Bitfi research receives Pwnie Award for ‘lamest vendor response’

The Pwnie Awards is an annual celebration of the achievements of security researchers and the security community. It’s also an opportunity to roast vendors for lame responses to security concerns.

The ceremony took place last night, August 8th, 2018 in Las Vegas at the BlackHat USA security conference.

The awards are some rather lovely Pwnies. Any infosec researcher would be proud to receive one:

We were shocked and surprised to discover that the recent research in to the Bitfi crypto currency wallet that we have been spearheading managed to get Bitfi the “Lamest Vendor Response” award.

The research group is made up of many highly skilled security people from across the globe, led and coordinated by Andrew Tierney, aka @cybergibbons.

How not to respond to vulnerability disclosure

Before we cover the train wreck, we should highlight that Bitfi have changed their approach to interaction on social media. They now have a much more constructive approach.

Well done for addressing this Bitfi, hopefully the shape of things to come.

The train wreck

Let’s not dwell on the ‘unhackable’ claim that was the start of all this.

Making demonstrably false claims is never a good start though:

Changing tack:

But it all started to get very unpleasant. An affiliate marketeer for Bitfi started to say some openly hateful things about one of the group.

After a few hours and an application of sanity, Bitfi retracted and deleted reference to it:

In the meantime a veiled threat was also made:

After that, things got a bit crazy. We were genuinely surprised to see a significant number of infosec types on Twitter independently take real exception to this.

As far as we were aware, nothing untrue had been said by the group. We had demonstrated key recovery from memory of the Bitfi (which shouldn’t be possible!), and we didn’t claim to have achieved the strict $250K bounty requirement.

We sat back and watched as Twitter lit up, drawings significant amounts of attention to the behaviour of Bitfi.

A number of spoof accounts also popped up which were nothing to do with us.

Conclusion

Handling vulnerability disclosure is always sensitive, but how one interacts with the community can make a huge difference

Don’t make claims that are demonstrably false or impossible to substantiate. Everyone likes a challenge, particularly infosec researchers

If your claims are questioned, engage constructively, try to avoid confrontation. Don’t persist or the coverage will build, and the Streisand effect takes over.

It’s never too late to change direction. Reputation can be salvaged, damage can be limited.

We’re looking forward to a much more constructive interaction with Bitfi going forward.