A bunch of people write crypto software, and want to find out/demonstrate how secure it is. They do so by setting up a system that will transfer ~$2k worth of bitcoins to the first guy who breaks it.
If you take as axiomatic that all security measures can be broken, then you can measure those security measures by the cost of breaking it.
You could measure the amount of time it takes for someone to break this security and grab the cash, but that only provides you with one datum. To really show how secure it is, you would also need to provide a $1000 prize, a $500 prize, a $250 prize, a $125 prize, and so on, all with equally strong security.
Then you start the clock. After the first prize is won, you put out the second prize and start the clock again.
Even if the winners don't share their methods, you can determine how long it took to claim the biggest prize, and compare with the length of time it takes for subsequent lesser prizes. A reduction in the interval spells trouble for your security method, because the attackers found an easier way to get in.
You can then determine the general level of effort required, when people finally stop taking the otherwise free money. If the $125 prize is claimed, and the $62.50 prize is not, you can assume that it costs between $62.50 and $125, plus a certain amount of time, to break your security.
As long as whatever you put behind that security is worth less than that amount of time and money, it will probably be safe from random attackers. Unlike an in-home safe or a bank vault, you can't take calipers and measure the thickness of the walls, to calculate how long it would take to cut through.
This contest doesn't prove anything, but it does suggest a guideline. If no one takes the $2000, then as long as the expected value of a random attack on you is not higher than that, you can feel safe using it. The problem is that it doesn't take much to rise above that amount. Late model car? Nice house? Taking an actual vacation? You're worth at least a spear-phishing attempt.
I appreciate what you're saying but even then, the data you infer this way (apart from the breach itself) is highly suspect. I don't think you really get a view for how much it costs to break and time is a poor proxy.
It tests your defense against random attackers, in the same way that a fence keeps random people off your lawn.
But it doesn't tell you anything about dedicated attackers, and those are the guys you really need to worry about. Anyone who really wants in can climb over the fence, or cut through it, or drive a tank over it.
I'm not a fan of this type of bounty myself, but it might seem like a good idea if you have enough money for a contest prize but not anywhere near what would be needed for a professional audit. Even so, if your bounty is claimed, you still might want to know how much of the work for that first attack is reusable for all subsequent attacks, and that requires a second prize.
Exactly, so if there is a breach, then we've learned about something we need to secure better (win). If there's no breach — and provided people did try to break in — then we're only incrementally more confident in the stack (kind of a cautious win).
A bunch of people write crypto software, and want to find out/demonstrate how secure it is. They do so by setting up a system that will transfer ~$2k worth of bitcoins to the first guy who breaks it.