Topic: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program

Offline netdragonx

[Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« on: July 10, 2018, 05:26:12 pm »
Hey everybody!

A couple months ago, while working with the UI/app team in my spare time, I realized that we don't have a formalized method for reporting serious vulnerabilities.

If a security researcher/hacker found a critical bug in the DEX, they might be tempted to exploit the bug, and attempt to steal funds from unsuspecting users. Without a public bug bounty system, hackers do not have an obvious path of disclosure for reporting their findings. They also do not have any incentive to share their exploits and techniques, rather than using them for personal gain.

With this proposal, we’d like to start a BitShares bug bounty program for security researchers and penetration testers (...aka hackers!) to disclose important security vulnerabilities they find within the BitShares core protocol, reference wallet, and related code repositories.

The proposal will use allocated funds to reward those that step forward with exploits, relative to the overall risk assessment of the exploit. The higher the payout for critical bugs, the more incentive there will be to attract higher quality researchers, ultimately providing better security coverage for the DEX.

Funds will also be used to build and maintain a website (https://hackthedex.io/) for reporting vulnerabilities. The website will include all the information needed for researchers to report a vulnerability, as well as an archive of bounty reports and a leaderboard to encourage a little friendly hacker competition. It will also lay the groundwork for future HackTheDEX worker proposals to improve the security and safety of BitShares as a whole.

Thanks to coordination with the foundation, worker proposal funds will be held in a BBF escrow account and unused funds will be refunded back to the network at the end of the proposal period.

For your consideration: https://www.bitshares.foundation/workers/2018-07-hackthedex

Thanks!

-- Matt
twitter: @mattbeckman
steemit: netdragonx
telegram: @mattbeckman

Online sschiessl

Re: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« Reply #1 on: July 10, 2018, 09:01:49 pm »
This creates an incentive to disclose weaknesses, and as we see from other bigger companies it is a well-known approach to get attention from white hat initiatives, and it certainly only strengthens the network.

In the best case this worker creates curiosity but no one finds an actual exploit, reducing the cost to the monthly fixed fee. In the worst case it costs the full 250k, but in such a case some serious flaws will be vanquished and that 250k saves us bad publicity.

+1

Offline Bangzi

Re: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« Reply #2 on: July 10, 2018, 11:47:08 pm »
Good initiative. I am wondering, do you have a plan to extend the bounty program to gateways built on top of BitShares, especially those who develop their own wallet?

+5% +5% +5%
Please Vote for My Witness: Bangzi
My Blog: https://steemit.com/@bangzi
请投票支持比特股见证人: Bangzi

Offline Digital Lucifer

Re: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« Reply #3 on: July 11, 2018, 01:44:18 am »
Good initiative. I am wondering, do you have a plan to extend the bounty program to gateways built on top of BitShares, especially those who develop their own wallet?

+5% +5% +5%

Tried for free 1 year ago, didn't go well. Now, if I get it right: gateways (as 3rd-party private businesses) with UIA tokens, earning a fortune from fees and preventing market liquidity with the highest market fees worldwide, need the Reserve Pool to pay for security audits and developers? Over my dead body :)

If they wanna contribute, they can make their gateways open-source; maybe then it makes sense. Until then, please care a bit about our precious funds rather than the private businesses around.

P.S. I know you're a good guy Bangzi, but advice based on personal experience... don't be too good. Be fair, it's better :)

Thanks.
« Last Edit: July 11, 2018, 12:16:59 pm by Digital Lucifer »
Milos (Mike) Preocanin - General Manager @ Syntek Solutions
TOANDI Co., LTD. (BOI Approved) - TAX ID: 0205549016913 - 95/5 Moo 4 Siam Country Club Rd.
Nong Prue, Bang Lamung, Chonburi 20250, Thailand.

Offline Digital Lucifer

Re: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« Reply #4 on: July 11, 2018, 02:25:06 am »
Hey everybody!

A couple months ago, while working with the UI/app team in my spare time, I realized that we don't have a formalized method for reporting serious vulnerabilities.

If a security researcher/hacker found a critical bug in the DEX, they might be tempted to exploit the bug, and attempt to steal funds from unsuspecting users. Without a public bug bounty system, hackers do not have an obvious path of disclosure for reporting their findings. They also do not have any incentive to share their exploits and techniques, rather than using them for personal gain.

With this proposal, we’d like to start a BitShares bug bounty program for security researchers and penetration testers (...aka hackers!) to disclose important security vulnerabilities they find within the BitShares core protocol, reference wallet, and related code repositories.

The proposal will use allocated funds to reward those that step forward with exploits, relative to the overall risk assessment of the exploit. The higher the payout for critical bugs, the more incentive there will be to attract higher quality researchers, ultimately providing better security coverage for the DEX.

Funds will also be used to build and maintain a website (https://hackthedex.io/) for reporting vulnerabilities. The website will include all the information needed for researchers to report a vulnerability, as well as an archive of bounty reports and a leaderboard to encourage a little friendly hacker competition. It will also lay the groundwork for future HackTheDEX worker proposals to improve the security and safety of BitShares as a whole.

Thanks to coordination with the foundation, worker proposal funds will be held in a BBF escrow account and unused funds will be refunded back to the network at the end of the proposal period.

For your consideration: https://www.bitshares.foundation/workers/2018-07-hackthedex

Thanks!

-- Matt

Glad to see this level of stepping up to secure the Blockchain.

You have full support from me personally and from all partners/collaborations I can influence to give you a vote. Although, I would be asking for some proper time-tracking soft/app for those audit hours, before any complicated workers with a chaotic structure of many layers of teams get our votes in the future.

Why? We have 4 contacts total, 2 for 2 teams, where 1 contact is on both teams, and 1 contact with no team on this proposal is Audit on one of the teams in another worker. Those contacts are assigning audits to specific devs, and without proper time-tracking, those devs can be wronged or the network can be charged for more hours than were done.

I'm calling Ryan Fox here to suggest a solution, as the most experienced Business Dev around.

My personal suggestion would be TopTracker (FREE - Web, Mac, Win). Unlimited projects (workers), teams, members. Very nice exports in both CSV and PDF.

Cheers,

DL.
« Last Edit: July 11, 2018, 02:33:49 am by Digital Lucifer »

Offline netdragonx

Re: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« Reply #5 on: July 11, 2018, 10:44:55 pm »
You have full support from me personally and from all partners/collaborations I can influence to give you a vote. Although, I would be asking for some proper time-tracking soft/app for those audit hours, before any complicated workers with a chaotic structure of many layers of teams get our votes in the future.

Why? We have 4 contacts total, 2 for 2 teams, where 1 contact is on both teams, and 1 contact with no team on this proposal is Audit on one of the teams in another worker. Those contacts are assigning audits to specific devs, and without proper time-tracking, those devs can be wronged or the network can be charged for more hours than were done.

The UI team works via github tasks with estimated complexity assigned to each task by the project lead. The primary contact (usually repository maintainer) could be the one that estimates each vulnerability report as they come in, and either assigns or asks for a volunteer from the pool of experienced repository developers. I think that'd be the easiest approach for tracking time for less complex issues.

For serious or complex issues, time tracking could be useful, though, as the hacker may not know how to fix the issue, and an experienced team member might need to spend time figuring out how to resolve an issue that doesn't break the user experience.

Offline netdragonx

Re: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« Reply #6 on: July 11, 2018, 10:49:21 pm »
Good initiative. I am wondering, do you have a plan to extend the bounty program to gateways built on top of BitShares, especially those who develop their own wallet?

+5% +5% +5%

It would be difficult to do that, as many of these gateways fork the existing code and don't pull every fix. However, they will be indirectly supported by the program as long as they pull in updates as they are released.

In that same line of thought, it might be in our best interest to add a line of communication with the gateways, so that they are aware of the importance of certain vulnerabilities, so they aren't left hanging.

Offline Customminer

Re: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« Reply #7 on: July 12, 2018, 03:45:20 pm »
I really like the idea! It's better to deal with security head on, rather than letting it bite us in the rear!

I've got a couple ideas which I hope will warrant a tiny bounty.. hope the worker gets activated!  :D
Hertz, Beyond Bitshares, Gridcoin!

Offline netdragonx

Re: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« Reply #8 on: July 15, 2018, 03:48:14 am »
I really like the idea! It's better to deal with security head on, rather than letting it bite us in the rear!

I've got a couple ideas which I hope will warrant a tiny bounty.. hope the worker gets activated!  :D

I would welcome your submissions! It's definitely a feature we should have. It's only a financial exchange with a $436M market cap. :)

Offline bench

Re: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« Reply #9 on: July 15, 2018, 03:31:33 pm »
Very important proposal, gets my vote.

Offline clockwork

Re: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« Reply #10 on: July 16, 2018, 08:37:37 am »
Voted

Offline netdragonx

Re: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« Reply #11 on: July 17, 2018, 05:20:19 pm »
Thanks for voting, everybody! The proposal is currently active.

I'll be starting work this week on updating the website with what we'll need for vulnerability disclosures, reporting, and a leaderboard.

Offline netdragonx

Re: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« Reply #12 on: July 26, 2018, 06:36:45 pm »
Hi everyone,

Website is live: https://hackthedex.io/

If you have any issues, questions, or feedback, let me know.

We can adjust rules as need be, so let's discuss what's best for the community.

Also, if you find the easter egg, let me know.  ;)

Offline clockwork

Re: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« Reply #13 on: July 26, 2018, 06:53:47 pm »
Hi everyone,

Website is live: https://hackthedex.io/

If you have any issues, questions, or feedback, let me know.

We can adjust rules as need be, so let's discuss what's best for the community.

Also, if you find the easter egg, let me know.  ;)

AWESOME

Offline clockwork

Re: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« Reply #14 on: July 26, 2018, 06:55:27 pm »
Also, if you find the easter egg, let me know.  ;)

<3 Weird Al

Online sschiessl

Re: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« Reply #15 on: July 26, 2018, 07:11:37 pm »
+1

Offline xeroc

Re: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program
« Reply #16 on: July 27, 2018, 07:20:21 am »
+5%
Give BitShares a try! Use the http://testnet.bitshares.eu provided by http://bitshares.eu powered by ChainSquad GmbH