
Dash Bug Bounty Program

Discussion in 'Projects' started by jimbursch, Aug 2, 2017.

  1. jimbursch

    jimbursch Active Member

    Joined:
    Mar 5, 2017
    Messages:
    824
    Likes Received:
    487
    Trophy Points:
    133
    #1 jimbursch, Aug 2, 2017
    Last edited: Sep 25, 2017
    • Informative x 2
  2. jimbursch
    The Dash Bug Bounty Program is scheduled to launch privately on the Bugcrowd platform on August 8, and we are planning to launch publicly approximately two weeks after that.

    Previously we had planned on running the program privately for at least a month, but after discussion with the Bugcrowd technical lead, we decided we can go public much sooner, given that we are dealing with open source software that is already exposed to the public.

    Now that we have received the second budget payout, we can add applications to the bounty program. I am open to suggestions about what apps should be added to the program. I think that we should add selected wallet apps, such as the iOS wallet, Android wallet, and the CoPay wallet when it is available.
    • Like x 1
  3. jimbursch
    The Dash Bug Bounty Program has been launched privately on the Bugcrowd platform!

    Naturally, for security reasons I won't be able to report publicly on bugs found until after the bugs are fixed. I am reporting any vulnerabilities found to Holger Schinzel (@flare), who leads QA for the Core Team.
    • Like x 3
    • Useful x 1
  4. jimbursch

    • Like x 2
  5. demo

    demo Well-known Member

    Joined:
    Apr 23, 2016
    Messages:
    3,114
    Likes Received:
    262
    Trophy Points:
    153
    Dash Address:
    XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX
    Can you report the number of bugs discovered and their severity, without revealing what the bugs are?
    And also, what is the response time of the core team? How long does it take to fix the discovered bugs?
    Total obscurity is not a good thing. The Dash community should be aware of the statistics.
  6. jimbursch
    Since the launch of the program, only one vulnerability has been reported. The reported vulnerability involved the dash.org website, so it was out-of-scope for the program, therefore it doesn't qualify for a bounty payment, but we can reward the researcher with "kudos".

    The vulnerability could have leaked sensitive information, but further evaluation determined that it did not contain sensitive information. The vulnerability was reported to Holger Schinzel (@flare) and he passed it along to the appropriate Core Team members.

    Personally, it's kind of exciting seeing the program work at surfacing an issue. But the program is just as successful when nothing gets reported.
    • Like x 2
  7. jimbursch
    In the last week two bugs have been discovered, but since they were discovered by me (and confirmed by @UdjinM6), obviously I am excluded from collecting bounties.

    The two bugs are:

    listreceivedbyaddress includes send addresses
    https://github.com/dashpay/dash/issues/1576

    Incorrect RPC output for mixing txes
    https://github.com/dashpay/dash/issues/1574

    Right now the Dash Bug Bounty program is scheduled to be opened to the public on 9/6. When that happens, there will be PR (press release, blog post, social media) that goes out at the same time.

    In the meantime, Bugcrowd is inviting additional researchers to the private program.
    • Like x 3
    • Winner x 1
  8. codablock

    codablock Official Dash Dev
    Core Developer

    Joined:
    Mar 29, 2017
    Messages:
    92
    Likes Received:
    139
    Trophy Points:
    83
    Hey Jim,
    what's the state of the private program? When is it going to become public? I recently found a vulnerability which I decided to report immediately to core instead of waiting for the Bugcrowd program to become public. I probably just found the next one related to instant send and now I'm again in the dilemma of deciding when to report it.
    • Like x 3
  9. demo
    Dash is not meant to reward workers or the new generation.
    Dash is just the medium for the greedy generation of 2014-2016 to get richer and richer.
    Dash is meant to reward the early adopters and the investors/gamblers, not the people who work honestly.
    You are losing your time here.
    Look at me, look how I became. Don't be like me.
    Don't follow my road, don't spend your time.
    Invest your time wisely. Go away.
    And if you find something good, please don't forget the advice I gave you and inform me about it.
    But if you finally decide to stay here, expect it and be prepared. The greedy Dash generation of 2014-2016 will devour you.
    #9 demo, Sep 1, 2017
    Last edited: Sep 1, 2017
    This message by demo has been hidden due to negative ratings.
    • Trolling x 4
  10. Super8

    Super8 Active Member

    Joined:
    Mar 27, 2015
    Messages:
    295
    Likes Received:
    152
    Trophy Points:
    103
    Stop trolling, demo. If you're bitter because you haven't invested your money in Dash... and yet you continue to invest your time in denigrating the experience of people who want to get on board and join Dash, then why will you not follow your own advice and go away to somewhere else? Please, for your own happiness (and I assure you the happiness of many here), please just GO!
  11. demo
    What are you talking about? Are you nuts?
    @codablock is NOT an investor. He is a WORKER.
    I suggest to the workers (and to the rest of the slaves of the greedy Dash generation of 2014-2016) to go away.
    I would never bother to give any good advice to investors/gamblers because I detest them. And whatever bad will happen to them in the future, I will be glad of it, because they deserve their fate. There is no chance for the people who invest in chance. Sooner or later the goddess Tyche will tear them apart.

    @Super8 I desperately wish to go. Please help me. Suggest a better place to me.
    #11 demo, Sep 1, 2017
    Last edited: Sep 1, 2017
    • Trolling x 2
  12. codablock
    Please don't speak for me, I can do that on my own. You don't know if I'm a worker or an investor or maybe both.
    And please stop this discussion here; what you are trying to discuss is not what my question was about.
    • Optimistic x 1
  13. demo
    Ok, I'll stop the discussion here. But your above first sentence is wrong. I don't know whether you are both a worker and an investor, but you are certainly a worker, and I know that.
    #13 demo, Sep 1, 2017
    Last edited: Sep 1, 2017
  14. jimbursch
    Hi @codablock

    I'm out on vacation right now and will be back Monday morning. I will get in touch with you directly on Monday. I'm aware of your report and we will make arrangements for your situation.

    Thank you very much for the work you have done! I will be in touch.
    • Like x 2
  15. jimbursch
    In the last two weeks, two vulnerabilities in the Dash Core code have been reported.

    Local Privilege Escalation during installation (UAC bypass)
    https://github.com/dashpay/dash/issues/1612
    Priority: P3
    Bounty paid: $600
    This vulnerability was reported by a Bugcrowd researcher through the Bugcrowd platform, and the bounty was paid in USD through the Bugcrowd platform.

    potential quorum exploit method
    https://www.dash.org/forum/threads/...due-to-potential-quorum-exploit-method.16492/
    Priority: P2
    Bounty paid: 6.4 Dash (~$2000 USD)
    This vulnerability was reported directly to the Dash Core Team and the bounty was paid out directly in Dash to the two developers who found the vulnerability.
    • Like x 8
    • Winner x 1
  16. jimbursch

    • Like x 2
  17. jimbursch
    As a reminder, the Dash Bug Bounty Program is located here:
    https://bugcrowd.com/dashdigitalcash

    It has been pretty quiet with the program for the last couple of weeks. No bounties have been paid out. We did receive several reports that were out-of-scope. One involved an obscure vulnerability in the Windows operating system that could lead to privilege escalation if the attacker has admin privileges. Another reported git repositories that are publicly exposed on the dash.org domain, which has been reported to @tungfa and @kot.

    As soon as the Dashpay Wallet (or Dash CoPay wallet) is available it will be added to the Dash Bug Bounty program. We will be coordinating with @Chuck Williams.

    Soon Dash Messaging will be added to the program as a kudos-only app. Kudos-only means that bounties are not paid in cash, but are paid in Bugcrowd's internal points system.

    Feel free to contact me if anyone has any questions.
    • Like x 3
  18. tungfa

    tungfa Administrator
    Dash Core Team Foundation Member Masternode Owner/Operator Moderator

    Joined:
    Apr 9, 2014
    Messages:
    8,906
    Likes Received:
    6,711
    Trophy Points:
    1,283
    tx buddy
    team is aware and will soon mitigate that issue by moving to a different publication approach
  19. demo

    #19 demo, Oct 7, 2017
    Last edited: Oct 8, 2017
    • Like x 1
  20. jimbursch
    Hi @demo

    Good catch! Thank you for reporting this issue. I see that @UdjinM6 reviewed the issue, gave it a thumbs-up and a fix has been submitted.

    I will give this a P4 priority rating, which has a bounty range of $100-$500 USD (see https://bugcrowd.com/dashdigitalcash). Does 0.5 Dash sound like a reasonable bounty? If so, private message me your Dash address and I will send you the bounty payment.

    Thanks again for strengthening Dash by reporting this bug.
    • Friendly x 1
  21. demo
    Whatever tip you decide to give me, it's fine for me!
    My address is always public as shown in my profile, because it will be used for the universal dividend foundation.
    So please send the tip there:

    dash:XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX

    To be honest, the bug I discovered is totally insignificant, because it doesn't affect the system during the runtime. It is just a nuisance during the compilation. This nuisance can be avoided if you upgrade to qt > 5.2, which can easily be done by almost everyone (except the ones who are using really old computers or the ones who are using inflexible embedded hardware devices). Fortunately, after @UdjinM6 fixed the bug, not even this nuisance exists anymore. In conclusion, 0.5 dash is more than enough as a reward for the discovery of this bug.
    #21 demo, Oct 9, 2017
    Last edited: Oct 10, 2017
  22. jimbursch

    • Friendly x 2
  23. jimbursch
    Here is an update on the Dash Bug Bounty program.

    No bounties have been paid out either directly or through the Bugcrowd platform in the last month.

    Most of the activity on the Bugcrowd platform has been with Dash Messaging (https://d-msg.com), where 10 minor vulnerabilities were reported and resolved. The Dash Messaging bug bounty program does not pay out cash bounties, so it costs us nothing when bugs/vulnerabilities are found. Researchers are rewarded with Bugcrowd's internal points system ("kudos").

    With the release of Dash Core 12.2 at least three issues that involved the Dash Bug Bounty program have been resolved:

    Thanks to @codablock!

    Thanks to @demo!

    Thanks to me!

    I will be working with Bugcrowd to get renewed interest from researchers to test 12.2.

    The Bugcrowd Dash Bug Bounty program will be expanded with the release of the Dash CoPay wallet, which will hopefully be happening within a month or so (just guessing).

    As a reminder, the Dash Bug Bounty program on Bugcrowd is located here:
    https://bugcrowd.com/dashdigitalcash

    We do pay bounties outside of the Bugcrowd program when they are appropriately reported and assessed by the Core Team.

    Feel free to contact me any time with questions, comments or suggestions.
    • Like x 5
  24. jimbursch
    Only one bug report has been submitted on Dash Core since I last posted an update, and that report was evaluated to be more of an anomaly in the code, not a bug or vulnerability.

    There were several more reports submitted on Dash Messaging -- all minor, but much appreciated since they help to secure and improve the service.

    If anyone wants further details, feel free to message me directly, either here or https://d-msg.com/jimbursch

    We are preparing to add the Dash Copay wallet to the Bugcrowd platform, when the Copay wallet is released. I am coordinating with the Dash Copay team, led by @Chuck Williams. When the Public Beta Testnet version of the Dash Copay wallet is released we will be launching the Dash Copay Bug Bounty Program privately on the Bugcrowd platform. This means that Bugcrowd will be inviting selected/trusted researchers to examine the code and try to find bugs/vulnerabilities.

    I expect that the Copay bounty program will go like the Dash Core program, which means that there will be very few (if any) reports. This is because we are dealing with very sophisticated/complex code that has already been well tested and vetted. I think there are few Bugcrowd researchers who have the expertise to really tear apart the code. This is in contrast to Dash Messaging, which is a web app that is exactly what Bugcrowd researchers love to hack.

    This means that the primary value of the Dash Bug Bounty program is its PR value -- the reassurance it offers to users that the code is secure.

    With that in mind, I am working on a PR campaign to coincide with the release of the Copay wallet. The target audience for this campaign is:

    1. Dash Copay wallet users who are reassured that the wallet is backed by the best funded bug bounty program in all cryptocurrency
    2. Researchers/hackers who would like to test the security of the Dash Copay wallet, and do so in a responsible manner.

    With the rise of the price of Dash we have funding available in the budget to pay for a high quality, professional campaign. And we will be able to partner with Bugcrowd on this campaign, leveraging their resources.

    I will be starting a separate thread for details and updates about this campaign.
    • Like x 1
  25. UdjinM6

    UdjinM6 Official Dash Dev
    Dash Core Team Moderator

    Joined:
    May 20, 2014
    Messages:
    3,631
    Likes Received:
    3,532
    Trophy Points:
    1,183
    • Like x 1
  26. jimbursch
  27. UdjinM6
    I'm not sure if it fits in any of these... I'd say it's more critical than RPC or compilation issues because it's a network-wide one on the p2p level, but less critical than IS because there is no financial risk or network split risk and it can't be exploited directly. It's more like a slight network misconfiguration causing some network disagreements for a relatively short period of time, but still pretty annoying for developers who were trying to figure it out :)
  28. jimbursch
    @UdjinM6
    - sounds like it is between P3 and P4. Here is the reward scale in USD:

    P1 $5,000 - $10,000
    P2 $1,000 - $5,000
    P3 $500 - $1000
    P4 $100 - $500

    How does $500 sound?

    I'm having difficulty reactivating my bitcointalk account. Can you contact @sidhujag and have him/her contact me here on Dash Forum? I just need a confirmed Dash address to send the reward. You will have to help confirm the address since anyone watching this conversation could impersonate @sidhujag.
    • Like x 1
  29. UdjinM6
    What is $? Make it 1 DASH :D
    No problem. I contacted him and asked if he is interested in the first place. If yes, I'll send you his Dash address in PMs.
    • Like x 2
    • Funny x 1
  30. jimbursch
    1 Dash it shall be!
    • Like x 3
    • Winner x 1
