TruSec

A cyber-security variant of the TruCol protocol

The TruSec protocol allows companies to hedge against hacks such as ransomware attacks and data leaks. It was presented at Black Hat USA 2022 in Las Vegas, together with our whitepaper. Watch our talk below:

Example

Suppose you want to hedge your company against ransomware attacks that use zero-day exploits. These days ransomware insurance is hard to come by, so instead you can incentivise the hackers to take the white-hat route, using collective staking:

  1. Push your open source software stack into a decentralised virtual machine (DVM).
  2. Set a responsible disclosure time.
  3. Set the bounty for the vulnerability types you find important (e.g. a hacker who gains read access earns 10K, write access earns 100K).
  4. Specify how long the stake remains retrievable.
  5. Put a stake on it being secure. Now you can show your customers how secure your software is against zero-day exploits, and hackers can attack your staked software stack knowing they will be paid out automatically, with no negotiation, once their exploit is verified.

So what happens if your stack is compromised? You get a peek at the locked exploit, and you can patch your software within the responsible disclosure time. Once the responsible disclosure time is over, the exploit vault opens up, the exploit is verified, and the hacker gets paid out if the hack was valid. Then the cycle starts over: you push your patched software stack to the DVM again and put a new stake on it.
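The staking cycle above, written out as an added, runnable model so the moving parts (locked vault, owner peek, disclosure timer, deterministic verification, tiered payout, stake retrieval) are explicit. This is illustration code written for this page, not TruSec's own implementation or a real DVM: the DVM is modelled as an in-process object with a logical clock, the staked stack is a hypothetical `toy_stack` whose "v1" trusts a client-supplied `debug=1` flag and whose "v2" is patched, the vault is a commit-reveal scheme (the hash of exploit and nonce is public immediately, the exploit itself is readable only by the stake owner until the disclosure time elapses), and "how long the stake remains retrievable" is interpreted as a lock period after which the owner may withdraw whatever bounty money is left. All names and parameters are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    READ = "read"
    WRITE = "write"


def toy_stack(version: str, request: bytes):
    """Hypothetical staked stack. Returns the access a request gains, or None.
    v1 trusts a client-supplied debug flag (the 'zero-day'); v2 is patched."""
    if version == "v1":
        if b"role=admin" in request:
            return Access.WRITE
        if b"debug=1" in request:
            return Access.READ
    return None


@dataclass
class Claim:
    hacker: str
    commitment: str      # sha256(exploit || nonce): public from submission
    exploit: bytes       # locked in the vault: owner may peek, public after reveal
    nonce: bytes
    submitted_at: int
    revealed: bool = False
    paid: int = 0


@dataclass
class Stake:
    owner: str
    version: str
    bounties: dict              # Access -> bounty, e.g. read 10K, write 100K
    disclosure_time: int        # ticks the exploit stays locked
    retrievable_after: int      # assumed: earliest tick the owner may withdraw
    amount: int
    claims: list = field(default_factory=list)


class TruSecModel:
    """Toy DVM: a logical clock plus a deterministic verifier callback."""

    def __init__(self, verifier):
        self.now = 0
        self.verifier = verifier          # (version, exploit) -> Access or None
        self.stakes = {}

    def push_stake(self, stake_id, stake):
        self.stakes[stake_id] = stake

    def submit(self, stake_id, hacker, exploit):
        nonce = secrets.token_bytes(16)
        commitment = hashlib.sha256(exploit + nonce).hexdigest()
        claim = Claim(hacker, commitment, exploit, nonce, self.now)
        self.stakes[stake_id].claims.append(claim)
        return claim

    def peek(self, stake_id, caller):
        stake = self.stakes[stake_id]
        if caller != stake.owner:
            raise PermissionError("vault is locked until the disclosure time elapses")
        return [c.exploit for c in stake.claims if not c.revealed]

    def settle(self, stake_id):
        """Open the vault for every claim whose disclosure time has elapsed."""
        stake = self.stakes[stake_id]
        payouts = []
        for claim in stake.claims:
            if claim.revealed or self.now < claim.submitted_at + stake.disclosure_time:
                continue
            claim.revealed = True
            if hashlib.sha256(claim.exploit + claim.nonce).hexdigest() != claim.commitment:
                continue                  # revealed exploit differs from the committed one
            access = self.verifier(stake.version, claim.exploit)
            if access is None:
                continue                  # exploit does not work: no payout
            bounty = min(stake.bounties[access], stake.amount)
            stake.amount -= bounty
            claim.paid = bounty
            payouts.append((claim.hacker, access, bounty))
        return payouts

    def withdraw(self, stake_id, caller):
        stake = self.stakes[stake_id]
        pending = any(not c.revealed for c in stake.claims)
        if caller != stake.owner or self.now < stake.retrievable_after or pending:
            raise PermissionError("stake is not retrievable yet")
        amount, stake.amount = stake.amount, 0
        return amount


def demo():
    """One full cycle on constructed data: submit, peek, wait, settle, withdraw."""
    dvm = TruSecModel(verifier=toy_stack)
    dvm.push_stake("acme-v1", Stake("acme", "v1", {Access.READ: 10_000, Access.WRITE: 100_000},
                                     disclosure_time=30, retrievable_after=90, amount=150_000))
    dvm.submit("acme-v1", "mallory", b"GET /secrets?debug=1")
    peek = dvm.peek("acme-v1", "acme")    # owner sees the locked exploit and can patch
    early = dvm.settle("acme-v1")         # vault still locked: nothing happens
    dvm.now += 30
    payouts = dvm.settle("acme-v1")       # vault opens, exploit verified, hacker paid
    dvm.now += 60
    left = dvm.withdraw("acme-v1", "acme")
    return peek, early, payouts, left
```

Two details carry the security weight. The commitment lets anyone check later that the revealed exploit is the one submitted before the patch, so the owner cannot claim it was fabricated after the fact, and the verifier is a pure function of (stack version, exploit), which is what makes the bounty deterministic: `toy_stack("v2", ...)` returns `None` for the same request, so the patched stake can be re-staked without paying twice for the same bug.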

Concept of TruSec

Why

The TruSec protocol eliminates triage intermediaries for deterministically verifiable bug bounties. That facilitates higher bounties. Furthermore, hackers know exactly how much they will earn, without ambiguity. Additionally, companies can show their users and stakeholders how secure their software is against deterministically verifiable zero-day exploits, in terms of dollars. We hope this allows decision makers to improve their defense resource allocations based on the new market insights generated by the TruSec protocol.

Funding

We are actively looking for funding. Contact us if you are willing to discuss the realisation of a practical implementation of the protocol. Furthermore, our team could benefit from domain knowledge on decentralised virtual machine development and/or containerised solutions in order to establish a minimum viable product.