Dash Bug Bounty Program

jimbursch

Active Member
Mar 5, 2017
My apologies for the delayed update.

Since my last update we have paid out 4 bounties to researchers who have responsibly and discreetly reported issues to us.

0.5 Dash was paid to a researcher who alerted us to a git repository that was publicly exposed on the dash.org domain, which could be hacked in a way that exposed credentials to access a MySQL database. This was a minor issue since the MySQL database in question did not contain sensitive information that was not salted/hashed. Nonetheless, it is concerning when credentials are exposed. Initially the researcher reported this issue through the Bugcrowd platform, which we received as information-only since the dash.org domain falls outside of the scope of the Bugcrowd program. The researcher followed up with additional information reported directly to the Core Team via email at [email protected]. This led to closer examination of the issue and corrective action.

0.5 Dash was paid to a researcher who discovered a bug in a CRM package that was being used on the dash.org domain, which exposed a MySQL database. Like the above issue, this was minor because no sensitive data could be obtained from the database. The CRM package has been disabled.

0.75 Dash was paid to a researcher who reported that we were running an out-of-date version of the Bamboo deployment server, which contained a vulnerability that could compromise Dash binaries. The solution was simply to update the server software.

The above bounties involved only support systems for the Dash Core Team, and did not involve the Dash protocol or wallet software.

On January 17th the Dash Copay wallet for Android, testnet, was added to the Bugcrowd bounty program. Initially the program is launched privately for invited, elite researchers with whom Bugcrowd has established relationships. Over the following weeks, more researchers are invited to the program until we decide to open the program to the public.

Today we paid a $700 bounty through the Bugcrowd platform to a researcher who reported that a function was left in debugging mode, which led to the private key being recorded in a log file upon wallet creation. Because it would be extremely difficult/almost impossible for an attacker to access the log, it was determined that this issue poses very low risk. Nonetheless, a private key should not be recorded in a log. The fix was simple.
 

BARADED

New Member
Feb 6, 2018
Hello, dear @jimbursch! My name is Zasinets Alexander. I am an expert in the field of security and protection of sites from various threats. I found threats on your website. If I send you the report on the security of your sites, can you pay me for my work finding threats to your website?
 

jimbursch

Hi @BARADED

Thank you for your interest in helping to secure Dash!

There are a couple of different ways you can get involved and possibly earn a bounty payment.

- You can join the Bugcrowd platform and submit vulnerability reports here: https://bugcrowd.com/dashdigitalcash
- You can report vulnerabilities directly to the Core Team by email: [email protected]
- Or you are welcome to submit a report directly to me via private message on this forum.

Vulnerability reports are evaluated to determine their level of risk and bounties are paid out accordingly.
 

jimbursch

Hello Dash community

Here is an update on activities with the Dash Bug Bounty Program.

Since the last update we have paid out only one bounty:

1.0 Dash was paid to a researcher who reported a problem in Sentinel that could potentially be used to trip all masternodes into watchdog_expired status. This was given a low/medium priority because the probability of a successful attack was considered low due to validation checks in place. Nonetheless, the problem warranted a code change and a bounty was paid to reward the researcher for reporting the issue. This issue was reported through private messaging on the Dash Forum.

In December of last year, when Dash was seeing record high prices, I decided that it would be a good opportunity to take advantage of the price to engage a PR firm to help promote the Dash Bug Bounty Program. Since Amanda Johnson was working with PMBC Group and they are located here in Los Angeles, and they accept Dash, I entered into a six-month engagement with them to promote the Dash Bug Bounty program, as well as other Dash-related activities. Here are some results of their work:

February 19, 2018: “School for Startups Radio”: DASH Cryptocurrency with Jim Bursch
February 21, 2018: Insurance Business America (168,100 monthly visitors): Virtual sheriffs in the wild, wild west of digital currency
February 25, 2018: Bitcoin Warrior (36,300 monthly visitors): Threat Profile: Knowing yours is the first step to improving online security
January 26, 2018: Rescue a CEO (CEO Blog Nation) (21,000 monthly visits): “14 Entrepreneurs Explain Best Industries To Start a Business in 2018”
January 25, 2018: Digital LA: “Cryptocurrency Beyond Bitcoin: Ethereum, DASH, EOS, and new ICOs”.

This is proving to be a very good investment and we can expect to see a lot more coverage in the coming months.

Also, due to the substantial increase in the value of Dash, I have decided that it is unwise for my Dash-related business activities to be conducted as an individual, and that it would be wiser to engage in these activities under a corporation. To that end, I have created a Delaware C corp called FundChan Inc. and I have transferred all Dash-related assets to it. So, from a legal/business standpoint, the Dash Bug Bounty Program is now being operated on behalf of Dash by FundChan Inc.

Finally, I have received a proposal from Bugcrowd to extend our agreement with them for another year at a substantial discount, which is essentially an incentive to renew early, since our current agreement does not end until August. To take advantage of this proposal now, I would have to submit a Dash Budget proposal valued at approximately $100,000. I will start a discussion in the Pre + Budget Proposal forum to see if this is something the community would like to do.
 

jimbursch

After having a good talk with @QuantumExplorer, who now leads the mobile dev team for Dash Core, we are making some changes to our setup with Bugcrowd.

On the Bugcrowd platform, we can cover five applications (4 cash bounties, 1 free kudos-only). Originally my plan was to use those slots for the Dash Core wallet and three Copay wallets (Android, iOS, Windows). After my discussion with @QuantumExplorer, we have decided to allocate one slot to the Dash iOS wallet and one to the Dash Android (@HashEngineering) wallet. The free kudos-only slot is filled by Dash Messaging.

These changes will be going live soon. Since the Dash iOS and Android wallets are already live, these bounty programs will be launched to the public from the beginning (normally new additions are initially launched privately to invited researchers).

It should be noted that the Dash Bug Bounty program is not limited to the apps we cover on the Bugcrowd platform. All Dash products and critical systems are covered by the Dash Bug Bounty program and we will pay a bounty for validated vulnerabilities that are reported discreetly and responsibly. Reports can be made to the Core Team directly using the email address: [email protected].
 

demo

Well-known Member
Apr 23, 2016
The Dash Bug Bounty Program with Bugcrowd now includes the Dash iOS wallet and the Dash Android (@HashEngineering) wallet. You can view the program brief here:
https://bugcrowd.com/dashdigitalcash

The bounty program for the Dash Copay wallet has been paused temporarily.

Dash Wallet
Have your Dash always with you, in your pocket! You pay by quickly scanning a QR code. As a merchant, you receive payments reliably and instantly. Dash Wallet is the first mobile Dash app.

Access:
iOS: Here
Android: Here
The URL of the Android wallet you gave us is invalid. Does this count as a bug? :p
 

jimbursch

The MN network has approved funding to extend our partnership with Bugcrowd in operating the Dash Bug Bounty program for an additional year. We are now engaged with Bugcrowd until August, 2019. Thank you MNOs!

Bugcrowd invited me to San Francisco to attend their industry party event "Mayhem at the Mint" that is part of their involvement with the RSA Conference, a major security industry conference. I posted pictures here:

https://www.dash.org/forum/threads/...ted-at-major-security-conference-event.36802/

The next morning I sat for a video interview about the partnership of Dash Bug Bounty with Bugcrowd. Here's a tweet about it:

https://mobile.twitter.com/Bugcrowd/status/986680057635586048?s=20
 

jimbursch

Mentioned in the press:

Jim Bursch, Director of the DASH Bug Bounty Program, served as a virtual sheriff in the wild, wild west that is cryptocurrency with his “Bug bounty” program developed for DASH. The program offers monetary incentives for hackers to identify points of weakness in the security of DASH’s digital currency. This allows for improvements to be made faster, without lack of access to the right individuals. A problem shared is a problem halved. Or broken down into minute fractions with potentially thousands of people on the case.
https://coincentral.com/how-blockchain-can-fill-the-talent-gap-in-cybersecurity-and-ai/
 

jimbursch

Here's another pretty good article about the program:

https://themerkle.com/meet-the-man-who-created-a-bug-bounty-program-for-dash/

Meet the Man Who Created a Bug Bounty Program for Dash
You may not be familiar with Jim Bursch, but you certainly know about Dash, one of the top ten cryptocurrencies (and fighting tooth and nail to remain one). With a strong community supporting it and solid plans to improve its usability and security, Dash has a bug bounty program, and Bursch is the man behind it.
 

jimbursch

Since my last update, there have been two substantial bounties that have been paid out through the Bugcrowd platform:

$6,000 was paid to a researcher who discovered that the Dash Copay wallet could have its PIN brute-forced by automating PIN attempts and resetting the device clock to bypass the security measure that limited the number of attempts in a given timeframe. Since the Dash Copay wallet was still in testing on testnet, this had no effect on users, but it would have been a critical vulnerability had it reached production.

$5,000 was paid to a researcher and Dash community member who discovered a method of tracing PrivateSend transactions through limited mixing sessions. This was an edge case that was only rarely possible under specific circumstances. Nonetheless, we wanted to reward the researcher for putting the time and effort into analyzing PrivateSend transactions and discovering a vulnerability, however rare.

Both of the above issues have been addressed and no longer exist.
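The $6,000 Copay finding above is a rate limiter anchored to the device clock. As an added illustration (not Copay or Dash code), here is a minimal PIN attempt limiter with that weakness beside a hardened one whose lockout is driven by a persisted failure count and a monotonic timer the user cannot set; the attempt limits, lockout lengths and class names are assumptions chosen for the example.

```javascript
// Added example, not code from Copay or Dash. Both limiters take their clock
// as a function so a test can simulate the device clock being changed.
const MAX_FREE_ATTEMPTS = 3;          // failures allowed before any lockout (assumed)
const BASE_LOCK_MS = 5 * 60 * 1000;   // first lockout length (assumed)

// Weak: the lockout is "locked until <wall-clock time>". Setting the device
// clock forward past lockedUntil ends the lockout, so guessing can be scripted:
// a clock jump per attempt.
class WallClockLimiter {
  constructor(wallClock) { this.now = wallClock; this.failures = 0; this.lockedUntil = 0; }
  tryPin(pin, correctPin) {
    if (this.now() < this.lockedUntil) return 'locked';
    if (pin === correctPin) { this.failures = 0; return 'ok'; }
    this.failures += 1;
    if (this.failures >= MAX_FREE_ATTEMPTS) this.lockedUntil = this.now() + BASE_LOCK_MS;
    return 'wrong';
  }
}

// Hardened: the failure count is persisted by the app (same protected storage
// as the encrypted wallet) and only a correct PIN resets it. The wait is
// measured with a monotonic timer (process.hrtime style) that wall-clock
// changes do not move, and it doubles with every further failure. When the
// app restarts, lockStartedAt is taken as "now", so the full wait for the
// persisted count is served again rather than being skipped.
class MonotonicLimiter {
  constructor(monoClock, persistedFailures = 0) {
    this.mono = monoClock;
    this.failures = persistedFailures;
    this.lockStartedAt = this.mono();   // conservative: assume no time has elapsed
  }
  requiredWaitMs() {
    const extra = this.failures - MAX_FREE_ATTEMPTS;
    return extra < 0 ? 0 : BASE_LOCK_MS * 2 ** extra;
  }
  tryPin(pin, correctPin) {
    if (this.mono() - this.lockStartedAt < this.requiredWaitMs()) return 'locked';
    if (pin === correctPin) { this.failures = 0; return 'ok'; }
    this.failures += 1;                 // would be written back to persistent storage here
    this.lockStartedAt = this.mono();
    return 'wrong';
  }
}
```

In a real wallet the monotonic source would be the platform's uptime clock and the failure count would be written to the same tamper-resistant storage as the wallet itself; the example only models the control flow.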
 
Apr 9, 2018
$5,000 was paid to a researcher and Dash community member who discovered a method of tracing PrivateSend transactions through limited mixing sessions. This was an edge case that was only rarely possible under specific circumstances. Nonetheless, we wanted to reward the researcher for putting the time and effort into analyzing PrivateSend transactions and discovering a vulnerability, however rare.
@UdjinM6 PR#2075 fixes this issue? Or is there something else?
 

GrandMasterDash

Well-known Member
Masternode Owner/Operator
Jul 12, 2015

Jason Pitzen

New Member
Jul 10, 2019
Hi All,

I'm Bugcrowd's Director of Account Management and Customer Success. We've been trying to get in touch with Jim for the last couple of months to discuss continuing the program and figured this might be the best place now. @GrandMasterDash please feel free to drop me a note: jason (at) bugcrowd (dot) com.
 

GrandMasterDash

I'm sorry to say I have no idea where Jim is; I haven't seen him around here for a very long time. I'm not sure if it helps, but you can submit proposals directly and easily at Dash Nexus, https://dashnexus.org/

If you're successful, the blockchain itself will pay you directly. So long as it's not outlandish, it would get my vote. Thanks.
 

Jason Pitzen

Thanks, @GrandMasterDash, this is helpful. I'll have my team jump on this right away and we'll include some of the performance stats in the proposal. I found last year's vote and will mimic that style for consistency.
 

jimbursch

Hi guys

I haven't been active on the forum for a while, but I do monitor.

I won't be able to manage the program for another year, but I'm glad to advise and assist continuation of the program. I will get in touch with @Jason Pitzen and do what I can to help. I'll also get in touch with Nathan Marley and get his thoughts on program continuation from the perspective of the Core Team.

ping @GrandMasterDash
 