Author Topic: Bug Bounty proposal  (Read 1117 times)


Offline roadscape

This is a great idea!

Developers are the most qualified to determine if someone's report qualifies for a bounty payout, so as xeroc suggested, a threshold multisig acct consisting of a few trusted developers would be perfect for this.

Question would be .. in which asset to pay the bounty? BTS, bitUSD, or maybe "real" BTC?

Chain bounties should be paid with the core token imo.

And who would fund the bounties.. committee, businesses, or a worker perhaps?
http://cryptofresh.com  |  witness: roadscape

Offline xeroc

Oh .. btw .. there are already $7k available to the committee from accumulated fees ..
I am not 100% sure but I assume the committee could spend them anytime

Offline xeroc

A Bug Bounty Program is an excellent idea.
We should set up a multi-sig account and have it filled with some money over time ... say 5% of max daily payout for some months ...

In the meantime we can write up a page at bitshares.org to announce the bug bounty program ..
I really like this idea!

Question would be .. in which asset to pay the bounty? BTS, bitUSD, or maybe "real" BTC?
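The "threshold multisig account of a few trusted developers" that roadscape and xeroc describe above is, on BitShares, an account authority: a weight_threshold plus a list of authorised accounts (or keys), each with a weight, and the node only executes a transfer once the collected signatures reach the threshold. The block below is an added illustration, not code from BitShares or from any poster, that models that check offline so a proposed authority can be sanity-checked before it is committed on chain. The developer names, the 2-of-3 and lead-plus-one layouts, and the sample payout are all constructed.

```python
"""Offline model of a weighted-threshold ("multisig") authority, in the
shape BitShares account authorities take: a weight_threshold plus a list
of authorised accounts, each with a weight.  Added illustration for the
bounty-payout account discussed in the thread; it is not BitShares code,
and the developer names and payout below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Authority:
    weight_threshold: int
    account_auths: Dict[str, int] = field(default_factory=dict)  # name -> weight

    def signing_weight(self, signers: Iterable[str]) -> int:
        """Sum the weights of distinct signers who are actually members.
        A member signing twice counts once; a non-member counts zero."""
        return sum(self.account_auths.get(s, 0) for s in set(signers))

    def satisfied_by(self, signers: Iterable[str]) -> bool:
        return self.signing_weight(signers) >= self.weight_threshold

    def problems(self) -> List[str]:
        """Configuration checks worth running before committing the
        authority on chain, where a bad update is not easily undone."""
        issues = []
        total = sum(self.account_auths.values())
        if self.weight_threshold <= 0:
            issues.append("threshold of zero lets anyone spend")
        if total < self.weight_threshold:
            issues.append("threshold unreachable: funds would be locked")
        for name, w in self.account_auths.items():
            if w >= self.weight_threshold:
                issues.append(f"{name} alone meets the threshold: not multisig")
        return issues


@dataclass
class BountyPayout:
    """A proposed payout that collects approvals from authority members."""
    recipient: str
    amount: int
    asset: str
    approvals: List[str] = field(default_factory=list)

    def approve(self, member: str) -> None:
        if member not in self.approvals:
            self.approvals.append(member)


def can_execute(authority: Authority, payout: BountyPayout) -> bool:
    """True once the collected approvals carry enough weight."""
    return authority.satisfied_by(payout.approvals)


# Constructed 2-of-3 developer account: any two of the three may pay out.
BOUNTY_AUTHORITY = Authority(
    weight_threshold=2,
    account_auths={"dev-a": 1, "dev-b": 1, "dev-c": 1},
)

# Constructed weighted variant: the lead (weight 2) plus any one other dev
# can spend, but the two ordinary devs together cannot without the lead.
LEAD_AUTHORITY = Authority(
    weight_threshold=3,
    account_auths={"lead": 2, "dev-b": 1, "dev-c": 1},
)


def demo() -> bool:
    """Walk a constructed payout through the 2-of-3 account."""
    payout = BountyPayout(recipient="researcher", amount=1000, asset="BTS")
    payout.approve("dev-a")
    payout.approve("dev-a")                       # repeat approval adds no weight
    one = can_execute(BOUNTY_AUTHORITY, payout)   # False: weight 1 < 2
    payout.approve("dev-b")
    two = can_execute(BOUNTY_AUTHORITY, payout)   # True: weight 2 >= 2
    return (not one) and two


if __name__ == "__main__":
    print("config issues:", BOUNTY_AUTHORITY.problems())
    print("2-of-3 flow ok:", demo())
```

The `problems()` checks are the ones that matter most for a funded account: a threshold no single member can reach on their own (otherwise it is not multisig), and a threshold the whole group can still reach together (otherwise the bounty pool is locked).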

Offline noisy

*To any mods that would attempt to move this post, please refrain from doing so, as this is not a concrete proposal, but rather a prompt for discussion.

There are three inevitable things in life: death, taxes and bugs in software. The features are important, but they are worth nothing if they are buggy.

Most good cryptoexchanges have some kind of bug bounty. Example: https://www.coinbase.com/whitehat

Quote
Rewards
The minimum payout is $100 USD and an entry in our hall of fame for reporting a new security vulnerability which results in a code or configuration change on our part. There is no maximum reward, and we may award higher amounts based on the severity or creativity of the vulnerability found. Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.

We use the following table as a guideline for determining reward amounts:

Vulnerability   Reward
Remote Code Execution   $10,000
Significant manipulation of account balance   $5,000
XSS/CSRF/Clickjacking affecting sensitive actions [1]   $5,000
Theft of privileged information [2]   $3,000
Partial authentication bypass   $1,000
Other XSS (excluding Self-XSS)   $1,000
Other vulnerability with clear potential for financial or data loss   $1,000
Other CSRF (excluding logout CSRF)   $250
Other best practice or defense in depth   $100

It is better to prevent bad publicity and losing users in case someone decides to exploit some bugs.

I guess we could also think about rewarding less serious bugs, which cause the web wallet to become unresponsive, etc.

What do you think about that?
Take a look at: https://bitsharestalk.org/index.php/topic,19625.msg251894.html - I have a crazy idea - let's convince cryptonomex developers to use livecoding.tv