Dash Bug Bounty Program

Discussion in 'Projects' started by jimbursch, Aug 2, 2017.

  1. jimbursch

    jimbursch Active Member

    Joined:
    Mar 5, 2017
    Messages:
    814
    Likes Received:
    472
    Trophy Points:
    133
    My apologies for the delayed update.

    Since my last update we have paid out 4 bounties to researchers who have responsibly and discreetly reported issues to us.

    0.5 Dash was paid to a researcher who alerted us to a git repository that was publicly exposed on the dash.org domain, which could be hacked in a way that exposed credentials to access a MySQL database. This was a minor issue since the MySQL database in question did not contain sensitive information that was not salted/hashed. Nonetheless, it is concerning when credentials are exposed. Initially the researcher reported this issue through the Bugcrowd platform, which we received as information-only since the dash.org domain falls outside of the scope of the Bugcrowd program. The researcher followed up with additional information reported directly to the Core Team via email [email protected]. This led to closer examination of the issue and corrective action.

    0.5 Dash was paid to a researcher who discovered a bug in a CRM package that was being used on the dash.org domain, which exposed a MySQL database. Like the above issue, this was minor because no sensitive data could be obtained from the database. The CRM package has been disabled.

    0.75 Dash was paid to a researcher who reported that we were running an out-of-date version of the Bamboo deployment server, which contained a vulnerability that could compromise Dash binaries. The solution was simply to update the server software.

    The above bounties involved only support systems for the Dash Core Team, and did not involve the Dash protocol or wallet software.

    On January 17th the Dash Copay wallet for Android, testnet, was added to the Bugcrowd bounty program. Initially the program is launched privately for invited, elite researchers with whom Bugcrowd has established relationships. Over the following weeks, more researchers are invited to the program until we decide to open the program to the public.

    Today we paid a $700 bounty through the Bugcrowd platform to a researcher who reported that a function was left in debugging mode, which led to the private key being recorded in a log file upon wallet creation. Because it would be extremely difficult/almost impossible for an attacker to access the log, it was determined that this issue poses very low risk. Nonetheless, a private key should not be recorded in a log. The fix was simple.
     
  2. BARADED

    BARADED New Member

    Joined:
    Feb 6, 2018
    Messages:
    1
    Likes Received:
    2
    Trophy Points:
    3
    Hello Dear @jimbursch! My name is Zasinets Alexander. I am an expert in the field of security and protection of sites from various threats. I found threats on your website. If I send you the report on the security of your sites, can you pay for my work finding threats to your website?
     
    #32 BARADED, Feb 6, 2018
    Last edited by a moderator: Feb 6, 2018
  3. jimbursch

    Hi @BARADED

    Thank you for your interest in helping to secure Dash!

    There are a couple of different ways you can get involved and possibly earn a bounty payment.

    - You can join the Bugcrowd platform and submit vulnerability reports here: https://bugcrowd.com/dashdigitalcash
    - You can report vulnerabilities directly to the Core Team by email: [email protected]
    - Or you are welcome to submit a report directly to me via private message on this forum.

    Vulnerability reports are evaluated to determine their level of risk and bounties are paid out accordingly.
     
  4. jimbursch

    Hello Dash community

    Here is an update on activities with the Dash Bug Bounty Program.

    Since the last update we have paid out only one bounty:

    1.0 Dash was paid to a researcher who reported a problem in Sentinel that could potentially be used to trip all masternodes into watchdog_expired status. This was given a low/medium priority because the probability of a successful attack was considered low due to validation checks in place. Nonetheless the problem warranted a code change and a bounty was paid to reward the researcher for reporting the issue. This issue was reported through private messaging on the Dash Forum.

    In December of last year, when Dash was seeing record high prices, I decided that it would be a good opportunity to take advantage of the price to engage a PR firm to help promote the Dash Bug Bounty Program. Since Amanda Johnson was working with PMBC Group and they are located here in Los Angeles, and they accept Dash, I entered into a six-month engagement with them to promote the Dash Bug Bounty program, as well as other Dash-related activities. Here are some results of their work:

    February 19, 2018: “School for Startups Radio”: DASH Cryptocurrency with Jim Bursch
    February 21, 2018: Insurance Business America (168,100 monthly visitors): Virtual sheriffs in the wild, wild west of digital currency
    February 25, 2018: Bitcoin Warrior (36,300 monthly visitors): Threat Profile: Knowing yours is the first step to improving online security
    January 26, 2018: Rescue a CEO (CEO Blog Nation) (21,000 monthly visits): “14 Entrepreneurs Explain Best Industries To Start a Business in 2018”
    January 25, 2018: Digital LA: “Cryptocurrency Beyond Bitcoin: Ethereum, DASH, EOS, and new ICOs”.

    This is proving to be a very good investment and we can expect to see a lot more coverage in the coming months.

    Also due to the substantial increase in the value of Dash, I have decided that it is unwise for my Dash-related business activities to be conducted as an individual, and that it would be wiser to engage in these activities under a corporation. To that end, I have created a Delaware C corp called FundChan Inc. and I have transferred all Dash-related assets to it. So, from a legal/business standpoint, the Dash Bug Bounty Program is now being operated on behalf of Dash by FundChan Inc.

    Finally, I have received a proposal from Bugcrowd to extend our agreement with them for another year at a substantial discount, which is essentially an incentive to renew early, since our current agreement does not end until August. To take advantage of this proposal now, I would have to submit a Dash Budget proposal valued at approximately $100,000. I will start a discussion in the Pre + Budget Proposal forum to see if this is something the community would like to do.
     
  6. jimbursch

    After having a good talk with @QuantumExplorer, who now leads the mobile dev team for Dash Core, we are making some changes to our setup with Bugcrowd.

    On the Bugcrowd platform, we can cover five applications (4 cash bounties, 1 free kudos-only). Originally my plan was to use those slots for Dash Core wallet, and three Copay wallets (Android, iOS, Windows). After my discussion with @QuantumExplorer, we have decided to allocate one slot to the Dash iOS wallet and one to the Dash Android (@HashEngineering) wallet. The free kudos-only slot is filled by Dash Messaging.

    These changes will be going live soon. Since the Dash iOS and Android wallets are already live, these bounty programs will be launched to the public from the beginning (normally new additions are initially launched privately to invited researchers).

    It should be noted that the Dash Bug Bounty program is not just limited to the apps we cover on the Bugcrowd platform. All Dash products and critical systems are covered by the Dash Bug Bounty program and we will pay a bounty for validated vulnerabilities that are reported discreetly and responsibly. Reports can be made to Core Team directly using the email address: [email protected].
     
  7. Antti Kaikkonen

    Antti Kaikkonen Active Member

    Joined:
    Jun 20, 2017
    Messages:
    152
    Likes Received:
    112
    Trophy Points:
    103
    Did you receive my report in Bugcrowd regarding this?
     
  8. jimbursch

    Hi @Antti Kaikkonen -- I have asked @UdjinM6 to evaluate the report.
     
  9. jimbursch

    The Dash Bug Bounty Program with Bugcrowd now includes the Dash iOS wallet and the Dash Android (@HashEngineering) wallet. You can view the program brief here:
    https://bugcrowd.com/dashdigitalcash

    The bounty program for the Dash Copay wallet has been paused temporarily.
     
  10. demo

    demo Active Member

    Joined:
    Apr 23, 2016
    Messages:
    3,046
    Likes Received:
    214
    Trophy Points:
    133
    Dash Address:
    XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX

    The URL of the Android wallet you gave us is invalid. Does this count as a bug? :p
     
  11. jimbursch

    Good catch @demo!

    Sorry, but the program itself is out-of-scope. ;-)

    It is fixed now.
     
  12. jimbursch

    The MN network has approved funding to extend our partnership with Bugcrowd in operating the Dash Bug Bounty program for an additional year. We are now engaged with Bugcrowd until August 2019. Thank you MNOs!

    Bugcrowd invited me to San Francisco to attend their industry party event "Mayhem at the Mint" that is part of their involvement with the RSA Conference, a major security industry conference. I posted pictures here:

    https://www.dash.org/forum/threads/...ted-at-major-security-conference-event.36802/

    The next morning I sat for a video interview about the partnership of Dash Bug Bounty with Bugcrowd. Here's a tweet about it:

    https://mobile.twitter.com/Bugcrowd/status/986680057635586048?s=20
     
  13. jimbursch

    Mentioned in the press:

    https://coincentral.com/how-blockchain-can-fill-the-talent-gap-in-cybersecurity-and-ai/
     
  14. jimbursch

    Here's another pretty good article about the program:

    https://themerkle.com/meet-the-man-who-created-a-bug-bounty-program-for-dash/

    Meet the Man Who Created a Bug Bounty Program for Dash
    You may not be familiar with Jim Bursch, but you certainly know about Dash, one of the top ten cryptocurrencies (and fighting tooth and nail to remain one). With a strong community supporting it and solid plans to improve its usability and security, Dash has a bug bounty program, and Bursch is the man behind it.
     
