Author Topic: [Worker] HackTheDEX.io -- a BitShares Bug Bounty Program  (Read 9456 times)


Offline R

  • Hero Member
  • *****
  • Posts: 1010
I really like the idea! It's better to deal with security head on, rather than letting it bite us in the rear!

I've got a couple ideas which I hope will warrant a tiny bounty.. hope the worker gets activated!  :D

netdragonx

  • Guest
Good initiative. I am wondering, do you have a plan to extend the bounty program to gateways built on top of BitShares, especially those who develop their own wallet?

+5% +5% +5%

It would be difficult to do that, as many of these gateways fork the existing code and don't pull every fix. However, they will be indirectly supported by the program as long as they pull in updates as they are released.

In that same line of thought, it might be in our best interest to add a line of communication with the gateways, so that they are aware of the importance of certain vulnerabilities, so they aren't left hanging.

netdragonx

  • Guest
You have full support from me personally and from all partners/collaborations I can influence to give you a vote. However, I would ask for some proper time-tracking software/app for those audit hours before any complicated workers with a chaotic structure of many layers of teams get our votes in the future.

Why? We have 4 contacts total, 2 for 2 teams, where 1 contact is on both teams, and 1 contact with no team on this proposal is the auditor on one of the teams in another worker. Those contacts are assigning audits to specific devs, and without proper time-tracking, those devs can be wronged or the network can be charged for more hours than were actually worked.

The UI team works via GitHub tasks with an estimated complexity assigned to each task by the project lead. The primary contact (usually the repository maintainer) could be the one that estimates each vulnerability report as it comes in, and either assigns it or asks for a volunteer from the pool of experienced repository developers. I think that'd be the easiest approach for tracking time on less complex issues.

For serious or complex issues, time tracking could be useful, though, as the hacker may not know how to fix the issue, and an experienced team member might need to spend time figuring out how to resolve an issue that doesn't break the user experience.

Offline Digital Lucifer

  • Sr. Member
  • ****
  • Posts: 368
  • BitShares Maximalist & Venture Architect
  • BitShares: dls.cipher
  • GitHub: dls-cipher
Hey everybody!

A couple months ago, while working with the UI/app team in my spare time, I realized that we don't have a formalized method for reporting serious vulnerabilities.

If a security researcher/hacker found a critical bug in the DEX, they might be tempted to exploit the bug, and attempt to steal funds from unsuspecting users. Without a public bug bounty system, hackers do not have an obvious path of disclosure for reporting their findings. They also do not have any incentive to share their exploits and techniques, rather than using them for personal gain.

With this proposal, we’d like to start a BitShares bug bounty program for security researchers and penetration testers (...aka hackers!) to disclose important security vulnerabilities they find within the BitShares core protocol, reference wallet, and related code repositories.

The proposal will use allocated funds to reward those that step forward with exploits, relative to the overall risk assessment of the exploit. The higher the payout for critical bugs, the more incentive there will be to attract higher quality researchers, and ultimately provide better security coverage for the DEX.

Funds will also be used to build and maintain a website (https://hackthedex.io/) for reporting vulnerabilities. The website will include all the information needed for researchers to report a vulnerability, as well as an archive of bounty reports and a leaderboard to encourage a little friendly hacker competition. It will also lay the groundwork for future HackTheDEX worker proposals to improve the security and safety of BitShares as a whole.

Thanks to coordination with the foundation, worker proposal funds will be held in a BBF escrow account and unused funds will be refunded back to the network at the end of the proposal period.

For your consideration: https://www.bitshares.foundation/workers/2018-07-hackthedex

Thanks!

-- Matt

Glad to see this level of stepping up to secure the blockchain.

You have full support from me personally and from all partners/collaborations I can influence to give you a vote. However, I would ask for some proper time-tracking software/app for those audit hours before any complicated workers with a chaotic structure of many layers of teams get our votes in the future.

Why? We have 4 contacts total, 2 for 2 teams, where 1 contact is on both teams, and 1 contact with no team on this proposal is the auditor on one of the teams in another worker. Those contacts are assigning audits to specific devs, and without proper time-tracking, those devs can be wronged or the network can be charged for more hours than were actually worked.

I'm calling on Ryan Fox here to suggest a solution, as the most experienced business dev around.

My personal suggestion would be TopTracker (free; web, Mac, Win). Unlimited projects (workers), teams, and members. Very nice exports in both CSV and PDF.

Cheers,

DL.
Milos (DL) Preocanin
Owner and manager of bitshares.org
Move Institute, Non-profit organization
RN: 2098555000
Murska Sobota, Slovenia.

Offline Digital Lucifer

  • Sr. Member
  • ****
  • Posts: 368
  • BitShares Maximalist & Venture Architect
  • BitShares: dls.cipher
  • GitHub: dls-cipher
Good initiative. I am wondering, do you have a plan to extend the bounty program to gateways built on top of BitShares, especially those who develop their own wallet?

+5% +5% +5%

Tried that for free 1 year ago; it didn't go well. Now, if I get it right, gateways (as 3rd-party private businesses) with UIA tokens, earning a fortune from fees and preventing market liquidity by having the highest market fees worldwide, need the Reserve Pool to pay for security audits and developers? Over my dead body :)

If they want to contribute, they can make their gateways open-source; maybe then it makes sense. Until then, please care a bit about our precious funds rather than the private businesses around.

P.S. I know you're a good guy Bangzi, but advice based on personal experience... don't be too good. Be fair, it's better :)

Thanks.

Offline Bangzi

  • Sr. Member
  • ****
  • Posts: 321
    • Steemit: Bangzi
  • BitShares: bangzi
Good initiative. I am wondering, do you have a plan to extend the bounty program to gateways built on top of BitShares, especially those who develop their own wallet?

+5% +5% +5%

Offline sschiessl

  • Administrator
  • Hero Member
  • *****
  • Posts: 662
  • BitShares: sschiessl
This creates an incentive to disclose weaknesses, and as we see from other bigger companies it is a well-known approach to get attention from white hat initiatives, and it certainly only strengthens the network.

In the best case this worker creates curiosity but no one finds an actual exploit, reducing the cost to the monthly fixed fee. In the worst case it costs the full 250k, but in such a case some serious flaws will be vanquished and that 250k saves us bad publicity.

+1

netdragonx

  • Guest
Hey everybody!

A couple months ago, while working with the UI/app team in my spare time, I realized that we don't have a formalized method for reporting serious vulnerabilities.

If a security researcher/hacker found a critical bug in the DEX, they might be tempted to exploit the bug, and attempt to steal funds from unsuspecting users. Without a public bug bounty system, hackers do not have an obvious path of disclosure for reporting their findings. They also do not have any incentive to share their exploits and techniques, rather than using them for personal gain.

With this proposal, we’d like to start a BitShares bug bounty program for security researchers and penetration testers (...aka hackers!) to disclose important security vulnerabilities they find within the BitShares core protocol, reference wallet, and related code repositories.

The proposal will use allocated funds to reward those that step forward with exploits, relative to the overall risk assessment of the exploit. The higher the payout for critical bugs, the more incentive there will be to attract higher quality researchers, and ultimately provide better security coverage for the DEX.

Funds will also be used to build and maintain a website (https://hackthedex.io/) for reporting vulnerabilities. The website will include all the information needed for researchers to report a vulnerability, as well as an archive of bounty reports and a leaderboard to encourage a little friendly hacker competition. It will also lay the groundwork for future HackTheDEX worker proposals to improve the security and safety of BitShares as a whole.

Thanks to coordination with the foundation, worker proposal funds will be held in a BBF escrow account and unused funds will be refunded back to the network at the end of the proposal period.

For your consideration: https://www.bitshares.foundation/workers/2018-07-hackthedex

Thanks!

-- Matt