselves: a 10x increase in bug report submissions, faster response times, and an influx of high-quality reports that help raise the bar for Interchain Stack security.

Building a Culture of Collaboration

Collaboration is crucial in open-source development as it brings diverse perspectives, accelerates development, and enhances transparency and security. To build a culture of collaboration and signal its commitment to working with security researchers who may be new to blockchain protocols and the interchain ecosystem, Amulet chose to adopt the Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy from disclose.io. This open-source policy is also included in the corresponding security.md files that outline vulnerability disclosure for components of the Interchain Stack.

Security Coordination in the Interchain

With so many teams and stakeholders, security in the interchain world is complex and requires a pragmatic approach that balances flexibility with structure. By working closely with Interchain Stack stewards, Amulet has implemented a standardized security coordination process, ensuring the development teams have the tools and support they need to respond quickly.

The new /security repository and security advisory distribution list ensure that everyone in the ecosystem can access the latest information and updates, fostering a stronger sense of community among developers and validators alike. Amulet is proud to share that between August 2023 and September 2024, there were zero incidents of exploitation during their security coordination efforts — a testament to the strength of the new processes.

Amulet 2024 Security Transparency Report

For detailed program milestones and performance metrics, download and read the full Amulet Security Transparency Report.

In this report, you can see the total reports triaged per component of the Interchain Stack and the total bounties awarded. The Amulet Transparency Report is more than just an update; it’s a deep dive into the steps taken to enhance security across the interchain, providing a comprehensive look at Amulet’s journey, including the challenges faced and the milestones achieved.

You’ll find detailed information about how Amulet addressed a backlog of issues and improved response times, the impact of the expanded Bug Bounty Program and the rewards that drive innovation, and key metrics that illustrate the progress and the benefits to the community. If you’re interested in learning more about building a secure and resilient interchain and want to see the efforts involved, read the full report, and if you want to participate in the Bug Bounty Program and get rewarded for strengthening our foundation, be sure to visit the security repository for further information.

The Interchain Foundation is dedicated to building a secure and trustworthy ecosystem. Our relationship with Amulet has been a crucial step in this journey, ensuring that every participant in the interchain benefits from a safer, more resilient network. We look forward to continuing this work with Amulet as the Trust and Security Steward for the Interchain Foundation.

Interchain

As stewards of the interchain, we advance the development of an interoperable, sustainable, and community-owned decentralized ecosystem. https://interchain.io/