Messages - blockchainprojectsbv

1
Stakeholder Proposals / [Draft][Worker Proposal] Global Marketing Board
« on: September 06, 2019, 02:13:12 pm »
Dear BitShares Community,

we have a new proposal that we would like to show the community and ask for feedback.


At this point, everything is open and we are happy for any and all constructive feedback.

Please note that some parts in the Chinese translation are still in English, once we have that corrected we will publish it also in the Chinese subforum.

Best regards,
  Stefan Schießl
  Blockchain Projects BV

2
Here are our comments:

Quote
Several critical reports have been submitted and fixed through HackTheDex, proof for its value and necessity.

In terms of OWASP vulnerability ratings, HTD auditors have not yet rated any publicly disclosed vulnerabilities as critical, so this is an inaccurate claim to make.

Refined the wording. This was not meant to reference the OWASP scale and was merely subjective.

Quote
The proposal will use allocated funds to reward those that step forward with exploits, relative to the overall risk assessment of the exploit.

Do you want vulnerability disclosure reports, or are you requesting the full development of weaponized exploits?

By the OWASP rating guide, two vulnerability factors (https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#Vulnerability_Factors) incentivize the creation of automated Metasploit modules.

All rewards are marked as "up to", and here is a quote from the proposal:
Quote
To qualify for higher rewards, the submission should include everything
the auditing panel would need to reproduce and verify the vulnerability.
The submission should also be well-prepared and of high quality so that
it can be shared with the community as part of our transparency process.

We see your criticism of the process, and we will attempt to mitigate it. The new worker proposal will be using a new set of collaborative tools for auditors that will make the process clearer and ultimately more transparent (the new tools would allow e.g. public fetching of the ticket status). It is our duty to make sure all auditors are fully aware of the OWASP factors/rating system, and we will reiterate that.

Quote
How the vulnerability is scored, and the methods used to determine the score, are at the sole discretion of the panel chosen to audit the report

Since you're using the OWASP vulnerability rating system, there shouldn't be undisclosed deviation from this scoring mechanism. I get not disclosing details before they're mitigated, but this comes off as a clause to avoid reporters successfully contesting low vulnerability ratings.

This is somewhat true, as it is meant to give the final say to the audit panel. Several factors go into that calculation that would require full disclosure of reports, e.g.

- quality of report
- extent of attack vector provided, analysis and deduction of possible exploits
- completeness of report (hidden attack vectors that were found in review)

Disclosing that information would not be advisable (at least we thought so) due to security concerns, and as such the calculation of the reward may not be transparently comprehensible, not to the public and in some cases not even to the reporter themselves (at least not without an NDA). We take it as our homework to research how other bounty programs handle such sensitive cases.

  • The turnaround time from submitting report to being in receipt of reward is multiple months. It's discouraging to wait months with an unknown payout status; if there was a faster turnaround time then researchers would be more confident in dedicating time towards HTD.
  • Reports which aren't vulnerabilities don't get responses & you can't check on progress of any submitted reports without manual telegram/email communications every couple weeks. Rejection emails would be great.

This is certainly one of the biggest reasons for the change of collaborative tools, and as such I expect this to no longer be an issue (responses on all submissions, status updates and finalized reports within weeks, not months).

  • There has been no news update since late July 2018 nor changes to the website aside from populated reports/leaderboard/receipts. The organizer of the first HTD WP left the role & this role was filled by another community member without a blog update. What happened to Matt?

The day-job dilemma appeared. Both Blockchain Projects and Ryan Fox are working full-time in the blockchain space.

  • One of my submissions broke the submission form, resulting in a partial report submission. Bug report for your bug report.

The submission form has been changed; it now uses the local email client and highlights the submission email address as well.

  • Final scores for vulnerabilities are not disclosed, only the grade category for Likelihood, Impact & Severity. This further distances the researcher from contesting low rewards. A simple final_owasp_rating:reward calculation would make researchers' reward expectations more realistic months before the final payout. The full disclosure of vulnerability details (incl. final score) is an industry standard practiced by nvd.nist.gov, cvedetails.com and vuldb.com (etc.), which HTD ought to replicate so as to be more transparent.

Agreed, we will discuss how to refine the process in terms of disclosing the detailed OWASP scores.

  • It's the researcher's responsibility to report the vulnerability to NIST/cvedetails/vuldb; HTD should take the initiative to boast about solved vulnerabilities to potentially attract veteran security researchers (and potentially devs/investors). Bitcoin has vulnerability reports on these websites.

Expect an update on that after we have discussed this internally.

  • Report 20180918A (reflected XSS vuln) has a high impact, whereas 20180728A (stored XSS vuln) and 20180801A (stored XSS vuln) have medium impacts. Regardless of how they trigger (stored/reflected), the end result is identical (XSS attack). I believe that 20180728A and 20180801A ought to have been ranked & rewarded higher.

Once the new tools are set up we could re-examine those reports, no promises though. Please ping us then.

I love the HTD WP concept & don't hold any malice against anyone nor intend to grief/troll, I wish to simply improve the HTD process. I'll be voting to support this WP and hope that the above information helps.

And thank you for that!

Best regards,
  Blockchain Projects BV
  Stefan Schießl

3
Dear BitShares Community,

we (Blockchain Projects BV and Ryan Fox) are happy to announce (finally) the renewal of HackTheDex:

https://www.bitshares.foundation/workers/2019-04-hackthedex

Abstract

Quote
The HackTheDex bounty program was started in July 2018 and is consequently renewed now. Several critical reports have been submitted and fixed through HackTheDex, proof of its value and necessity. Those reports included several possibilities for chain halts and other severe attacks. An overview can be found here:

https://hackthedex.io/#/reports

BitShares is a decentralized exchange (DEX) built on top of delegated proof-of-stake (DPoS) blockchain technology. With all financial technology in the blockchain space, a major concern for users and traders is security.

If someone found a critical bug in the DEX, they might be tempted to exploit the bug, and attempt to steal funds from unsuspecting users. Without a public bug bounty system, hackers do not have an obvious path of disclosure for reporting their findings. They also do not have any incentive to share their exploits and techniques, rather than using them for personal gain.

With this proposal, we’d like to start a BitShares bug bounty program for security researchers and penetration testers (…aka hackers!) to disclose important security vulnerabilities they find within the BitShares core protocol, reference wallet, and related code repositories.

This proposal requires little funding, as most of the budget can be transferred from the old worker.

Thanks for any feedback and your support,
  Blockchain Projects BV
  Stefan Schießl

4
Deploy and maintain independent BitShares infrastructure

Dear BitShares Community,

given the growth of the BitShares ecosystem, we (Blockchain Projects BV) have been providing a basic infrastructure with the previous, just expired infrastructure worker.
That said, we would like to continue to provide the nodes and Elasticsearch APIs that have been deployed with the last worker; the reference faucet has been moved to a new worker.

Read the full details here: https://www.bitshares.foundation/workers/2019-02-infrastructure

Voting for worker proposals: Votes can be done via the reference wallet. Visit Menu -> Votes -> Workers or enter your account name in the link https://wallet.bitshares.org/#/account/youraccountnamehere/voting

This worker proposal has id 1.14.164 and name 201902-infrastructure.

Best Regards,
  Stefan Schießl
  Blockchain Projects BV

5
The positive feedback last week was perfect motivation to finalize our worker proposal for marketing, thanks to all comments. We have added some details on the interviews as well as on the progress of negotiations.

In short, please consider supporting our proposal! It is now on-chain for voting
https://www.bitshares.foundation/workers/2019-02-marketing-interviews-articles-and-visibility

6
Dear BitShares Community,

we have carefully crafted a marketing proposal with a limited budget to advance in that area:

https://www.bitshares.foundation/workers/2019-02-marketing-interviews-articles-and-visibility

Our aim is to have milestones that are tangible and measurable while being inclusive towards the community by allowing freelancer contributions. We believe we can leverage our extensive network within the BitShares Community to come to profound decisions in the selection of external contributions.

Best regards,
  Blockchain Projects BV
  Stefan Schießl

7
The BSIP is now on-chain and can be voted on
  https://www.bitshares.foundation/workers/2019-01-bsip57

8
Dear BitShares Community,

allow us to introduce a new BSIP that will enable off-chain activities that can be settled transparently on the blockchain, and implicitly enables the creation of savings accounts for users that are locked for a certain time period to enhance fund security.

For an easy read, please find the file here:
   https://github.com/blockchainprojects/bsips/blob/56_Managed_Vesting_Policies/bsip-0056.md

Any and all feedback is welcome; this BSIP is a draft so far, and discussion will also be found in the respective pull request:
   https://github.com/bitshares/bsips/pull/119

Best regards,
Stefan Schießl
Blockchain Projects BV

9
We at Blockchain Projects B.V. have identified the need for an open source mobile wallet for quite some time. There are a few apps in existence already. Some of them are in Java and open source, others are closed-source.

A while ago, we went ahead and made an investment to develop a framework for Android/iOS phones to work with the BitShares platform. We explicitly chose React Native so that JavaScript developers and/or React developers have an easy way into app development for BitShares.

At this point, our plan is to Open Source first, and ask for funding of ongoing development (12 months).
The details are provided here:

     https://www.bitshares.foundation/workers/2018-10-mobile-sdk

Given my involvement and conflicts of interest through my position as proxy and committee member, I would like to get a discussion about this going BEFORE the worker terms/conditions are frozen and put up for vote on chain.

So, please. Shoot your feedback!

10
Worker is active. Roadmap can be found here
https://github.com/blockchainprojects/bitshares-worker-infrastructure/blob/master/Roadmap_2018-07-infrastructure.pdf

Best regards,
  Stefan Schießl
  Blockchain Projects BV

11
The final report has been published now.

Best Regards,
   Stefan Schießl
   Blockchain Projects BV

12
Thanks to all for the support, here in the forum and on Telegram. The worker has now been created and is up for voting!

Voting for worker proposals: Votes can be done via the reference wallet. Visit Menu -> Votes -> Workers or enter your account name in the link https://wallet.bitshares.org/#/account/youraccountnamehere/voting

This worker proposal has id 1.14.108 and name 201807-infrastructure.

13
Quote
nodes - except for the bad SSL deployment at the very beginning, working quite well ever since, with uptime over 85%, which for me as hosting owner and BTS nodes manager is quite good.
Did you include the infrastructure nodes in your own monitoring? Would it be possible to get access to that? The new proposal will include public monitoring and statistics.

Quote
faucet - it's an unknown bug that everybody spent hours on trying to fix, and it's simply just random. Something as simple as a reset brings it back.
This bug is known, but we could not isolate its exact origin yet. Efforts will continue here.

Quote
3) The importance of having a committee-owned faucet and onboarding account that is paying fees and regulating half of the network is something that currently only BBF offers. The rest of the faucets are 3rd-party owned and nobody can affect them, vouch for them or provide to users of BitShares any word of guarantee that they are safe and processed "by the book".
The BBF does not operate the faucet, nor did it vouch for it. It is the escrow of the past infrastructure worker, which the community voted for and thus entrusted us (Blockchain Projects BV) to operate the faucet using a committee-owned account for the account creation and referral program. We (Blockchain Projects BV) would be happy to do paid audits of any other faucet implementation.

Quote
4) Automation of service deployment such as Docker is quite important for Linux newbies. I believe this should be continued and maybe even set up as a separate proposal where the team could be bigger and specially focused on automation/distribution packaging of our software/services. I think it would encourage more people to step up and contribute, where both core and BBF would have less to do, just more to manage. In my personal opinion this would be a bold move.
In the scope of this worker, the automated builds for Docker are included. Any efforts to further facilitate the distribution via separate worker proposals are very welcome.

Quote
5) I guess I'll see that $800 for the wildcard SSL burned back, since you were/are running Let's Encrypt. Will the premium SSL certificates this time be from Positive/Comodo, or do you have something else in mind?
A wildcard SSL certificate was not purchased in the last worker as it was optional; the corresponding funds will be returned, please wait for the final report of the old infrastructure worker. The new proposal will upgrade to premium SSL certificates.

Thank you for your feedback, I hope all of your questions have been answered.

Best regards,
 Stefan Schießl
 Blockchain Projects BV

14
A final report will be added soon to conclude this worker.

Best Regards,
   Stefan Schießl
   Blockchain Projects BV

15
Deploy and maintain independent BitShares infrastructure

Dear BitShares Community,

given the growth of the BitShares ecosystem, we (Blockchain Projects BV) have been providing a basic infrastructure with the just expired infrastructure worker (reports can be found here: http://www.bitshares.foundation/workers/2017-12-infrastructure). The community has been contributing as well, and the number of nodes for the reference wallet has increased greatly.

That said, we would like to continue to provide the nodes that have been deployed with the last worker as well as the faucet for the reference wallet.

Read the full details here: http://www.bitshares.foundation/workers/2018-07-infrastructure

Voting for worker proposals: Votes can be done via the reference wallet. Visit Menu -> Votes -> Workers or enter your account name in the link https://wallet.bitshares.org/#/account/youraccountnamehere/voting

This worker proposal has id 1.14.108 and name 201807-infrastructure.

Update 27 July 2018:
Worker is active. Roadmap can be found here
https://github.com/blockchainprojects/bitshares-worker-infrastructure/blob/master/Roadmap_2018-07-infrastructure.pdf


Best Regards,
  Stefan Schießl
  Blockchain Projects BV
