Bug bounty and/or security audit?

alex9

Member
Feb 4, 2017
57
7
48
Yesterday, a vulnerability exploit in Bitcoin Unlimited (BU) was launched, capable of "knocking down" a node using a specially crafted message.

I believe that in connection with the latest developments around Dash (price increase and as a consequence - increased attention to Dash, DDoS attack on the Dash network), attention to the security of Dash from a wide range of grey-hat and black-hat hackers is almost inevitable.

In my experience (15 years of development and 11 years of security analysis), I know that the developer and the cracker are looking at the same code in different ways. The BU bug remained unnoticed for 9 months and eventually led to drop of 70% BU nodes.

Also, I'm inclined to agree with the fairly common opinion that no one reads the code of large projects, and therefore it's pretty naive to hope that serious bugs will be discovered by random enthusiasts and added to Issues on Github.

Don't you think, dear developers, it is advisable to run a bug bounty program and/or hire a contractor to audit security (as, for example, did it in VeraCrypt)?
 
  • Like
Reactions: GNULinuxGuy

jimbursch

Well-known Member
Mar 5, 2017
837
502
163
57
An independently administered bug bounty program funded by the Budget sounds like an awesome idea. I have zero experience in this area but would very much like to learn more.

A quick search of bug bounty programs returned https://bugcrowd.com/
 

GrandMasterDash

Grizzled Member
Masternode Owner/Operator
Jul 12, 2015
3,145
1,241
1,183
I agree there needs to an ongoing body that deals with code audits. But I also think the coders must be disarmed of their ability to implement features and policies that nobody voted for.