Security Alliance proposes Whitehat Safe Harbor to secure Web3

The Safe Harbor initiative is a pre-emptive security measure for blockchain protocols, similar to a bug bounty. It is a framework specifically for active exploits, i.e. situations where a vulnerability has begun to be exploited by a malicious actor. If a protocol has adopted the Whitehat Safe Harbor Agreement before such an incident occurs, whitehats, ethical security hackers, will have clarity on how to act in a potential rescue, and will be more likely to help intervene to rescue at-risk crypto assets.

A blockchain protocol can adopt the Whitehat Safe Habor Agreement through a governance vote of tokenholders or alternative decision making process. The protocol would need to first identify:

• Which assets are in-scope for the agreement (e.g. any ERC20 token at a specific address)?
• What reward will be given to successful whitehat rescues (e.g. 10% of rescued funds capped at USD$1m)?
• Where should rescued funds be returned (e.g. a specific multisig or treasury address)?

If adopted, the Whitehat Safe Harbor Agreement forms part of the website’s terms of service to enable users of the protocol to pre-emptively agree to whitehat rescues in the event of an exploit. This agreement is intended to incentivise whitehat hackers to rescue funds by offering agreed rewards and pre-emptive legal releases from the protocol and its users, and reducing the risk of criminal prosecution. The whitehat must comply with the procedures in the agreement and return funds to a designated asset recovery address in order to benefit from the protections under the safe harbor.

The Security Alliance (SEAL) has opened a request for comment on the Whitehat Safe Harbor Agreement  which runs until 14 March 2024. The proposal is the result of more than 18 months of work by a group of leading blockchain lawyers and security experts.

Piper Alderman was pleased to collaborate on the Whitehat Safe Harbor Agreement alongside SEAL and leading blockchain and cyber security lawyers, including Gabriel Shapiro, the Lexpunk coalition, Debevoise & Plimpton LPP, and the policy teams at Paradigm and A16Z Crypto, among many others.