
Messages - netdragonx

1
I really like the idea! It's better to deal with security head on, rather than letting it bite us in the rear!

I've got a couple of ideas which I hope will warrant a tiny bounty... hope the worker gets activated! :D

I would welcome your submissions! It's definitely a feature we should have. It's only a financial exchange with a $436M market cap. :)

2
Good initiative. I am wondering, do you have a plan to extend the bounty program to gateways built on top of BitShares, especially those who develop their own wallet?

+5% +5% +5%

It would be difficult to do that, as many of these gateways fork the existing code and don't pull every fix. However, they will be indirectly supported by the program as long as they pull in updates as they are released.

In that same line of thought, it might be in our best interest to add a line of communication with the gateways, so that they are aware of the importance of certain vulnerabilities, so they aren't left hanging.

3
You have full support from me personally and from all partners/collaborations I can influence to give you a vote. Although, I would be asking for some proper time-tracking software/app for those audit hours, before any complicated workers with a chaotic structure of many layers of teams get our votes in the future.

Why? We have 4 contacts total, 2 for 2 teams, where 1 contact is on both teams, and 1 contact with no team on this proposal is an auditor on one of the teams in another worker. Those contacts are assigning audits to specific devs, and without proper time-tracking, those devs can be wronged or the network can be charged for more hours than were actually worked.

The UI team works via github tasks with estimated complexity assigned to each task by the project lead. The primary contact (usually repository maintainer) could be the one that estimates each vulnerability report as they come in, and either assigns or asks for a volunteer from the pool of experienced repository developers. I think that'd be the easiest approach for tracking time for less complex issues.

For serious or complex issues, time tracking could be useful, though, as the hacker may not know how to fix the issue, and an experienced team member might need to spend time figuring out how to resolve an issue that doesn't break the user experience.

4
Hey everybody!

A couple months ago, while working with the UI/app team in my spare time, I realized that we don't have a formalized method for reporting serious vulnerabilities.

If a security researcher/hacker found a critical bug in the DEX, they might be tempted to exploit the bug, and attempt to steal funds from unsuspecting users. Without a public bug bounty system, hackers do not have an obvious path of disclosure for reporting their findings. They also do not have any incentive to share their exploits and techniques, rather than using them for personal gain.

With this proposal, we’d like to start a BitShares bug bounty program for security researchers and penetration testers (...aka hackers!) to disclose important security vulnerabilities they find within the BitShares core protocol, reference wallet, and related code repositories.

The proposal will use allocated funds to reward those that step forward with exploits, relative to the overall risk assessment of the exploit. The higher the payout for critical bugs, the more incentive there will be to attract higher quality researchers, ultimately providing better security coverage for the DEX.

Funds will also be used to build and maintain a website (https://hackthedex.io/) for reporting vulnerabilities. The website will include all the information needed for researchers to report a vulnerability, as well as an archive of bounty reports and a leaderboard to encourage a little friendly hacker competition. It will also lay the groundwork for future HackTheDEX worker proposals to improve the security and safety of BitShares as a whole.

Thanks to coordination with the foundation, worker proposal funds will be held in a BBF escrow account and unused funds will be refunded back to the network at the end of the proposal period.

For your consideration: https://www.bitshares.foundation/workers/2018-07-hackthedex

Thanks!

-- Matt

5
General Discussion / Re: About Japanese Translation for BitShares
« on: February 17, 2018, 01:14:53 am »
I made a new issue on Github for you: https://github.com/bitshares/bitshares-ui/issues/1186

Reply to the Github issue and attach the JSON file (if you aren't comfortable with using git).

One of the devs can pull it in. You can also attempt to attach it here.

Thanks for contributing!  :)

6
Excited to see these deployed and what it'll mean for performance.

If you need any help, let me know. I've managed HAProxy clusters in the past.

7
Yeah, it sounds like a solid proposal. Let's do it.