Pre-Proposal: Dash Bug Bounty Program by BugCrowd

Discussion in 'Pre + Budget Proposal Discussions' started by jimbursch, Jun 12, 2017.

  1. jimbursch

    jimbursch Active Member

    Joined:
    Mar 5, 2017
    Messages:
    824
    Likes Received:
    487
    Trophy Points:
    133
    <EDIT> This proposal has been submitted:
    https://www.dashcentral.org/p/Dash-Bug-Bounty-Program-by-BugCrowd

    Manually vote on this proposal (DashCore - Tools - Debugconsole):
    gobject vote-many 76bd96f8c83b16ef06c4cf2527501d97f7c34762ad0fd2e47cedcd754f193522 funding yes

    The amount of the proposal has been changed from pre-proposal to proposal due to USD exchange rate change.
    </EDIT>


    Pre-Proposal: Dash Bug Bounty Program by BugCrowd


    Dash can and should have the best funded bug bounty program of all crypto currencies. With a robust bug bounty program, Dash can rightly make the following claims:

    • Dash code is the most secure because we offer the highest bounties to skilled developers to review infrastructure code.
    • Dash is the safest because hackers (white/gray/black) are incentivized to disclose hacks in a manner that is safe and discreet, instead of exploiting or selling hacks.

    BugCrowd (https://bugcrowd.com) is the leader in crowdsourced security testing and will connect Dash to a crowd of tens of thousands of security researchers to identify critical software vulnerabilities. With a fully-managed program, Dash can harness the expertise of BugCrowd to manage the Dash bounty program in the safest, most secure and efficient manner.

    3 monthly 300-Dash payments (900 Dash total)

    This is a proposal for 900 Dash in 3 monthly payments (300 Dash/month, $54k at $180 USD/Dash) to establish a fully-managed bug bounty program with BugCrowd for one year, which will be in place through the launch of Evolution.
    DashBudgetWatch will manage the relationship with BugCrowd over the course of the year on behalf of Dash. Jim Bursch (@jimbursch), the director of DashBudgetWatch, will coordinate the bug bounty program with the Core Team to ensure that any vulnerabilities are safely reported and addressed.

    This proposal includes the following items:

    • BugCrowd management fee for 5 Dash applications for 1 year
    • Reward pool (bounties fund)
    • BugCrowd Crowdcontrol Platform (triage, researcher matching, validation, payout)
    • DashBudgetWatch management fee (includes proposal fee)
    • Prudent reserve (funds set aside to mitigate Dash/USD exchange risk)

    BugCrowd and DashBudgetWatch will issue detailed monthly reports of program activity. Where necessary, private reports will be given to the Core Team about any critical vulnerabilities that may be discovered.

    About BugCrowd

    Philip Da Silva is the representative from BugCrowd who is handling the Dash account. He will be available on this forum to answer any questions about BugCrowd.

    About DashBudgetWatch

    DashBudgetWatch (https://fundchan.com/dashbudgetwatch) is a project of @jimbursch, who has been an active member of the Dash community for several months. He founded the Los Angeles Dash Users Group and developed the Simple Dash Invoice (https://github.com/jimbursch/simple-dash-invoice). He is also the founder/developer of FundChan.com: funded channel messaging, which is denominated exclusively in Dash.

    Addendum

    Added 2017/06/21 -- Any unused funds left over after 1 year will be rolled into an extension of the program, possibly for another year, or barring extension of the program, will be donated to an appropriate outlet selected by the Dash community.

    Added 2017/06/21 -- It will be made clear to BugCrowd that testing of exploits on the mainnet is prohibited by this program.

    Added 2017/06/26 -- In response to a concern raised by the PEC, DashBudgetWatch and Jim Bursch will not be acting as an information escrow. The Core Team will have direct access to the BugCrowd platform and it is our goal to integrate BugCrowd with the Jira issue-tracking system utilized by the Core Team.
     
    #1 jimbursch, Jun 12, 2017
    Last edited: Jun 26, 2017
    • Like Like x 1
  2. jimbursch

    jimbursch Active Member

    Joined:
    Mar 5, 2017
    Messages:
    824
    Likes Received:
    487
    Trophy Points:
    133
    I have corresponded with both Ryan Taylor and Andy Freer of the Core Team and they have expressed support for a Dash bug bounty program and will cooperate with the program to address any vulnerabilities or bugs that are discovered.
     
    • Like Like x 1
  3. AndyDark

    AndyDark Well-known Member

    Joined:
    Sep 10, 2014
    Messages:
    347
    Likes Received:
    691
    Trophy Points:
    163
    Hi there,

    I can confirm that I've corresponded with Jim. Without commenting on the specifics of this particular proposal, the Core devs believe incentivizing the finding of bugs will result in fixing more bugs and getting more devs involved, and we're happy to cooperate with any bug-bounty program in which the details are well specified regarding determining whether a bug is valid, the severity of the bug, and on what metric payouts would be made, and responsible disclosure is followed.

    Best,
    Andy Freer
     
    • Like Like x 1
    • Informative Informative x 1
  4. jimbursch

    jimbursch Active Member

    Joined:
    Mar 5, 2017
    Messages:
    824
    Likes Received:
    487
    Trophy Points:
    133
    Thanks @AndyDark!

    I'm going to have the BugCrowd reps address specifics of the program since they have much greater expertise than I. As you can see from the videos, they have a phenomenal platform and by utilizing their fully-managed program, we are able to tap in to their depth of experience.
     
    • Like Like x 1
    • Informative Informative x 1
  5. Philip da silva

    Philip da silva New Member

    Joined:
    Jun 12, 2017
    Messages:
    2
    Likes Received:
    1
    Trophy Points:
    3
    Hi,

    My name is Philip Da Silva and I cover the Dash account. I'm happy to discuss the Dash Bug Bounty Program in more detail.

    Before launching the program, Bugcrowd will work with the Dash team on creating the Program Brief (the program guidelines for the security researchers to follow). For examples, check out the "programs" page on the Bugcrowd website for some public programs.

    Bugcrowd’s Technical Operations Team (in-house Application Security Engineers) will handle all bug triage and validation. Any time a researcher submits a bug in the Dash Program, our Tech Ops team will take a look at the bug, make sure it’s valid, in scope, applicable and not a duplicate, and assign a priority rating from P1 - P5 based on the impact score and the steps taken to reproduce the bug. Once our Tech Ops team has done their due diligence, we will send the bug to the Dash Development Team for confirmation and remediation.

    Bugcrowd will provide Dash with our Vulnerability Rating Taxonomy, which is a guideline for the researchers and Dash to follow on how to prioritize bugs based on severity. I've attached our VRT for reference. Again, the VRT is a guideline that we provide our customers, but Dash has the ultimate authority to determine what you consider a P1 (business critical vulnerability) through to a P5 (informational bug).

    Bugcrowd will also provide Dash with the Defensive Vulnerability Pricing Model, which is another useful guideline for Dash to follow on market-rate prices for bugs.

    Bugcrowd’s Customer Success Team will consult with Dash prior to launching the program to determine all program information for the researchers to follow. All this information will be included in the Dash Program Brief so the researchers have a guideline to follow when they begin to participate in the Dash Program.

    The Dash Program will begin in Private, meaning it will not be advertised on the Bugcrowd website. Since the Dash Program will begin in Private, only security researchers from Bugcrowd’s Elite Private Tier will be invited to participate in the Dash Program.

    Please let me know what other specific questions I can address!
     
    • Like Like x 1
  6. Philip da silva

    Philip da silva New Member

    Joined:
    Jun 12, 2017
    Messages:
    2
    Likes Received:
    1
    Trophy Points:
    3
    Attached please find the Bugcrowd Vulnerability Rating Taxonomy!
     

    Attached Files:

  7. tagawa

    tagawa New Member

    Joined:
    Jun 14, 2017
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Very good idea - I'm surprised it hasn't been proposed already.

    Quick question: Have other bounty platforms been considered such as Open Bug Bounty or HackerOne? I'm not saying it's a bad choice, just making sure all options have been looked into.
     
  8. jimbursch

    jimbursch Active Member

    Joined:
    Mar 5, 2017
    Messages:
    824
    Likes Received:
    487
    Trophy Points:
    133
    I considered other platforms and looked closest at HackerOne and BugCrowd, and settled on BugCrowd because they were so responsive to my needs. As you can imagine, we are breaking new ground here and we need to work with a leading company that can be flexible and creative in dealing with the business issues that arise.
     
  9. tagawa

    tagawa New Member

    Joined:
    Jun 14, 2017
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Good to hear. Thanks for the quick reply @jimbursch.
     
  10. TheSingleton

    TheSingleton Active Member
    Masternode Owner/Operator

    Joined:
    Mar 27, 2017
    Messages:
    274
    Likes Received:
    139
    Trophy Points:
    103
    The high cost was a bit of a turn-off, but I guess you shouldn't be cheap when it comes to security and reliability, so overall a Yes from me.
     
  11. jimbursch

    jimbursch Active Member

    Joined:
    Mar 5, 2017
    Messages:
    824
    Likes Received:
    487
    Trophy Points:
    133
    Depending on how you look at it, the high cost is also a feature, supporting the claim that Dash will have the best-funded bug bounty program in all crypto currency.

    The biggest variable in the cost is the fund for bounties. If we don't find vulnerabilities, we save money, but if we do find vulnerabilities and get them fixed, we will be very glad we had the funds.
     
  12. martinf

    martinf Member

    Joined:
    Aug 21, 2015
    Messages:
    70
    Likes Received:
    38
    Trophy Points:
    58
    Thanks for putting together this pre-proposal. It will get my vote for sure.
     
  13. tagawa

    tagawa New Member

    Joined:
    Jun 14, 2017
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    That raises a good question about what would happen in the case of unused bounty. Would it be returned, earmarked for future use, or some other plan?

    Sorry for so many questions but I figure they're likely to come up at the proposal stage anyway.
     
  14. jimbursch

    jimbursch Active Member

    Joined:
    Mar 5, 2017
    Messages:
    824
    Likes Received:
    487
    Trophy Points:
    133
    If at the end of a year of the program we have unused funds we will have several options. The most likely is that we will use the funds to continue the program. Dash development will continue, and so will the need for the bounty program to help maintain the security and safety of Dash.
     
    • Agree Agree x 1
  15. tagawa

    tagawa New Member

    Joined:
    Jun 14, 2017
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Makes sense - thank you.
     
  16. jimbursch

    jimbursch Active Member

    Joined:
    Mar 5, 2017
    Messages:
    824
    Likes Received:
    487
    Trophy Points:
    133
    • Like Like x 1
  17. AndyDark

    AndyDark Well-known Member

    Joined:
    Sep 10, 2014
    Messages:
    347
    Likes Received:
    691
    Trophy Points:
    163
    Hi There

    Just to confirm that I've chatted with Jim and the core devs about this proposal, and in its current form on DashCentral the core devs are happy to collaborate as needed with the proposal if the network approves it.

    Cheers
    Andy
     
    #17 AndyDark, Jun 21, 2017
    Last edited: Jun 21, 2017
  18. jimbursch

    jimbursch Active Member

    Joined:
    Mar 5, 2017
    Messages:
    824
    Likes Received:
    487
    Trophy Points:
    133
  19. Tallyho

    Tallyho Member

    Joined:
    Mar 15, 2015
    Messages:
    125
    Likes Received:
    68
    Trophy Points:
    78
    Proposal Evaluation Committee

    Edit: An updated report was posted on 27th June. Please see here for the latest PEC report https://www.dash.org/forum/threads/...-program-by-bugcrowd.15321/page-2#post-131211

    Hi jimbursch,

    Here is your first PEC Report.

    Couple of notes:
    • There is NO pass/failure mark. The percentage simply allows us to create a Prioritized List of Evaluated Proposals. The idea being that an MNO with very little time can concentrate on Proposals at the bottom of the list only. MNOs with more time will obviously look at all proposals as per normal.
    • The evaluation also enables the Evaluators to look for scammers etc. and red-flag a proposal that is a possible danger to Dash. They have more time and tools to look for the tell-tale signs.
    • How did the Evaluators decide on marks: PEC Evaluator Guidelines https://goo.gl/Futw1d
    • MNOs have been very lenient in the past. So even if you have what you might consider a low mark, you might still pass the Vote ;)
    Most Important: The evaluation is to give you an idea of where you can improve your proposal to have a better chance of earning MNO votes.

    When you improve your proposal, please color all new material in red and don’t delete any word/sentence, but use strikethrough. This will make it easier for the evaluator to find changes when she or he re-evaluates your improved proposal. The MNOs will also be interested to see what you changed to improve your proposal.

    Since you were unlucky enough to submit your Pre-Proposal just as the PEC started, you had a handicap: you did not know the importance of the Dash Project Proposal Template https://goo.gl/m0jgfS . This Template was created some years ago by the MNOs to get all the information that they need to make an informed decision. It is also the easiest way for you to earn extra marks. If your proposal did not cover a question in the Template, just put the Heading and answer in your detail doc. If your proposal does cover the question, just put the Heading with the words: See original Proposal.
    E.g.: Project Scope - Milestones and Schedule: See original Proposal.

    We know this is a painful bureaucratic exercise, but once you’ve done your improvements for this 1st one, the next couple of improvements (maybe just one?) will be easy, and of course – you are bound to have more proposals in the future!

    Good luck!

    170623 jimbursch Team1 R1.jpg
     
    #19 Tallyho, Jun 23, 2017
    Last edited: Jun 27, 2017
    • Like Like x 1
  20. jimbursch

    jimbursch Active Member

    Joined:
    Mar 5, 2017
    Messages:
    824
    Likes Received:
    487
    Trophy Points:
    133
    Thanks @Tallyho for your evaluation.

    Re: costed breakdown -- The breakdown is subject to negotiation with BugCrowd, and I am not in position to make a final agreement until the proposal is funded. This is further complicated by the instability of Dash/USD price, which can swing radically in either direction over the 3-month payout period. I understand the need for transparency, but we also need flexibility to negotiate the best deal for Dash. My goal is to limit the BugCrowd management fee to 40% and the DashBudgetWatch fee to 5%, with the remainder to fund the bounties, but there are many variables that need to be factored. For example, the scope of the program may need to change with the launch of Evolution. All this requires flexibility.

    Re: communication with Core Team -- details will be worked out as we ramp up the program, but you should know that I am in direct communication with Andy Freer, Core Team CTO and he has pledged cooperation and support if the proposal is passed. The BugCrowd platform will be able to integrate with the Jira issue tracking system used by the Core Team.

    I hope this will pick up a few more points for the proposal!
     
    • Informative Informative x 1
  21. Tallyho

    Tallyho Member

    Joined:
    Mar 15, 2015
    Messages:
    125
    Likes Received:
    68
    Trophy Points:
    78
    Thanks for explaining. This is a lot of money though and, particularly given the nature of this proposal where you are to be trusted not only with the funds but with potentially critical vulnerability data, we feel it's very important to demonstrate your commitment to transparency and integrity of information before we can recommend this proposal.

    I must ask you to please update your proposal and the first post in this thread with the following:

    • your own addendum of 2017/06/21 stating what will happen to leftover funds;
    • correct or explain the wording "best funded bug bounty program" because this does not equate to being the bounty program with the highest incentives;
    • the actual cost breakdown, including your fees, Bugbounty's fees and the value of the bounty offered (everybody here is familiar with the risks related to Dash/USD price fluctuations);
    • how the integrity of bug reports will be protected between Bugcrowd issuing them and Core developers receiving them. In other words, why the network should trust YOU to handle this, any potential risks you have anticipated in your handling of the data and steps you will take to mitigate those risks.

    When you improve your proposal, please colour all new material in red and don’t delete any word/sentence, but use strikethrough. This will make it easier for us to find changes when we re-evaluate your improved proposal.

    Thank you.
     
  22. IronVape

    IronVape Member
    Masternode Owner/Operator

    Joined:
    Mar 26, 2016
    Messages:
    117
    Likes Received:
    75
    Trophy Points:
    78
    This is less than we pay for our "Air Force".
    I know "marketing" is our big buzz word this month, but let's try to keep our priorities in line.
    Killing bugs is way more important!
     
    • Agree Agree x 2
    • Like Like x 1
  23. jimbursch

    jimbursch Active Member

    Joined:
    Mar 5, 2017
    Messages:
    824
    Likes Received:
    487
    Trophy Points:
    133
    Hi @Tallyho

    I've added the following to the proposal to address your concern about communication with Core:

    If this adequately addresses your concern, will you make the appropriate adjustment to the PEC rating?
     
  24. Tallyho

    Tallyho Member

    Joined:
    Mar 15, 2015
    Messages:
    125
    Likes Received:
    68
    Trophy Points:
    78
    Thank you Jim, we shall take this into account and post a revised report shortly. Are you able to elaborate on any of our other points?
     
  25. jimbursch

    jimbursch Active Member

    Joined:
    Mar 5, 2017
    Messages:
    824
    Likes Received:
    487
    Trophy Points:
    133
    @Tallyho

    Re: Cost breakdown -- I cannot post a detailed cost breakdown because a final agreement with BugCrowd has not been negotiated. However, if it will help, I am willing to share with you *privately* the quote that I received from BugCrowd, on the condition that it remain confidential. I will also share with you my negotiating goals and additional details that are factors in the final negotiation.

    We are getting very close to the voting deadline for this proposal, so I would appreciate expediency in these matters.
     
  26. Tallyho

    Tallyho Member

    Joined:
    Mar 15, 2015
    Messages:
    125
    Likes Received:
    68
    Trophy Points:
    78
    Hi Jim,

    It's really the MNOs that should have the opportunity to assess the costs, but in the interests of finalising your PEC report as quickly as possible, if you let me know the quote from Bugcrowd and any other details you think will help, I guarantee to treat it with the highest level of confidentiality. I can give you an email address if you prefer.
     
  27. jimbursch

    jimbursch Active Member

    Joined:
    Mar 5, 2017
    Messages:
    824
    Likes Received:
    487
    Trophy Points:
    133
    Email would be fine, thank you.
     
  28. Tallyho

    Tallyho Member

    Joined:
    Mar 15, 2015
    Messages:
    125
    Likes Received:
    68
    Trophy Points:
    78
    I don't seem to be able to start a conversation with you. Please email me at **removed**
     
    #28 Tallyho, Jun 26, 2017
    Last edited: Jun 27, 2017
  29. CaptAhab

    CaptAhab Member

    Joined:
    Mar 25, 2015
    Messages:
    102
    Likes Received:
    57
    Trophy Points:
    78
    Dash Address:
    XwUeFiUQz1qLurzcpzKBDUTPvj1Tzx3FYs
    This seems an excellent idea.
     
  30. Tallyho

    Tallyho Member

    Joined:
    Mar 15, 2015
    Messages:
    125
    Likes Received:
    68
    Trophy Points:
    78
    Proposal Evaluation Committee


    I have reviewed the details that Jim kindly provided me with, and consequently have asked him to make explicit some details that I believe the MNOs not only have a right to know but need to know in order to make an informed decision on how to vote. When Jim responds I will post my revised PEC report, hopefully later on today.
     