
Dash Bug Bounty Program now open to public

Discussion in 'General Discussion' started by jimbursch, Sep 6, 2017.

  1. jimbursch

    jimbursch Active Member

    Joined:
    Mar 5, 2017
    Messages:
    824
    Likes Received:
    487
    Trophy Points:
    133
    The Dash Bug Bounty Program is now open to the public:
    https://bugcrowd.com/dashdigitalcash

    By opening the program to the public, Dash is inviting more than 60,000 registered and verified Bugcrowd security experts around the world to detect issues on behalf of Dash and be rewarded in bug bounty payments. That means more vulnerabilities are discovered and fixed, and Dash will be more secure as a result.

    The Dash Bug Bounty Program is a result of a proposal submitted by the DashIncubator project and was funded in the August Dash budget cycle. Thanks to the backing of the MNO network, Dash is able to boast having the best-funded bug bounty program in the cryptocurrency industry.

    Dash engaged Bugcrowd, the leader in crowdsourced security testing, to set up and help manage the program. Bugcrowd connects Dash to a crowd of tens of thousands of security researchers to identify critical software vulnerabilities. With a fully-managed program, Dash can harness the expertise of Bugcrowd to manage the Dash bounty program in the safest, most secure and efficient manner.

    Since the private launch of the program in August, several bugs have been reported and approximately $2,600 in bounties have been paid out by the program.

    For regular updates about the Dash Bug Bounty Program, visit:
    https://www.dash.org/forum/threads/dash-bug-bounty-program.16100/
     
  2. daf

    daf Active Member

    Joined:
    Oct 18, 2015
    Messages:
    174
    Likes Received:
    126
    Trophy Points:
    103
    Excellent work. Applause.
     
  3. ichigo13

    ichigo13 Member
    Masternode Owner/Operator

    Joined:
    Jul 6, 2014
    Messages:
    41
    Likes Received:
    29
    Trophy Points:
    58
    Excellent job. How do we define how much each bug is worth? Do we have any tiers for bugs?
     
  4. jimbursch

    When a bug is reported through the Bugcrowd platform, a Bugcrowd engineer evaluates the report to determine its legitimacy, make sure the report is complete and the bug can be reproduced. Then the engineer assigns a priority on a 1-5 scale, with 1 being the most severe. Then I review the report and pass it along to the Dash Core Team. We can accept or reject the report, or change the priority, and then make the bounty payment.

    Here is the schedule of bounty payments:

    Rewards:

    Priority   Reward
    P1         $5,000 - $10,000
    P2         $1,000 - $5,000
    P3         $500 - $1,000
    P4         $100 - $500

    For more about how Bugcrowd evaluates reports:
    https://bugcrowd.com/vulnerability-rating-taxonomy
     
  5. ichigo13

    Great! We have about 345k USD for this program that will run for 3 months.
    Do we have any data on Bugcrowd about any median numbers of bugs they discover and any median number of USD they are rewarded (per month or something similar)?
    I wonder if they are going to be able to plough their way through all the available budget.
     
  6. jimbursch

    The program will be running for 12 months.

    Because we are very different from Bugcrowd's typical clients, I'm not sure how informative median data would be for this program.

    I doubt that we will be paying out many bounties; certainly not many high priority bounties -- if there were many bugs/vulnerabilities, it would have killed Dash by now. That's not to say we won't find any, but I'm confident we won't be running out the budget.
     
  7. ichigo13

    Yeah, I also believe that the bounties will be few and we won't be seeing any budget shortages.
    After the 12 months, what will happen to the remaining budget? Do we continue the project with the leftover budget? I believe until then new code (Evolution) will be available to the public.
     
  8. jimbursch

    Yes, I anticipate that we will simply continue the program.
     
  9. Leonidas

    Leonidas Active Member

    Joined:
    Oct 22, 2016
    Messages:
    396
    Likes Received:
    142
    Trophy Points:
    113
    Nice work!!!

    For transparency and easy checking, is there a document listing the bugs, their corresponding priority and their corresponding paid reward?
     
  10. jimbursch

  11. solarguy

    solarguy Active Member

    Joined:
    Mar 15, 2017
    Messages:
    868
    Likes Received:
    412
    Trophy Points:
    133
    Dash is a marketer's dream. So many innovations and industry firsts. When the Core team finally inks the deal with the marketing firm, they will have plenty of ammunition to work with.
     
  12. CaptAhab

    CaptAhab Member

    Joined:
    Mar 25, 2015
    Messages:
    102
    Likes Received:
    57
    Trophy Points:
    78
    Dash Address:
    XwUeFiUQz1qLurzcpzKBDUTPvj1Tzx3FYs
    Great work Jim
     
