Pre-Proposal: Dash Bug Bounty Program by BugCrowd

jimbursch

Well-known Member
Mar 5, 2017
<EDIT> This proposal has been submitted:
https://www.dashcentral.org/p/Dash-Bug-Bounty-Program-by-BugCrowd

Manually vote on this proposal (DashCore - Tools - Debugconsole):
gobject vote-many 76bd96f8c83b16ef06c4cf2527501d97f7c34762ad0fd2e47cedcd754f193522 funding yes

The amount of the proposal has been changed from pre-proposal to proposal due to USD exchange rate change.
</EDIT>


Pre-Proposal: Dash Bug Bounty Program by BugCrowd


Dash can and should have the best funded bug bounty program of all cryptocurrencies. With a robust bug bounty program, Dash can rightly make the following claims:

  • Dash code is the most secure because we offer the highest bounties to skilled developers to review infrastructure code.
  • Dash is the safest because hackers (white/gray/black) are incentivized to disclose hacks in a manner that is safe and discreet, instead of exploiting or selling hacks.

BugCrowd (https://bugcrowd.com) is the leader in crowdsourced security testing and will connect Dash to a crowd of tens of thousands of security researchers to identify critical software vulnerabilities. With a fully-managed program, Dash can harness the expertise of BugCrowd to manage the Dash bounty program in the safest, most secure and efficient manner.

3 monthly 300-Dash payments (900 Dash total)

This is a proposal for 900 Dash in 3 monthly payments (300 Dash/month, $54k at $180 USD/Dash) to establish a fully-managed bug bounty program with BugCrowd for one year, which will be in place through the launch of Evolution.



DashBudgetWatch will manage the relationship with BugCrowd over the course of the year on behalf of Dash. Jim Bursch (@jimbursch), the director of DashBudgetWatch, will coordinate the bug bounty program with the Core Team to ensure that any vulnerabilities are safely reported and addressed.

This proposal includes the following items:

  • BugCrowd management fee for 5 Dash applications for 1 year
  • Reward pool (bounties fund)
  • BugCrowd Crowdcontrol Platform (triage, researcher matching, validation, payout)
  • DashBudgetWatch management fee (includes proposal fee)
  • Prudent reserve (funds set aside to mitigate Dash/USD exchange risk)

BugCrowd and DashBudgetWatch will issue detailed monthly reports of program activity. Where necessary, private reports will be given to the Core Team about any critical vulnerabilities that may be discovered.

About BugCrowd

Philip Da Silva is the representative from BugCrowd who is handling the Dash account. He will be available on this forum to answer any questions about BugCrowd.

About DashBudgetWatch

DashBudgetWatch (https://fundchan.com/dashbudgetwatch) is a project of @jimbursch, who has been an active member of the Dash community for several months. He founded the Los Angeles Dash Users Group and developed the Simple Dash Invoice (https://github.com/jimbursch/simple-dash-invoice). He is also the founder/developer of FundChan.com: funded channel messaging, which is denominated exclusively in Dash.

Addendum

Added 2017/06/21 -- Any unused funds left over after 1 year will be rolled into an extension of the program, possibly for another year, or barring extension of the program, will be donated to an appropriate outlet selected by the Dash community.

Added 2017/06/21 -- It will be made clear to BugCrowd that testing of exploits on the mainnet is prohibited by this program.

Added 2017/06/26 -- In response to a concern raised by the PEC, DashBudgetWatch and Jim Bursch will not be acting as an information escrow. The Core Team will have direct access to the BugCrowd platform and it is our goal to integrate BugCrowd with the Jira issue-tracking system utilized by the Core Team.
 

jimbursch

Well-known Member
Mar 5, 2017
I have corresponded with both Ryan Taylor and Andy Freer of the Core Team and they have expressed support for a Dash bug bounty program and will cooperate with the program to address any vulnerabilities or bugs that are discovered.
 

AndyDark

Well-known Member
Sep 10, 2014
> I have corresponded with both Ryan Taylor and Andy Freer of the Core Team and they have expressed support for a Dash bug bounty program and will cooperate with the program to address any vulnerabilities or bugs that are discovered.

Hi there,

I can confirm that I've corresponded with Jim. Without commenting on the specifics of this particular proposal, the Core devs believe incentivizing the finding of bugs will result in fixing more bugs and getting more devs involved, and we're happy to cooperate with any bug-bounty program in which the details are well specified regarding determining whether a bug is valid, the severity of the bug, and on what metric payouts would be made, and responsible disclosure is followed.

Best,
Andy Freer
 

jimbursch

Well-known Member
Mar 5, 2017
Thanks @AndyDark!

> in which the details are well specified regarding determining whether a bug is valid, severity of bug, and on what metric payouts would be made, and responsible disclosure is followed.

I'm going to have the BugCrowd reps address specifics of the program since they have much greater expertise than I. As you can see from the videos, they have a phenomenal platform, and by utilizing their fully-managed program we are able to tap into their depth of experience.
 

Philip da silva

New Member
Jun 12, 2017
Hi,

My name is Philip Da Silva and I cover the Dash account. I'm happy to discuss the Dash Bug Bounty Program in more detail.

Before launching the program, Bugcrowd will work with the Dash team on creating the Program Brief: the program guidelines for the security researchers to follow. For examples, check out the "programs" page on the Bugcrowd website for some public examples.

Bugcrowd’s Technical Operations Team (in-house Application Security Engineers) will handle all bug Triage and Validation. Any time a researcher submits a bug in the Dash Program, our Tech Ops team will take a look at the bug, make sure it’s valid, in scope, applicable and not a duplicate, assign a priority rating from P1 to P5 based on impact score, and review the steps taken to reproduce the bug. Once our Tech Ops team has done their due diligence, we will send the bug to the Dash Development Team for confirmation and remediation.

Bugcrowd will provide Dash with our Vulnerability Rating Taxonomy which is a guideline for the researchers and Dash to follow on how to Prioritize Bugs based on Severity. I've attached our VRT for reference. Again, the VRT is a guideline that we provide our customers, but Dash has the ultimate authority to determine what you consider a P1 (business critical vulnerability) to a P5 (information bug).

Bugcrowd will also provide Dash with the Defensive Vulnerability Pricing Model which is another useful guideline for Dash to follow on Market Rate Prices for bugs.

Bugcrowd’s Customer Success Team will consult with Dash prior to launching the program to determine all program information for the researchers to follow. All this information will be included in the Dash Program Brief so the researchers have a guideline to follow when they begin to participate in the Dash Program.

The Dash Program will begin in Private, meaning it will not be advertised on the Bugcrowd website. Since the Dash Program will begin in Private, only security researchers from Bugcrowd’s Elite Private Tier will be invited to participate in the Dash Program.

Please let me know what other specific questions I can address!
 

tagawa

New Member
Jun 14, 2017
Very good idea - I'm surprised it hasn't been proposed already.

Quick question: Have other bounty platforms been considered such as Open Bug Bounty or HackerOne? I'm not saying it's a bad choice, just making sure all options have been looked into.
 

jimbursch

Well-known Member
Mar 5, 2017
I considered other platforms and looked closest at HackerOne and BugCrowd, and settled on BugCrowd because they were so responsive to my needs. As you can imagine, we are breaking new ground here and we need to work with a leading company that can be flexible and creative in dealing with the business issues that arise.
 

TheSingleton

Active Member
Masternode Owner/Operator
Mar 27, 2017
The high cost was a bit of a turn-off, but I guess you shouldn't be cheap when it comes to security and reliability, so overall a Yes from me.
 

jimbursch

Well-known Member
Mar 5, 2017
Depending on how you look at it, the high cost is also a feature, supporting the claim that Dash will have the best-funded bug bounty program in all of cryptocurrency.

The biggest variable in the cost is the fund for bounties. If we don't find vulnerabilities, we save money, but if we do find vulnerabilities and get them fixed, we will be very glad we had the funds.
 

tagawa

New Member
Jun 14, 2017
> If we don't find vulnerabilities, we save money, but if we do find vulnerabilities and get them fixed, we will be very glad we had the funds.

That raises a good question about what would happen in the case of unused bounty. Would it be returned, earmarked for future use, or some other plan?

Sorry for so many questions but I figure they're likely to come up at the proposal stage anyway.
 

jimbursch

Well-known Member
Mar 5, 2017
If at the end of a year of the program we have unused funds we will have several options. The most likely is that we will use the funds to continue the program. Dash development will continue, and so will the need for the bounty program to help maintain the security and safety of Dash.
 

AndyDark

Well-known Member
Sep 10, 2014
Hi there,

Just to confirm that I've chatted with Jim and the core devs about this proposal, and in its current form on DashCentral the core devs are happy to collaborate as needed with the proposal if the network approves it.

Cheers
Andy
 

Tallyho

Member
Mar 15, 2015
Proposal Evaluation Committee

Edit: An updated report was posted on 27th June. Please see here for the latest PEC report https://www.dash.org/forum/threads/...-program-by-bugcrowd.15321/page-2#post-131211

Hi jimbursch,

Here is your first PEC Report.

Couple of notes:
• There is NO pass/failure mark. The percentage simply allows us to create a Prioritized List of Evaluated Proposals. The idea being that an MNO with very little time can concentrate on Proposals at the bottom of the list only. MNOs with more time will obviously look at all proposals as per normal.
• The evaluation also enables the Evaluators to look for scammers etc and red-flag a proposal that is a possible danger to Dash. They have more time and tools to look for the tell-tale signs.
• How did the Evaluators decide on marks: PEC Evaluator Guidelines https://goo.gl/Futw1d
• MNOs have been very lenient in the past. So even if you have what you might consider a low mark, you might still pass the Vote ;)
Most Important: The evaluation is to give you an idea of where you can improve your proposal to have a better chance of earning MNO votes.

When you improve your proposal, please color all new material in red and don’t delete any word/sentence, but use strikethrough. This will make it easier for the evaluator to find changes when she or he re-evaluates your improved proposal. The MNOs will also be interested to see what you changed to improve your proposal.

Since you were unlucky enough to submit your Pre-Proposal just as the PEC started, you had a handicap: you did not know the importance of the Dash Project Proposal Template https://goo.gl/m0jgfS . This Template was created some years ago by the MNOs to get all the information that they need to make an informed decision. It is also the easiest way for you to earn extra marks. If your proposal did not cover a question in the Template, just put the Heading and answer in your detail doc. If your proposal does cover the question, just put the Heading with the words: See original Proposal.
E.g.: Project Scope - Milestones and Schedule: See original Proposal.

We know this is a painful bureaucratic exercise, but once you’ve done your improvements for this 1st one, the next couple of improvements (maybe just one?) will be easy, and of course – you are bound to have more proposals in the future!

Good luck!

[Image attachment: 170623 jimbursch Team1 R1.jpg]
 

jimbursch

Well-known Member
Mar 5, 2017
Thanks @Tallyho for your evaluation.

Re: costed breakdown -- The breakdown is subject to negotiation with BugCrowd, and I am not in position to make a final agreement until the proposal is funded. This is further complicated by the instability of Dash/USD price, which can swing radically in either direction over the 3-month payout period. I understand the need for transparency, but we also need flexibility to negotiate the best deal for Dash. My goal is to limit the BugCrowd management fee to 40% and the DashBudgetWatch fee to 5%, with the remainder to fund the bounties, but there are many variables that need to be factored. For example, the scope of the program may need to change with the launch of Evolution. All this requires flexibility.

Re: communication with Core Team -- details will be worked out as we ramp up the program, but you should know that I am in direct communication with Andy Freer, Core Team CTO and he has pledged cooperation and support if the proposal is passed. The BugCrowd platform will be able to integrate with the Jira issue tracking system used by the Core Team.

I hope this will pick up a few more points for the proposal!
 

Tallyho

Member
Mar 15, 2015
Thanks for explaining. This is a lot of money though and, particularly given the nature of this proposal where you are to be trusted not only with the funds but with potentially critical vulnerability data, we feel it's very important to demonstrate your commitment to transparency and integrity of information before we can recommend this proposal.

I must ask you to please update your proposal and the first post in this thread with the following:

  • your own addendum of 2017/06/21 stating what will happen to leftover funds;
  • correct or explain the wording "best funded bug bounty program" because this does not equate to being the bounty program with the highest incentives;
  • the actual cost breakdown, including your fees, Bugbounty's fees and the value of the bounty offered (everybody here is familiar with the risks related to Dash/USD price fluctuations);
  • how the integrity of bug reports will be protected between Bugcrowd issuing them and Core developers receiving them. In other words, why the network should trust YOU to handle this, any potential risks you have anticipated in your handling of the data and steps you will take to mitigate those risks.

When you improve your proposal, please colour all new material in red and don’t delete any word/sentence, but use strikethrough. This will make it easier for us to find changes when we re-evaluate your improved proposal.

Thank you.
 

IronVape

Member
Masternode Owner/Operator
Mar 26, 2016
This is less than we pay for our "Air Force".
I know "marketing" is our big buzz word this month, but let's try to keep our priorities in line.
Killing bugs is way more important!
 

jimbursch

Well-known Member
Mar 5, 2017
Hi @Tallyho

I've added the following to the proposal to address your concern about communication with Core:

> Added 2017/06/26 -- In response to a concern raised by the PEC, DashBudgetWatch and Jim Bursch will not be acting as an information escrow. The Core Team will have direct access to the BugCrowd platform and it is our goal to integrate BugCrowd with the Jira issue-tracking system utilized by the Core Team.

If this adequately addresses your concern, will you make the appropriate adjustment to the PEC rating?
 

Tallyho

Member
Mar 15, 2015
Thank you Jim, we shall take this into account and post a revised report shortly. Are you able to elaborate on any of our other points?
 

jimbursch

Well-known Member
Mar 5, 2017
@Tallyho

Re: Cost breakdown -- I cannot post a detailed cost breakdown because a final agreement with BugCrowd has not been negotiated. However, if it will help, I am willing to share with you *privately* the quote that I received from BugCrowd, on the condition that it remain confidential. I will also share with you my negotiating goals and additional details that are factors in the final negotiation.

We are getting very close to the voting deadline for this proposal, so I would appreciate expediency in these matters.
 

Tallyho

Member
Mar 15, 2015
Hi Jim,

It's really the MNOs that should have the opportunity to assess the costs, but in the interests of finalising your PEC report as quickly as possible, if you let me know the quote from Bugcrowd and any other details you think will help, I guarantee to treat it with the highest level of confidentiality. I can give you an email address if you prefer.
 

Tallyho

Member
Mar 15, 2015
I don't seem to be able to start a conversation with you. Please email me at **removed**
 

Tallyho

Member
Mar 15, 2015
Proposal Evaluation Committee


I have reviewed the details that Jim kindly provided me with, and consequently have asked him to make explicit some details that I believe the MNOs not only have a right to know but need to know in order to make an informed decision on how to vote. When Jim responds I will post my revised PEC report, hopefully later on today.