Dash Bug Bounty Program

jimbursch

Active Member
The Dash Bug Bounty Program is scheduled to launch privately on the Bugcrowd platform on August 8, and we are planning to launch publicly approximately two weeks after that.

Previously we had planned on running the program privately for at least a month, but after discussion with the Bugcrowd technical lead, we decided we can go public much sooner, given that we are dealing with open source software that is already exposed to the public.

Now that we have received the second budget payout, we can add applications to the bounty program. I am open to suggestions about what apps should be added to the program. I think that we should add selected wallet apps, such as the iOS wallet, Android wallet, and the CoPay wallet when it is available.
 

jimbursch

Active Member
The Dash Bug Bounty Program has been launched privately on the Bugcrowd platform!

Naturally, for security reasons I won't be able to report publicly on bugs found until after the bugs are fixed. I am reporting any vulnerabilities found to Holger Schinzel (@flare), who leads QA for the Core Team.
 

demo

Well-known Member
The Dash Bug Bounty Program has been launched privately on the Bugcrowd platform!

Naturally, for security reasons I won't be able to report publicly on bugs found until after the bugs are fixed. I am reporting any vulnerabilities found to Holger Schinzel (@flare), who leads QA for the Core Team.
Can you report the number of bugs discovered and their severity, without revealing what the bugs are?
And also what is the response time of the core team? How long does it take to fix the discovered bugs?
Total obscurity is not a good thing. The Dash community should be aware of the statistics.
 

jimbursch

Active Member
Can you report the number of bugs discovered and their severity, without revealing what the bugs are?
And also what is the response time of the core team? How long does it take to fix the discovered bugs?
Since the launch of the program, only one vulnerability has been reported. The reported vulnerability involved the dash.org website, so it was out-of-scope for the program and therefore doesn't qualify for a bounty payment, but we can reward the researcher with "kudos".

The vulnerability could have leaked sensitive information, but further evaluation determined that it did not contain sensitive information. The vulnerability was reported to Holger Schinzel (@flare) and he passed it along to the appropriate Core Team members.

Personally, it's kind of exciting seeing the program work at surfacing an issue. But the program is just as successful when nothing gets reported.
 

jimbursch

Active Member
In the last week two bugs have been discovered, but since they were discovered by me (and confirmed by @UdjinM6), obviously I am excluded from collecting bounties.

The two bugs are:

listreceivedbyaddress includes send addresses
https://github.com/dashpay/dash/issues/1576

Incorrect RPC output for mixing txes
https://github.com/dashpay/dash/issues/1574

Right now the Dash Bug Bounty program is scheduled to be opened to the public on 9/6. When that happens, there will be PR (press release, blog post, social media) that goes out at the same time.

In the meantime, Bugcrowd is inviting additional researchers to the private program.
 

codablock

Active Member
Core Developer
Hey Jim,
what's the state of the private program? When is it going to become public? I recently found a vulnerability which I decided to report immediately to core instead of waiting for the Bugcrowd program to become public. I probably just found the next one related to instant send and now I'm again in the dilemma of deciding about when to report it.
 

demo

Well-known Member
Hey Jim,
what's the state of the private program? When is it going to become public? I recently found a vulnerability which I decided to report immediately to core instead of waiting for the Bugcrowd program to become public. I probably just found the next one related to instant send and now I'm again in the dilemma of deciding about when to report it.
Dash is not meant to reward workers or the new generation.
Dash is just the medium for the greedy generation of 2014-2016 to get richer and richer.
Dash is meant to reward the early adopters and the investors/gamblers, not the people who work honestly.
You are losing your time here.
Look at me, look how I became. Don't be like me.
Don't follow my road, don't spend your time.
Invest your time wisely. Go away.
And if you find something good, please don't forget the advice I gave you and inform me about it.
But if you finally decide to stay here, expect it and be prepared. The greedy Dash generation of 2014-2016 will devour you.
 

Super8

Active Member
Dash is not meant to reward workers or the new generation.
Dash is just the medium for the greedy generation of 2014-2016 to get richer and richer.
Dash is meant to reward the early adopters and the investors/gamblers, not the people who work honestly.
You are losing your time here.
Look at me, look how I became. Don't be like me.
Don't follow my road, don't spend your time.
Invest your time wisely. Go away.
And if you find something good, please don't forget the advice I gave you and inform me about it.
But if you finally decide to stay here, expect it and be prepared. The greedy Dash generation of 2014-2016 will devour you.
Stop trolling demo. If you're bitter because you haven't invested your money in Dash... and yet u continue to invest your time in denigrating the experience of people who want to get on board and join Dash, then why will u not follow your own advice and go away to somewhere else. Please, for your own happiness (and I assure you the happiness of many here) please just GO!
 

demo

Well-known Member
Stop trolling demo. If you're bitter because you haven't invested your money in Dash... and yet u continue to invest your time in denigrating the experience of people who want to get on board and join Dash, then why will u not follow your own advice and go away to somewhere else. Please, for your own happiness (and I assure you the happiness of many here) please just GO!
What are you talking about? Are you nuts?
@codablock is NOT an investor. He is a WORKER.
I suggest to the workers (and to the rest of the slaves of the greedy Dash generation of 2014-2016) to go away.
I would never bother to give any good advice to investors/gamblers because I detest them. And whatever bad will happen to them in the future, I will be glad of it, because they deserve their fate. There is no chance for the people who invest in chance. Sooner or later the goddess Tyche will tear them apart.

@Super8 I desperately wish to go. Please help me. Suggest a better place to me.
 

codablock

Active Member
Core Developer
What are you talking about? Are you nuts?
@codablock is NOT an investor. He is a WORKER.
I suggest to the workers (and to the rest slaves of the greedy dash generation of 2014-2016) to go away.
I would never give any good advice to investors/gamblers because I detest them anyway. And whatever bad will happen to them in the future, I will be glad of it because they deserve their fate. There is no chance for the people who invest in chance.
Please don't speak for me, I can do that on my own. You don't know if I'm a worker or an investor or maybe both.
And please stop this discussion here, what you try to discuss is not what my question was about.
 

demo

Well-known Member
You don't know if I'm a worker or an investor or maybe both. And please stop this discussion here, what you try to discuss is not what my question was about.
OK, I'll stop the discussion here. But your above first sentence is wrong. I don't know whether you are both worker and investor, but you are certainly a worker, and I know that.
 

jimbursch

Active Member
Hi @codablock

I'm out on vacation right now and will be back Monday morning. I will get in touch with you directly on Monday. I'm aware of your report and we will make arrangements for your situation.

Thank you very much for the work you have done! I will be in touch.
 

jimbursch

Active Member
In the last two weeks, two vulnerabilities in the Dash Core code have been reported.

Local Privilege Escalation during installation (UAC bypass)
https://github.com/dashpay/dash/issues/1612
Priority: P3
Bounty paid: $600
This vulnerability was reported by a Bugcrowd researcher through the Bugcrowd platform, and the bounty was paid in USD through the Bugcrowd platform.

potential quorum exploit method
https://www.dash.org/forum/threads/...due-to-potential-quorum-exploit-method.16492/
Priority: P2
Bounty paid: 6.4 Dash (~$2000 USD)
This vulnerability was reported directly to the Dash Core Team and the bounty was paid out directly in Dash to the two developers who found the vulnerability.
 

jimbursch

Active Member
As a reminder, the Dash Bug Bounty Program is located here:
https://bugcrowd.com/dashdigitalcash

It has been pretty quiet with the program for the last couple of weeks. No bounties have been paid out. We did receive several reports that were out-of-scope. One involved an obscure vulnerability in the Windows operating system that could lead to privilege escalation if the attacker has admin privileges. Another reported git repositories that are publicly exposed on the dash.org domain, which has been reported to @tungfa and @kot.

As soon as the Dashpay Wallet (or Dash CoPay wallet) is available it will be added to the Dash Bug Bounty program. We will be coordinating with @Chuck Williams.

Soon Dash Messaging will be added to the program as a kudos-only app. Kudos-only means that bounties are not paid in cash, but are paid in Bugcrowd's internal points system.

Feel free to contact me if anyone has any questions.
 

tungfa

Administrator
Dash Core Team
Moderator
Foundation Member
Masternode Owner/Operator
Another reported git repositories that are publicly exposed on the dash.org domain, which has been reported to @tungfa and @kot.
tx buddy
team is aware and will soon mitigate that issue by moving to a different publication approach
 

jimbursch

Active Member
Hi @demo

Good catch! Thank you for reporting this issue. I see that @UdjinM6 reviewed the issue, gave it a thumbs-up and a fix has been submitted.

I will give this a P4 priority rating, which has a bounty range of $100-$500 USD (see https://bugcrowd.com/dashdigitalcash). Does 0.5 Dash sound like a reasonable bounty? If so, private message me your Dash address and I will send you the bounty payment.

Thanks again for strengthening Dash by reporting this bug.
 

demo

Well-known Member
Hi @demo

Good catch! Thank you for reporting this issue. I see that @UdjinM6 reviewed the issue, gave it a thumbs-up and a fix has been submitted.

I will give this a P4 priority rating, which has a bounty range of $100-$500 USD (see https://bugcrowd.com/dashdigitalcash). Does 0.5 Dash sound like a reasonable bounty? If so, private message me your Dash address and I will send you the bounty payment.

Thanks again for strengthening Dash by reporting this bug.
Whatever tip you decide to give me, it's fine for me!
My address is always public as shown in my profile, because it will be used for the universal dividend foundation.
So please send the tip there:

dash:XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX

To be honest, the bug I discovered is totally insignificant, because it doesn't affect the system during runtime. It is just a nuisance during compilation. This nuisance can be avoided if you upgrade to qt > 5.2, which can easily be done by almost everyone (except the ones who are using really old computers or the ones who are using inflexible embedded hardware devices). Fortunately, after @UdjinM6 fixed the bug, not even this nuisance exists anymore. In conclusion, 0.5 dash is more than enough as a reward for the discovery of this bug.
 

jimbursch

Active Member
Here is an update on the Dash Bug Bounty program.

No bounties have been paid out either directly or through the Bugcrowd platform in the last month.

Most of the activity on the Bugcrowd platform has been with Dash Messaging (https://d-msg.com), where 10 minor vulnerabilities were reported and resolved. The Dash Messaging bug bounty program does not pay out cash bounties, so it costs us nothing when bugs/vulnerabilities are found. Researchers are rewarded with Bugcrowd's internal points system ("kudos").

With the release of Dash Core 12.2 at least three issues that involved the Dash Bug Bounty program have been resolved:

Thanks to @codablock!

I discovered this tiny unimportant bug
https://github.com/dashpay/dash/issues/1671
Thanks to @demo!

listreceivedbyaddress includes send addresses
https://github.com/dashpay/dash/issues/1576
Thanks to me!

I will be working with Bugcrowd to get renewed interest from researchers to test 12.2.

The Bugcrowd Dash Bug Bounty program will be expanded with the release of the Dash CoPay wallet, which will hopefully be happening within a month or so (just guessing).

As a reminder, the Dash Bug Bounty program on Bugcrowd is located here:
https://bugcrowd.com/dashdigitalcash

We do pay bounties outside of the Bugcrowd program when they are appropriately reported and assessed by the Core Team.

Feel free to contact me any time with questions, comments or suggestions.
 

jimbursch

Active Member
Only one bug report has been submitted on Dash Core since I last posted an update, and that report was evaluated to be more of an anomaly in the code, not a bug or vulnerability.

There were several more reports submitted on Dash Messaging -- all minor, but much appreciated since they help to secure and improve the service.

If anyone wants further details, feel free to message me directly, either here or https://d-msg.com/jimbursch

We are preparing to add the Dash Copay wallet to the Bugcrowd platform, when the Copay wallet is released. I am coordinating with the Dash Copay team, led by @Chuck Williams . When the Public Beta Testnet version of the Dash Copay wallet is released we will be launching the Dash Copay Bug Bounty Program privately on the Bugcrowd platform. This means that Bugcrowd will be inviting selected/trusted researchers to examine the code and try to find bugs/vulnerabilities.

I expect that the Copay bounty program will go like the Dash Core program, which means that there will be very few (if any) reports. This is because we are dealing with very sophisticated/complex code that has already been well tested and vetted. I think there are few Bugcrowd researchers who have the expertise to really tear apart the code. This is in contrast to Dash Messaging, which is a web app that is exactly what Bugcrowd researchers love to hack.

This means that the primary value of the Dash Bug Bounty program is its PR value -- the reassurance it offers to users that the code is secure.

With that in mind, I am working on a PR campaign to coincide with the release of the Copay wallet. The target audience for this campaign is:

1. Dash Copay wallet users who are reassured that the wallet is backed by the best funded bug bounty program in all cryptocurrency
2. Researchers/hackers who would like to test the security of the Dash Copay wallet, and do so in a responsible manner.

With the rise of the price of Dash we have funding available in the budget to pay for a high quality, professional campaign. And we will be able to partner with Bugcrowd on this campaign, leveraging their resources.

I will be starting a separate thread for details and updates about this campaign.
 

UdjinM6

Official Dash Dev
Dash Core Team
Moderator
Thanks @UdjinM6

Just to confirm, it's @sidhujag who should be rewarded?

On a scale P1-P4 (see https://pages.bugcrowd.com/hubfs/PDFs/Bugcrowd-Vulnerability-Rating-Taxonomy.pdf) where would you put this issue?
I'm not sure if it fits in any of these... I'd say it's more critical than RPC or compilation issues because it's a network-wide one at the p2p level, but less critical than IS because there is no financial risk or network split risk and it can't be exploited directly; it's more like a slight network misconfiguration causing some network disagreements for a relatively short period of time, but still pretty annoying for developers who were trying to figure it out :)
 

jimbursch

Active Member
@UdjinM6
- sounds like it is between P3 and P4. Here is the reward scale in USD:

P1 $5,000 - $10,000
P2 $1,000 - $5,000
P3 $500 - $1000
P4 $100 - $500

How does $500 sound?

I'm having difficulty reactivating my bitcointalk account. Can you contact @sidhujag and have him/her contact me here on Dash Forum? I just need a confirmed Dash address to send the reward. You will have to help confirm the address since anyone watching this conversation could impersonate @sidhujag.
 

UdjinM6

Official Dash Dev
Dash Core Team
Moderator
@UdjinM6
- sounds like it is between P3 and P4. Here is the reward scale in USD:

P1 $5,000 - $10,000
P2 $1,000 - $5,000
P3 $500 - $1000
P4 $100 - $500

How does $500 sound?

I'm having difficulty reactivating my bitcointalk account. Can you contact @sidhujag and have him/her contact me here on Dash Forum? I just need a confirmed Dash address to send the reward. You will have to help confirm the address since anyone watching this conversation could impersonate @sidhujag.
What is $? Make it 1 DASH :D
No problem. I contacted him and asked if he is interested in the first place. If yes, I'll send you his Dash address in PMs.
 