Dash Bug Bounty Program now open to public

jimbursch

Active Member
Mar 5, 2017
The Dash Bug Bounty Program is now open to the public:
https://bugcrowd.com/dashdigitalcash

By opening the program to the public, Dash is inviting more than 60,000 registered and verified Bugcrowd security experts around the world to detect issues on behalf of Dash and be rewarded in bug bounty payments. That means as more vulnerabilities are discovered and fixed, Dash will be more secure as a result.

The Dash Bug Bounty Program is a result of a proposal submitted by the DashIncubator project and was funded in the August Dash budget cycle. Thanks to the backing of the MNO network, Dash is able to boast having the best-funded bug bounty program in the cryptocurrency industry.

Dash engaged Bugcrowd, the leader in crowdsourced security testing, to set up and help manage the program. Bugcrowd connects Dash to a crowd of tens of thousands of security researchers to identify critical software vulnerabilities. With a fully-managed program, Dash can harness the expertise of Bugcrowd to manage the Dash bounty program in the safest, most secure and efficient manner.

Since the private launch of the program in August, several bugs have been reported and approximately $2,600 in bounties have been paid out by the program.

For regular updates about the Dash Bug Bounty Program, visit:
https://www.dash.org/forum/threads/dash-bug-bounty-program.16100/

ichigo13

Member
Masternode Owner/Operator
Jul 6, 2014
Excellent job. How do we define how much each bug is worth? Do we have any tiers for bugs?

jimbursch

Active Member
Mar 5, 2017
Excellent job. How do we define how much each bug is worth? Do we have any tiers for bugs?
When a bug is reported through the Bugcrowd platform, a Bugcrowd engineer evaluates the report to determine its legitimacy, make sure the report is complete and the bug can be reproduced. Then the engineer assigns a priority on a 1-5 scale, with 1 being the most severe. Then I review the report and pass it along to the Dash Core Team. We can accept or reject the report, or change the priority, and then make the bounty payment.

Here is the schedule of bounty payments:

Rewards:

Priority  Reward
P1        $5,000 - $10,000
P2        $1,000 - $5,000
P3        $500 - $1,000
P4        $100 - $500

For more about how Bugcrowd evaluates reports:
https://bugcrowd.com/vulnerability-rating-taxonomy

ichigo13

Member
Masternode Owner/Operator
Jul 6, 2014
When a bug is reported through the Bugcrowd platform, a Bugcrowd engineer evaluates the report to determine its legitimacy, make sure the report is complete and the bug can be reproduced. Then the engineer assigns a priority on a 1-5 scale, with 1 being the most severe. Then I review the report and pass it along to the Dash Core Team. We can accept or reject the report, or change the priority, and then make the bounty payment.

Here is the schedule of bounty payments:

Rewards:

Priority  Reward
P1        $5,000 - $10,000
P2        $1,000 - $5,000
P3        $500 - $1,000
P4        $100 - $500

For more about how Bugcrowd evaluates reports:
https://bugcrowd.com/vulnerability-rating-taxonomy

Great! We have about 345k USD for this program that will run for 3 months.
Do we have any data on Bugcrowd about any median numbers of bugs they discover and any median number of USD they are rewarded (per month or something similar)?
I wonder if they are going to be able to plough their way through all the available budget.

jimbursch

Active Member
Mar 5, 2017
The program will be running for 12 months.

Because we are very different from Bugcrowd's typical clients, I'm not sure how informative median data would be for this program.

I doubt that we will be paying out many bounties; certainly not many high priority bounties -- if there were many bugs/vulnerabilities, it would have killed Dash by now. That's not to say we won't find any, but I'm confident we won't be running out the budget.

ichigo13

Member
Masternode Owner/Operator
Jul 6, 2014
The program will be running for 12 months.

Because we are very different from Bugcrowd's typical clients, I'm not sure how informative median data would be for this program.

I doubt that we will be paying out many bounties; certainly not many high priority bounties -- if there were many bugs/vulnerabilities, it would have killed Dash by now. That's not to say we won't find any, but I'm confident we won't be running out the budget.
Yeah, I also believe that the bounties will be few and we won't be seeing any budget shortages.
After the 12 months, what will happen to the remaining budget? Do we continue the project with the leftover budget? I believe until then new code (Evolution) will be available to the public.

Leonidas

Active Member
Oct 22, 2016
Nice work!!!

For transparency and easy check-up, is there a document listing the bugs, their corresponding priority and their corresponding paid reward?

solarguy

Active Member
Mar 15, 2017
Dash is a marketer's dream. So many innovations and industry firsts. When the Core team finally inks the deal with the marketing firm, they will have plenty of ammunition to work with.