Zero Day Vulnerability
First, a couple of disclaimers.
- I am not a developer; before the incident I am going to talk about, I didn't know about zero-day vulnerabilities
- I am a major stakeholder in both Hive and Splinterlands, and I deeply care about both ecosystems and also recognize that they are inseparable
- I am good at research; these days, with the internet, most people can be
Therefore, if I don't know something, it is not hard to at least get some basic familiarity with the subject. I am obviously no expert on it, but there are others who are completely clueless about this, and they do read this sometimes. Also, this is my blog, so I treat it like my journal, and this topic is on my mind right now, so I am going to write about it.

What is a Zero‑Day Vulnerability?
A zero‑day vulnerability is a security flaw in software, hardware, or firmware that is unknown to the vendor or developers and has no available patch at the time it is discovered or exploited.
- The term “zero‑day” means developers have had zero days to fix the problem before it is used in an attack.
- Because no fix exists yet, attackers can exploit it before defenders can prepare, making it especially dangerous.
Origin of the Term "Zero Day"
In early computing, “zero day” referred to the number of days since a piece of software was released. The term became popular in the 1990s piracy (warez) community, where pirated software was categorized by “age”:
- 30‑day (released 30 days ago)
- 100‑day (older software)
- Zero‑day (brand new or pre-release)
The most valuable category was “zero‑day”: software cracked and distributed immediately, or even before its official release.
The Defender's Dilemma
A lot of what I learned about the topic is from the report titled The Defender's Dilemma, which I felt is a good resource. It talks about cyber security in general. The report (published by RAND in 2015) argues that cybersecurity is an ongoing economic and strategic “arms race” between attackers and defenders, where:
- Costs are rising rapidly
- Effectiveness is uncertain
- Attackers may be gaining the advantage
The real goal is not perfect security, but:
minimize (security spending + expected losses from attacks)
Organizations:
- Can measure what they spend
- Cannot easily measure what attacks were prevented
This leads to inefficient or misaligned security investments. In other words, security is fundamentally an economic trade-off problem, not just a technical one.
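The trade-off in the formula above can be made concrete with a small model. The following is an added illustration, not something from the report or from the original post: the exponential loss curve, the dollar figures and the parameter k are constructed assumptions chosen for the example. What it shows is that the optimum is neither zero spend nor maximal spend, and that because the baseline loss (what security would have prevented) is only ever an estimate, the "right" spend moves with that estimate even though the spend itself is known exactly.

```python
import math

# Added illustration of the cost trade-off described in The Defender's Dilemma.
# ASSUMED model for this example (not a figure from the report): expected annual
# loss falls exponentially with security spend, L(s) = L0 * exp(-k * s), where
# L0 is the loss with no security spend and k is how quickly each dollar of
# spend reduces that loss.


def expected_loss(spend: float, baseline_loss: float, k: float) -> float:
    """Expected loss from attacks after spending `spend` on security."""
    return baseline_loss * math.exp(-k * spend)


def total_cost(spend: float, baseline_loss: float, k: float) -> float:
    """The quantity the report says a defender should minimise:
    security spending + expected losses from attacks."""
    return spend + expected_loss(spend, baseline_loss, k)


def optimal_spend(baseline_loss: float, k: float) -> float:
    """Closed-form minimiser of total_cost under the exponential model.

    d/ds [s + L0*exp(-k*s)] = 1 - k*L0*exp(-k*s) = 0  =>  s* = ln(k*L0)/k.
    If k*L0 <= 1 the first dollar of spend removes less than a dollar of
    expected loss, so the optimum is to spend nothing.
    """
    if k * baseline_loss <= 1:
        return 0.0
    return math.log(k * baseline_loss) / k


def grid_search_spend(baseline_loss: float, k: float,
                      max_spend: float, step: float) -> float:
    """Brute-force check of optimal_spend: try spend levels 0, step, 2*step, ...
    up to max_spend and return the one with the lowest total cost."""
    best_spend, best_cost = 0.0, total_cost(0.0, baseline_loss, k)
    spend = step
    while spend <= max_spend:
        cost = total_cost(spend, baseline_loss, k)
        if cost < best_cost:
            best_spend, best_cost = spend, cost
        spend += step
    return best_spend


def spend_shift_from_uncertainty(k: float, loss_multiplier: float) -> float:
    """How far the optimal spend moves if the true baseline loss is really
    loss_multiplier times the estimate. Under the exponential model this is
    ln(loss_multiplier)/k, independent of the estimate itself. This is the
    defender's measurement problem: spend is known exactly, but L0 (the
    losses that security would have prevented) is only ever an estimate."""
    return math.log(loss_multiplier) / k


if __name__ == "__main__":
    # Constructed example values: $1M exposure with no spend, k per dollar.
    L0, K = 1_000_000.0, 0.001
    s_star = optimal_spend(L0, K)
    print(f"optimal spend:          ${s_star:,.0f}")
    print(f"total cost at $0:       ${total_cost(0, L0, K):,.0f}")
    print(f"total cost at optimum:  ${total_cost(s_star, L0, K):,.0f}")
    print(f"total cost at $20,000:  ${total_cost(20_000, L0, K):,.0f}")
    print(f"grid search agrees:     ${grid_search_spend(L0, K, 30_000, 50):,.0f}")
    print(f"if losses are really 2x the estimate, optimal spend shifts by "
          f"${spend_shift_from_uncertainty(K, 2):,.0f}")
```

With the constructed numbers, spending nothing costs the full $1M of expected loss, spending $20,000 is almost pure overspend, and the minimum sits near $6,900 with a total cost of roughly $7,900. Doubling the (unmeasurable) baseline loss moves the optimum by about $690, which is the point of the passage: the one input you cannot measure is the one that decides how much you should spend.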
There is a structural imbalance between attackers and defenders. Attackers operate with a clear advantage: they only need to find a single vulnerability, while defenders must secure every possible entry point. Moreover, attackers can reuse tools and techniques across multiple targets, scaling their efforts efficiently. Defenders, on the other hand, must operate under uncertainty, constantly reacting to new threats, including unknown vulnerabilities such as zero-days. This asymmetry creates a persistent “defender's dilemma,” where even well-funded and highly capable organizations remain exposed to compromise.
Splinterlands
That brings us to Splinterlands. Recently, @louis88 published a post regarding a vulnerability. I read the post when it was published but didn't know the details, and certainly didn't know the monetary aspect of it. Also, recently, there has been a major hack at hive-engine with a significant loss of funds. Suddenly I was made aware that we have been asked for a bounty fee. So I had to do further research and find out more about it.
What is a “White Hat Bounty” for Zero‑Day Vulnerabilities?
A white hat bounty (commonly called a bug bounty) is a legitimate financial reward paid to ethical hackers (white hats) for discovering and responsibly disclosing vulnerabilities—including zero‑day vulnerabilities—to the software vendor or platform owner.
Key idea:
- A zero‑day vulnerability = unknown, unpatched flaw
- A white hat bounty = legal incentive to find and report it safely instead of exploiting it or selling it to someone who will
How does it work?
- A security researcher discovers a vulnerability (potentially a zero‑day).
- They privately disclose it to the vendor (responsible disclosure).
- The vendor:
  - verifies the issue,
  - fixes it,
  - pays a bounty based on severity and impact.
- The vulnerability may later be published after patching.
Most established programs publish their scope and severity tiers in advance, so the researcher knows the payout range before reporting and the amount is not negotiated after the fact.
Here comes the money part
Louis here is asking for a payment. As a Splinterlands SPS DAO treasurer (I am one of the 13), it now comes to the DAO to sign a check for Louis. That is when I was made aware of this situation yesterday by the DAO Manager @clayboyn. We have a discretionary nominal amount <$5000, which we can pay without running a proposal. These are for "minor DAO expenditure" for "DAO related business". This is where I fall into a bind. How do I define the following:
- How much money do we pay to Louis, meaning what is a fair price?
- How exactly do we pay him as per procedure?
Am I comfortable just signing a transaction sending a dollar amount to Louis's wallet? Or is it better for Louis to write a proposal and ask for the funds?
What does the community think?


Thanks for your devotion to transparency, @azircon
No problem Matt. I just don't want to get us into legal trouble. I just want to make sure if someone sues me I have my bases covered and if I want to sue someone I can grab that person by the balls :)
Interesting... Anthropic Mythos was deemed too dangerous to release to public because it easily hacks every single system on the planet...
So we can basically point AI now at a target and it will find you vulnerabilities...
If I read his post correctly, he indicated that he used AI tools to find the vulnerability.
You are in the business and a professional: how much would you say is a fair price for this?
Yeah... I am not in the security field and I don't know what is a fair price for this. Obviously he did some work, probably in the range of 4 to 20 hours, though I say that without seeing the report or being an expert on the white hat stuff.
It sounds like he was insulted by the $10 and the CEO's response. Given that the DAO is not rich and we don't know how much time he spent, a fair negotiation starting point would be $1,000 to $2,000.
That is a good ballpark number to start with. I respect your opinion because you work at Microsoft. Most of the people here don't have the proper context.
Even if you had to write a proposal I would support it. It is getting even easier for people to find these vulnerabilities using AI. It takes literally zero skill to find a flaw and create and deploy a payload or exploit.
So my question is how much is it worth ;)