
Dash Bug Bounty Program

The MN network has approved funding to extend our partnership with Bugcrowd in operating the Dash Bug Bounty program for an additional year. We are now engaged with Bugcrowd until August, 2019. Thank you MNOs!

Bugcrowd invited me to San Francisco to attend their industry party event "Mayhem at the Mint" that is part of their involvement with the RSA Conference, a major security industry conference. I posted pictures here:

https://www.dash.org/forum/threads/...ted-at-major-security-conference-event.36802/

The next morning I sat for a video interview about the partnership of Dash Bug Bounty with Bugcrowd. Here's a tweet about it:

https://mobile.twitter.com/Bugcrowd/status/986680057635586048?s=20
 
Mentioned in the press:

Jim Bursch, Director of the DASH Bug Bounty Program, served as a virtual sheriff in the wild, wild west that is cryptocurrency with his “Bug bounty” program developed for DASH. The program offers monetary incentives for hackers to identify points of weakness in the security of DASH’s digital currency. This allows for improvements to be made faster, without lack of access to the right individuals. A problem shared is a problem halved. Or broken down into minute fractions with potentially thousands of people on the case.

https://coincentral.com/how-blockchain-can-fill-the-talent-gap-in-cybersecurity-and-ai/
 
Here's another pretty good article about the program:

https://themerkle.com/meet-the-man-who-created-a-bug-bounty-program-for-dash/

Meet the Man Who Created a Bug Bounty Program for Dash
You may not be familiar with Jim Bursch, but you certainly know about Dash, one of the top ten cryptocurrencies (and fighting tooth and nail to remain one). With a strong community supporting it and solid plans to improve its usability and security, Dash has a bug bounty program, and Bursch is the man behind it.
 
Since my last update, there have been two substantial bounties that have been paid out through the Bugcrowd platform:

$6,000 was paid to a researcher who discovered that the Dash Copay wallet could have its PIN brute-forced by automating PIN attempts and resetting the device clock to bypass the security measure that limited the number of attempts in a given timeframe. Since the Dash Copay wallet was still in testing on testnet, this had no effect on users, but would have been a critical vulnerability had it reached production.

$5,000 was paid to a researcher and Dash community member who discovered a method of tracing Private Send transactions through limited mixing sessions. This was an edge case that was only rarely possible under specific circumstances. Nonetheless we wanted to reward the researcher for putting the time and effort into analyzing private send transactions and discovering a vulnerability, however rare.

Both of the above issues have been addressed and no longer exist.
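
The lockout weakness described in the $6,000 report above, as an added illustration that is not part of the original post and is not Dash Copay code: a JavaScript model of an attempt limiter that trusts the device clock, next to one that persists the failure count. The constants, the state fields and the wipe-after-ten-failures policy are assumptions.

```javascript
// Constructed model; not Dash Copay code. `now` is the device wall clock (ms),
// which whoever holds the device can set freely.
const WINDOW_MS = 60_000;    // assumed rate-limit window
const MAX_PER_WINDOW = 3;    // assumed attempts allowed per window
const MAX_TOTAL_FAILS = 10;  // assumed budget before the seed must be re-imported
const backoff = (n) => (n ? 1000 * 2 ** n : 0); // assumed exponential wait in ms

// Weak form: the failure count is forgotten whenever `now` leaves the window.
function weakTry(s, pin, correct, now) {
  if (now < s.windowStart || now - s.windowStart >= WINDOW_MS) {
    s.windowStart = now;
    s.fails = 0;
  }
  if (s.fails >= MAX_PER_WINDOW) return 'locked';
  if (pin === correct) { s.fails = 0; return 'ok'; }
  s.fails += 1;
  return 'bad';
}

// Hardened form: the count is persisted and only a correct PIN clears it, so the
// total number of guesses is capped no matter what the clock says.
function hardenedTry(s, pin, correct, now) {
  if (s.fails >= MAX_TOTAL_FAILS) return 'wiped';
  if (now < s.lastSeen) s.lockedUntil = now + backoff(s.fails); // clock went back: restart wait
  s.lastSeen = now;
  if (now < s.lockedUntil) return 'locked';
  if (pin === correct) { s.fails = 0; s.lockedUntil = 0; return 'ok'; }
  s.fails += 1;
  s.lockedUntil = now + backoff(s.fails);
  return 'bad';
}

// Test harness: every attempt arrives with the clock one day past the previous
// one, the condition the report describes. Returns how many PINs were compared.
function comparisonsAllowed(tryFn, correct) {
  const s = { windowStart: 0, fails: 0, lastSeen: 0, lockedUntil: 0 };
  let compared = 0;
  for (let i = 0; i < 10000; i++) {
    const r = tryFn(s, String(i).padStart(4, '0'), correct, (i + 1) * 86_400_000);
    if (r === 'ok' || r === 'bad') compared += 1;
    if (r === 'ok' || r === 'wiped') break;
  }
  return compared;
}
console.log(comparisonsAllowed(weakTry, '9999'), comparisonsAllowed(hardenedTry, '9999'));
```

A forward clock jump still skips the back-off wait in the hardened form; it is the clock-independent failure budget that bounds the number of guesses.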
 
$5,000 was paid to a researcher and Dash community member who discovered a method of tracing Private Send transactions through limited mixing sessions. This was an edge case that was only rarely possible under specific circumstances. Nonetheless we wanted to reward the researcher for putting the time and effort into analyzing private send transactions and discovering a vulnerability, however rare.
@UdjinM6 PR#2075 fixes this issue? Or is there something else?
 
Hi All,

I'm Bugcrowd's Director of Account Management and Customer Success. We've been trying to get in touch with Jim for the last couple of months to discuss continuing the program and figured this might be the best place now. @GrandMasterDash please feel free to drop me a note: jason (at) bugcrowd (dot) com.
 
Hi All,

I'm Bugcrowd's Director of Account Management and Customer Success. We've been trying to get in touch with Jim for the last couple of months to discuss continuing the program and figured this might be the best place now. @GrandMasterDash please feel free to drop me a note: jason (at) bugcrowd (dot) com.

I'm sorry to say, I have no idea where Jim is, I haven't seen him around here for a very long time. I'm not sure if it helps but you can submit proposals directly and easily at Dash Nexus, https://dashnexus.org/

If you're successful, the blockchain itself will pay you directly. So long as it's not outlandish, it would get my vote. Thanks.
 
Thanks, @GrandMasterDash, this is helpful. I'll have my team jump on this right away and we'll include some of the performance stats in the proposal. I found last year's vote and will mimic that style for consistency.
 
Hi guys

I haven't been active on the forum for a while, but I do monitor.

I won't be able to manage the program for another year, but I'm glad to advise and assist continuation of the program. I will get in touch with @Jason Pitzen and do what I can to help. I'll also get in touch with Nathan Marley and get his thoughts on program continuation from the perspective of the Core Team.

ping @GrandMasterDash
 