
Dash Bug Bounty Program

Discussion in 'Projects' started by jimbursch, Aug 2, 2017.

  1. jimbursch

    #1 jimbursch, Aug 2, 2017
    Last edited: Sep 25, 2017
  2. jimbursch

    The Dash Bug Bounty Program is scheduled to launch privately on the Bugcrowd platform on August 8, and we are planning to launch publicly approximately two weeks after that.

    Previously we had planned on running the program privately for at least a month, but after discussion with the Bugcrowd technical lead, we decided we can go public much sooner, given that we are dealing with open source software that is already exposed to the public.

    Now that we have received the second budget payout, we can add applications to the bounty program. I am open to suggestions about what apps should be added to the program. I think that we should add selected wallet apps, such as the iOS wallet, Android wallet, and the CoPay wallet when it is available.
  3. jimbursch

    The Dash Bug Bounty Program has been launched privately on the Bugcrowd platform!

    Naturally, for security reasons I won't be able to report publicly on bugs found until after the bugs are fixed. I am reporting any vulnerabilities found to Holger Schinzel (@flare), who leads QA for the Core Team.
  4. jimbursch

  5. demo

    Can you report the number of bugs discovered and their severity, without revealing what the bugs are?
    And also, what is the response time of the core team? How long does it take to fix the discovered bugs?
    Total obscurity is not a good thing. The Dash community should be aware of the statistics.
  6. jimbursch

    Since the launch of the program, only one vulnerability has been reported. The reported vulnerability involved the dash.org website, so it was out-of-scope for the program, therefore it doesn't qualify for a bounty payment, but we can reward the researcher with "kudos".

    The vulnerability could have leaked sensitive information, but further evaluation determined that it did not contain sensitive information. The vulnerability was reported to Holger Schinzel (@flare) and he passed it along to the appropriate Core Team members.

    Personally, it's kind of exciting seeing the program work at surfacing an issue. But the program is just as successful when nothing gets reported.
  7. jimbursch

    In the last week two bugs have been discovered, but since they were discovered by me (and confirmed by @UdjinM6), obviously I am excluded from collecting bounties.

    The two bugs are:

    listreceivedbyaddress includes send addresses
    https://github.com/dashpay/dash/issues/1576

    Incorrect RPC output for mixing txes
    https://github.com/dashpay/dash/issues/1574

    Right now the Dash Bug Bounty program is scheduled to be opened to the public on 9/6. When that happens, there will be PR (press release, blog post, social media) that goes out at the same time.

    In the meantime, Bugcrowd is inviting additional researchers to the private program.
  8. codablock

    codablock Official Dash Dev
    Core Developer

    Hey Jim,
    what's the state of the private program? When is it going to become public? I recently found a vulnerability which I decided to report immediately to core instead of waiting for the Bugcrowd program to become public. I probably just found the next one related to InstantSend and now I'm again in the dilemma of deciding when to report it.
  9. demo

    Dash is not meant to reward workers or the new generation.
    Dash is just the medium for the greedy generation of 2014-2016 to get richer and richer.
    Dash is meant to reward the early adopters and the investors/gamblers, not the people who work honestly.
    You are wasting your time here.
    Look at me, look at what I have become. Don't be like me.
    Don't follow my road, don't spend your time.
    Invest your time wisely. Go away.
    And if you find something good, please don't forget the advice I gave you and inform me about it.
    But if you finally decide to stay here, expect it and be prepared. The greedy Dash generation of 2014-2016 will devour you.
    #9 demo, Sep 1, 2017
    Last edited: Sep 1, 2017
  10. Super8

    Stop trolling, demo. If you're bitter because you haven't invested your money in Dash... and yet you continue to invest your time in denigrating the experience of people who want to get on board and join Dash, then why will you not follow your own advice and go away somewhere else? Please, for your own happiness (and I assure you the happiness of many here), please just GO!
  11. demo

    What are you talking about? Are you nuts?
    @codablock is NOT an investor. He is a WORKER.
    I suggest to the workers (and to the rest of the slaves of the greedy Dash generation of 2014-2016) that they go away.
    I would never bother to give any good advice to investors/gamblers because I detest them. And whatever bad happens to them in the future, I will be glad of it, because they deserve their fate. There is no chance for the people who invest in chance. Sooner or later the goddess Tyche will tear them apart.

    @Super8 I desperately wish to go. Please help me. Suggest a better place to me.
    #11 demo, Sep 1, 2017
    Last edited: Sep 1, 2017
  12. codablock

    codablock Official Dash Dev
    Core Developer

    Please don't speak for me, I can do that on my own. You don't know if I'm a worker or an investor or maybe both.
    And please stop this discussion here; what you are trying to discuss is not what my question was about.
  13. demo

    OK, I'll stop the discussion here. But your first sentence above is wrong. I don't know whether you are both a worker and an investor, but you are certainly a worker, and I know that.
    #13 demo, Sep 1, 2017
    Last edited: Sep 1, 2017
  14. jimbursch

    Hi @codablock

    I'm out on vacation right now and will be back Monday morning. I will get in touch with you directly on Monday. I'm aware of your report and we will make arrangements for your situation.

    Thank you very much for the work you have done! I will be in touch.
  15. jimbursch

    In the last two weeks, two vulnerabilities in the Dash Core code have been reported.

    Local Privilege Escalation during installation (UAC bypass)
    https://github.com/dashpay/dash/issues/1612
    Priority: P3
    Bounty paid: $600
    This vulnerability was reported by a Bugcrowd researcher through the Bugcrowd platform, and the bounty was paid in USD through the Bugcrowd platform.

    potential quorum exploit method
    https://www.dash.org/forum/threads/...due-to-potential-quorum-exploit-method.16492/
    Priority: P2
    Bounty paid: 6.4 Dash (~$2000 USD)
    This vulnerability was reported directly to the Dash Core Team and the bounty was paid out directly in Dash to the two developers who found the vulnerability.
  16. jimbursch

  17. jimbursch

    As a reminder, the Dash Bug Bounty Program is located here:
    https://bugcrowd.com/dashdigitalcash

    It has been pretty quiet with the program for the last couple of weeks. No bounties have been paid out. We did receive several reports that were out of scope. One involved an obscure vulnerability in the Windows operating system that could lead to privilege escalation if the attacker has admin privileges. Another reported git repositories that are publicly exposed on the dash.org domain, which has been reported to @tungfa and @kot .

    As soon as the Dashpay Wallet (or Dash CoPay wallet) is available it will be added to the Dash Bug Bounty program. We will be coordinating with @Chuck Williams .

    Soon Dash Messaging will be added to the program as a kudos-only app. Kudos-only means that bounties are not paid in cash, but are paid in Bugcrowd's internal points system.

    Feel free to contact me if anyone has any questions.
  18. tungfa

    tungfa Administrator
    Dash Core Team Foundation Member Moderator

    Thanks buddy
    team is aware and will soon mitigate that issue by moving to a different publication approach
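Post #17 reports git repositories publicly exposed on a web domain but does not say how such exposure is found or what makes it dangerous. The following is an added example, not code from the Dash project or from anyone in this thread: it shows the usual check for an exposed `.git` directory (request `/.git/HEAD` and `/.git/config` under the site root and recognise git's own file formats rather than trusting the HTTP status, since many servers answer every path with a 200 "soft 404" page), and it flags remote URLs that embed a password, which is the finding that turns a metadata leak into a credential leak. All sample responses are constructed, the host name `example.invalid` is a placeholder, and the network helper is only for use against systems you are authorised to test.

```python
"""Detect an exposed .git directory from HTTP responses (added example)."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, List, Optional

# .git/HEAD is either a symbolic ref ("ref: refs/heads/master") or a
# detached 40-hex object id. Anything else (HTML error pages, redirects)
# means the path is not really a git HEAD file.
HEAD_SYMREF = re.compile(r"^ref: refs/[\w./-]+\n?$")
HEAD_DETACHED = re.compile(r"^[0-9a-f]{40}\n?$")

# Constructed sample responses (not captured from any real host).
SAMPLE_HEAD = "ref: refs/heads/master\n"
SAMPLE_SOFT_404 = "<!DOCTYPE html><html><body>Not found</body></html>"
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = https://deploy:hunter2@example.invalid/site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
\tremote = origin
\tmerge = refs/heads/master
"""


def looks_like_git_head(body: str) -> bool:
    """True if the body is plausibly the contents of .git/HEAD."""
    return bool(HEAD_SYMREF.match(body) or HEAD_DETACHED.match(body))


def remotes_from_git_config(body: str) -> Dict[str, str]:
    """Return {remote_name: url} from a .git/config body.

    git config is INI-like with sections such as [remote "origin"] and
    tab-indented key = value lines; a small hand parser avoids the
    continuation-line rules of configparser."""
    remotes: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            m = re.match(r'\[remote\s+"([^"]+)"\]', line)
            section = m.group(1) if m else None
            continue
        if section is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "url":
                remotes[section] = value.strip()
    return remotes


def url_has_credentials(url: str) -> bool:
    """True if a remote URL embeds a password (user-only, e.g. ssh://git@, is not flagged)."""
    return urllib.parse.urlsplit(url).password is not None


def assess(head_body: Optional[str], config_body: Optional[str] = None) -> dict:
    """Classify fetched bodies; 'exposed' is decided by HEAD's format, not by HTTP 200."""
    result: dict = {"exposed": False, "head": None, "remotes": {}, "credential_urls": []}
    if head_body is None or not looks_like_git_head(head_body):
        return result
    result["exposed"] = True
    result["head"] = head_body.strip()
    if config_body:
        result["remotes"] = remotes_from_git_config(config_body)
        result["credential_urls"] = [
            u for u in result["remotes"].values() if url_has_credentials(u)
        ]
    return result


def fetch(base_url: str, path: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch base_url + path (first 4 KiB only; never mirror the repository)."""
    url = base_url.rstrip("/") + path
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, ValueError):
        return None


def probe_site(base_url: str) -> dict:
    """Live check of one site root (authorised testing only)."""
    return assess(fetch(base_url, "/.git/HEAD"), fetch(base_url, "/.git/config"))


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_HEAD, SAMPLE_CONFIG), indent=2))
    print(json.dumps(assess(SAMPLE_SOFT_404, SAMPLE_CONFIG), indent=2))
```

Two points worth keeping in mind when using a check like this: confirming exposure needs only `HEAD` and `config`, so there is no reason for a reporter to reconstruct the object database, and the remediation is not just blocking `/.git/` at the web server but also rotating any credentials found in the config, because the directory may have been crawled before the block went in.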
  19. demo

    #19 demo, Oct 7, 2017
    Last edited: Oct 8, 2017
  20. jimbursch

    Hi @demo

    Good catch! Thank you for reporting this issue. I see that @UdjinM6 reviewed the issue, gave it a thumbs-up and a fix has been submitted.

    I will give this a P4 priority rating, which has a bounty range of $100-$500 USD (see https://bugcrowd.com/dashdigitalcash). Does 0.5 Dash sound like a reasonable bounty? If so, private message me your Dash address and I will send you the bounty payment.

    Thanks again for strengthening Dash by reporting this bug.
  21. demo

    Whatever tip you decide to give me, it's fine for me!
    My address is always public as shown in my profile, because it will be used for the universal dividend foundation.
    So please send the tip there:

    dash:XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX

    To be honest, the bug I discovered is totally insignificant, because it doesn't affect the system during runtime. It is just a nuisance during compilation. This nuisance can be avoided if you upgrade to Qt > 5.2, which can easily be done by almost everyone (except the ones who are using really old computers or the ones who are using inflexible embedded hardware devices). Fortunately, after @UdjinM6 fixed the bug, not even this nuisance exists anymore. In conclusion, 0.5 Dash is more than enough as a reward for the discovery of this bug.
    #21 demo, Oct 9, 2017
    Last edited: Oct 10, 2017
  22. jimbursch
