
Dash Bug Bounty Program now open to public

jimbursch

The Dash Bug Bounty Program is now open to the public:
https://bugcrowd.com/dashdigitalcash

By opening the program to the public, Dash is inviting more than 60,000 registered and verified Bugcrowd security experts around the world to detect issues on behalf of Dash and be rewarded in bug bounty payments. That means that as more vulnerabilities are discovered and fixed, Dash will be more secure as a result.

The Dash Bug Bounty Program is a result of a proposal submitted by the DashIncubator project and was funded in the August Dash budget cycle. Thanks to the backing of the MNO network, Dash is able to boast having the best-funded bug bounty program in the cryptocurrency industry.

Dash engaged Bugcrowd, the leader in crowdsourced security testing, to set up and help manage the program. Bugcrowd connects Dash to a crowd of tens of thousands of security researchers to identify critical software vulnerabilities. With a fully-managed program, Dash can harness the expertise of Bugcrowd to manage the Dash bounty program in the safest, most secure and efficient manner.

Since the private launch of the program in August, several bugs have been reported and approximately $2,600 in bounties have been paid out by the program.

For regular updates about the Dash Bug Bounty Program, visit:
https://www.dash.org/forum/threads/dash-bug-bounty-program.16100/
 
Excellent job. How do we define how much each bug is worth? Do we have any tiers for bugs?
 
When a bug is reported through the Bugcrowd platform, a Bugcrowd engineer evaluates the report to determine its legitimacy and to make sure the report is complete and the bug can be reproduced. Then the engineer assigns a priority on a 1-5 scale, with 1 being the most severe. Then I review the report and pass it along to the Dash Core Team. We can accept or reject the report, or change the priority, and then make the bounty payment.

Here is the schedule of bounty payments:

Rewards:

Priority   Reward
P1         $5,000 - $10,000
P2         $1,000 - $5,000
P3         $500 - $1,000
P4         $100 - $500

For more about how Bugcrowd evaluates reports:
https://bugcrowd.com/vulnerability-rating-taxonomy
 
Great! We have about 345k USD for this program that will run for 3 months.
Do we have any data on Bugcrowd about any median numbers of bugs they discover and any median number of USD they are rewarded (per month or something similar)?
I wonder if they are going to be able to plough their way through all the available budget.
 
The program will be running for 12 months.

Because we are very different from Bugcrowd's typical clients, I'm not sure how informative median data would be for this program.

I doubt that we will be paying out many bounties; certainly not many high priority bounties -- if there were many bugs/vulnerabilities, it would have killed Dash by now. That's not to say we won't find any, but I'm confident we won't be running out the budget.
 
Yeah, I also believe that the bounties will be few and we won't be seeing any budget shortages.
After the 12 months what will happen to the remaining budget? Do we continue the project with the leftover budget? I believe until then new code (Evolution) will be available to the public.
 
Nice work!!!

For transparency and easy check up, is there a document listing the bugs, their corresponding priority and their corresponding paid reward?
 
Dash is a marketer's dream. So many innovations and industry firsts. When the Core team finally inks the deal with the marketing firm, they will have plenty of ammunition to work with.
 