Dash Bug Bounty Program

The Dash Bug Bounty Program is scheduled to launch privately on the Bugcrowd platform on August 8, and we are planning to launch publicly approximately two weeks after that.

Previously we had planned on running the program privately for at least a month, but after discussion with the Bugcrowd technical lead, we decided we can go public much sooner, given that we are dealing with open source software that is already exposed to the public.

Now that we have received the second budget payout, we can add applications to the bounty program. I am open to suggestions about what apps should be added to the program. I think that we should add selected wallet apps, such as the iOS wallet, Android wallet, and the CoPay wallet when it is available.
 
The Dash Bug Bounty Program has been launched privately on the Bugcrowd platform!

Naturally, for security reasons I won't be able to report publicly on bugs found until after the bugs are fixed. I am reporting any vulnerabilities found to Holger Schinzel (@flare ) , who leads QA for the Core Team.
 
jimbursch said:
The Dash Bug Bounty Program has been launched privately on the Bugcrowd platform!

Naturally, for security reasons I won't be able to report publicly on bugs found until after the bugs are fixed. I am reporting any vulnerabilities found to Holger Schinzel (@flare ) , who leads QA for the Core Team.
Click to expand...

Can you report the number of bugs discovered and their severity, without revealing what the bugs are?
And also what is the response time of the core team? How long does it takes to fix the discovered bugs?
Total obscurity is not a good thing. The Dash community should be aware of the statistics.
 
demo said:
Can you report the number of bugs discovered and their severity, without revealing what the bugs are?
And also what is the response time of the core team? How long does it takes to fix the discovered bugs?
Click to expand...

Since the launch of the program, only one vulnerability has been reported. The reported vulnerability involved the dash.org website, so it was out-of-scope for the program, therefore it doesn't qualify for a bounty payment, but we can reward the researcher with "kudos".

The vulnerability could have leaked sensitive information, but further evaluation determined that it did not contain sensitive information. The vulnerability was reported to Holger Schinzel (@flare ) and he passed it along to the appropriate Core Team members.

Personally, it's kind of exciting seeing the program work at surfacing an issue. But the program is just as successful when nothing gets reported.
 
In the last week two bugs have been discovered, but since they were discovered by me (and confirmed by @UdjinM6), obviously I am excluded from collecting bounties.

The two bugs are:

listreceivedbyaddress includes send addresses
https://github.com/dashpay/dash/issues/1576

Incorrect RPC output for mixing txes
https://github.com/dashpay/dash/issues/1574

Right now the Dash Bug Bounty program is scheduled to be opened to the public on 9/6. When that happens, there will be PR (press release, blog post, social media) that goes out at the same time.

In the meantime, Bugcrowd is inviting additional researchers to the private program.
 
Hey Jim,
what's the state of the private program? When is it going to become public? I recently found a vulnerability which I decided to report immediately to core instead of waiting for the Bugcowd program to become public. I probably just found the next one related to instant send and now I'm again in the dilemma of deciding about when to report it.
 
codablock said:
Hey Jim,
what's the state of the private program? When is it going to become public? I recently found a vulnerability which I decided to report immediately to core instead of waiting for the Bugcowd program to become public. I probably just found the next one related to instant send and now I'm again in the dilemma of deciding about when to report it.
Click to expand...

Dash is not ment to reward workers or the new generation.
Dash is just the medium for the greedy generation of 2014-2016 to get richer and richer.
Dash is ment to reward the early adopters and the investors/gamblers, not the people who work honestly.
You are losing your time here.
Look at me, look how I became. Dont be like me.
Dont follow my road, dont spent your time.
Invest you time wisely. Go away.
And if you find something good, please dont forget the advice I gave you and inform me about it.
But If you finnaly decide to stay here, expect it and be prepared. The greedy Dash generation of 2014-2016 will devore you.
 
Last edited:
demo said:
Dash is not ment to reward workers or the new generation.
Dash is just the medium for the greedy generation of 2014-2016 to get richer and richer.
Dash is ment to reward the early adopters and the investors/gamblers, not the people who work honestly.
You are losing your time here.
Look at me, look how I became. Dont be like me.
Dont follow my road, dont spent your time.
Invest you time wisely. Go away.
And if you find something good, please dont forget the advice I gave you and inform me about it.
But If you finnaly decide to stay here, expect it and be prepared. The greedy Dash generation of 2014-2016 will devore you.
Click to expand...
Stop trolling demo. If you're bitter because you haven't invested your money in Dash... and yet u continue to invest your time in denigrating the experience of people who want to get on board and join Dash, then why will u not follow your own advice and go away to somewhere else. Please, for your own happiness (and I assure you the happiness of many here) please just GO!
 
Super8 said:
Stop trolling demo. If you're bitter because you haven't invested your money in Dash... and yet u continue to invest your time in denigrating the experience of people who want to get on board and join Dash, then why will u not follow your own advice and go away to somewhere else. Please, for your own happiness (and I assure you the happiness of many here) please just GO!
Click to expand...
What are you talking about? Are you nuts?
@codablock is NOT an investor. He is a WORKER.
I suggest to the workers (and to the rest slaves of the greedy dash generation of 2014-2016) to go away.
I would never bother to give any good advice to investors/gamblers because I detest them. And whatever bad will happen to them in the future, I will be glad of it, because they deserve their fate. There is no chance for the people who invest in chance. Sooner or later Tyche goddess will tear them apart.

@Super8 I desperately wish to go. Please help me. Suggest me a better place.
 
Last edited:
demo said:
What are you talking about? Are you nuts?
@codablock is NOT an investor. He is a WORKER.
I suggest to the workers (and to the rest slaves of the greedy dash generation of 2014-2016) to go away.
I would never give any good advice to investors/gambles because I detest them anyway. And whatever bad will happen to them in the future, I will be glad of it because they deserve their fate. There is not chance for the people who invest in chance.
Click to expand...
Please don't speak for me, I can do that by my own. You don't know if I'm a worker or an investor or maybe both.
And please stop this discussion here, what you try to discuss is not what my question was about.
 
codablock said:
You don't know if I'm a worker or an investor or maybe both. And please stop this discussion here, what you try to discuss is not what my question was about.
Click to expand...
Ok I ll stop the discussion here. But your above first sentence is wrong. I dont know whether you are both worker and investor, but you are a certainly a worker, and I know that.
 
Last edited:
Hi @codablock

I'm out on vacation right now and will be back Monday morning. I will get in touch with you directly on Monday. I'm aware of your report and we will make arrangements for your situation.

Thank you very much for the work you have done! I will be in touch.
 
In the last two weeks, two vulnerabilities in the Dash Core code have been reported.

Local Privilege Escalation during installation (UAC bypass)
https://github.com/dashpay/dash/issues/1612
Priority: P3
Bounty paid: $600
This vulnerability was reported by a Bugcrowd researcher through the Bugcrowd platform, and the bounty was paid in USD through the Bugcrowd platform.

potential quorum exploit method
https://www.dash.org/forum/threads/...due-to-potential-quorum-exploit-method.16492/
Priority: P2
Bounty paid: 6.4 Dash (~$2000 USD)
This vulnerability was reported directly to the Dash Core Team and the bounty was paid out directly in Dash to the two developers who found the vulnerability.
 
As a reminder, the Dash Bug Bounty Program is located here:
https://bugcrowd.com/dashdigitalcash

It has been pretty quiet with the program for that last couple weeks. No bounties have been paid out. We did receive several reports that were out-of-scope. One involved an obscure vulnerability in the Windows operating system that could lead to privilege escalation if the attacker has admin privileges. Another reported git repositories that are publicly exposed on the dash.org domain, which has been reported to @tungfa and @kot .

As soon as the Dashpay Wallet (or Dash CoPay wallet) is available it will be added to the Dash Bug Bounty program. We will be coordinating with @Chuck Williams .

Soon Dash Messaging will be added to the program as a kudos-only app. Kudos-only means that bounties are not paid in cash, but are paid in Bugcrowd's internal points system.

Feel free to contact me if anyone has any questions.
 
jimbursch said:
Another reported git repositories that are publicly exposed on the dash.org domain, which has been reported to @tungfa and @kot .
Click to expand...
tx buddy
team is aware and will soon mittigate that issue by moving to a different publication approach
 
Hi @demo

Good catch! Thank you for reporting this issue. I see that @UdjinM6 reviewed the issue, gave it a thumbs-up and a fix has been submitted.

I will give this a P4 priority rating, which has a bounty range of $100-$500 USD (see https://bugcrowd.com/dashdigitalcash). Does 0.5 Dash sound like a reasonable bounty? If so, private message me your Dash address and I will send you the bounty payment.

Thanks again for strengthening Dash by reporting this bug.
 
You must log in or register to reply here.
Back
Top