
Pre-proposal: Dash Bug Bounty program

jimbursch

Well-known member
EDIT: This pre-proposal is canceled. Please disregard.

Dash can and should have the best funded bug bounty program of all cryptocurrencies.

I propose creating a 1,000 Dash (~$100,000 USD) war chest out of which will be paid bounties and administrative costs of the Dash Bug Bounty program.

With a robust bug bounty program, Dash can rightly make the following claims:
  • Dash code is the most secure because we offer the highest bounties to skilled developers to review infrastructure code.
  • Dash is the safest because hackers (white/gray/black) are incentivized to disclose hacks in a manner that is safe and discreet, instead of exploiting or selling hacks.
This program will be modeled on the Ethereum Bounty Program (https://bounty.ethereum.org/).

In order to manage the program responsibly and securely, a seven-person advisory board of established and respected community members will appoint a three-person executive team that will manage the program and control the 2-of-3 multisig wallet that will hold the program funds.

I would like to establish the advisory board before submitting the proposal for funding. Please contact me if you are interested or would like to recommend someone.

About me

I am relatively new to the Dash community, but I have been active since joining in March (first purchased at $50/Dash).

I am a php/mysql developer, and I have built a simple dash invoicing app (https://github.com/jimbursch/simple-dash-invoice) just to get familiar with developing for Dash. My main project is FundChan: funded channel messaging (https://fundchan.com) which I recently denominated in Dash.

Also, here in Los Angeles, I am organizing a Dash Users Group:
https://www.dash.org/forum/threads/los-angeles-dash-cryptocurrency-users.14831/
 
Great idea. Bounty rewards should exclude dash developers to prevent bad incentives. Got my vote


Sent from my iPhone using Tapatalk
 
I will be setting up the bounty program on the HackerOne platform:
https://www.hackerone.com/

I'm pretty sure the Ethereum bounty program is also on the HackerOne platform, but not 100% certain. Other organizations in the cryptocurrency space that use HackerOne are:

Blockchain: https://hackerone.com/blockchain
Bitcoin.de: https://hackerone.com/bitcoin_de
Brave Software: https://hackerone.com/brave
Coinbase: https://hackerone.com/coinbase
CoinJar: https://hackerone.com/coinjar
Coinkite: https://hackerone.com/coinkite
itBit: https://hackerone.com/itbit
Kraken: https://hackerone.com/krakenfx
Ripple: https://hackerone.com/ripple
 
Sounds like a good idea, prevention is usually the cheapest approach to problems. Are there examples as to size of rewards that are offered and does it relate to the complexity of how it is found? It also brings to mind the problem of different backdoor entries that have been embedded in some equipment including hard drives, CPUs, operating programs, cell phones, etc.

Is there also a way for the Dash core developers to check known possibilities that can compromise systems or have a reliable list of possible problem areas? With the recent alleged hack of NSA and CIA tools this certainly becomes very important. Cryptos can very well be under attack as the rise in acceptance will start to threaten certain establishment special interests and revenue streams.
 
The following comes from the Ethereum bounty program; we will be doing the same:

The value of rewards paid out will vary depending on Severity. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood.

Yesterday I spoke with a rep from HackerOne. He will be getting back to me with details about their managed programs, which I will be passing along. This proposal will change based on what I learn.

$10,000 seems to be the going rate for extreme impact/likelihood vulnerabilities. I will be proposing a program that is comparable to the Coinbase bounty program, which is considered one of the best programs (or at least best paying).

https://www.coinbase.com/whitehat?locale=en-US
 
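As an added illustration of the severity model mentioned in the post above (this is example code written for this thread, not code from the Ethereum, Coinbase or Dash programs), here is the OWASP Risk Rating calculation carried through in Python: each likelihood and impact factor is scored 0-9, the group averages are banded Low/Medium/High, and the OWASP matrix turns the two bands into an overall severity. The factor names, band thresholds and matrix follow the published OWASP Risk Rating Methodology; the reward amounts and the two sample scorings are constructed placeholders and not figures from any real program.

```python
from statistics import mean

# Factor groups from the OWASP Risk Rating Methodology. Each factor is scored
# 0-9 by the triager; likelihood and impact are the averages of their groups.
LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    # technical impact factors
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)

# OWASP overall-severity matrix, indexed by (likelihood band, impact band).
SEVERITY_MATRIX = {
    ("Low", "Low"): "Note", ("Low", "Medium"): "Low", ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low", ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium", ("High", "Medium"): "High", ("High", "High"): "Critical",
}

# Constructed reward schedule (placeholder USD amounts, not any program's real figures).
REWARD_TIERS = {"Note": 0, "Low": 500, "Medium": 2000, "High": 5000, "Critical": 10000}


def categorize(score):
    """Map a 0-9 score to the OWASP Low (<3) / Medium (<6) / High band."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside 0-9")
    if score < 3:
        return "Low"
    if score < 6:
        return "Medium"
    return "High"


def _group_score(scores, factors):
    """Average one factor group, rejecting missing, unknown or out-of-range entries."""
    missing = set(factors) - set(scores)
    unknown = set(scores) - set(factors)
    if missing or unknown:
        raise ValueError(f"missing factors {sorted(missing)}, unknown factors {sorted(unknown)}")
    for name, value in scores.items():
        if isinstance(value, bool) or not isinstance(value, (int, float)) or not 0 <= value <= 9:
            raise ValueError(f"factor {name} has invalid score {value!r}")
    return mean(scores[f] for f in factors)


def rate_report(likelihood_scores, impact_scores):
    """Return the OWASP severity of a report and the reward tier it maps to."""
    likelihood = _group_score(likelihood_scores, LIKELIHOOD_FACTORS)
    impact = _group_score(impact_scores, IMPACT_FACTORS)
    severity = SEVERITY_MATRIX[(categorize(likelihood), categorize(impact))]
    return {
        "likelihood": likelihood,
        "impact": impact,
        "severity": severity,
        "reward_usd": REWARD_TIERS[severity],
    }


# Constructed sample scorings (illustrative numbers only, not real reports).
SAMPLE_HIGH = (
    {"skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
     "ease_of_discovery": 3, "ease_of_exploit": 5, "awareness": 4, "intrusion_detection": 9},
    {"loss_of_confidentiality": 2, "loss_of_integrity": 9,
     "loss_of_availability": 7, "loss_of_accountability": 7},
)
SAMPLE_LOW = (
    dict.fromkeys(LIKELIHOOD_FACTORS, 1),
    {"loss_of_confidentiality": 2, "loss_of_integrity": 4,
     "loss_of_availability": 1, "loss_of_accountability": 1},
)

if __name__ == "__main__":
    for label, (lik, imp) in (("high", SAMPLE_HIGH), ("low", SAMPLE_LOW)):
        print(label, rate_report(lik, imp))
```

The point for a program administrator is that the reward follows from a reproducible scoring rather than from a negotiation with the reporter: the same factor sheet, filled in the same way, always lands in the same tier, and the validation in `_group_score` refuses an incomplete or out-of-range sheet rather than silently averaging it.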
Great proposal. Bump that up to 50k for extreme!


Sent from my iPhone using Tapatalk
 
Proposal Evaluation Committee

Hi Jim

Just want to find out if you are planning to submit your proposal officially, i.e. pay the 5 Dash to submit it?
If so, do you agree to the PEC (Proposal Evaluation Committee) assisting you in preparing your Pre-Proposal?

The way we do it is to give a Report on your Proposal highlighting areas that you can improve.
As you improve the Proposal the Report is adjusted, and this may be done a number of times (up to 5 or more); each time the chance of your Proposal being accepted by the MNOs will increase.

The Report also has another function:
To give the Pre-Proposal a percentage mark. This percentage will make it possible to give the MNOs and community a prioritized List of Evaluated Proposals. This list will save everyone time and increase the chance of your Proposal gaining votes.

However, please be aware that the PEC has not officially been accepted by the MNOs. We are also in the Pre-Proposal phase, so you have no obligation to partake.
If you want to know who will be doing the Evaluations – see here: Official PEC Pre-P https://goo.gl/qrbeXK

If you do want to use our services (note this is a free service):
1. Please PM me on the Dash Pre + Budget Proposal Discussions Forum indicating agreement.
2. If you have not done this yet, please read: How to submit a Dash Pre-Proposal https://goo.gl/7jmwXQ
3. Once you have read it you might want to adjust your Pre-Proposal before we submit the 1st Report, so I will wait for you to give us the go-ahead before we start the evaluation process.

If you don’t want the PEC to evaluate the Proposal – please PM me as well, then I won’t bug you again for an answer ;)

Good luck with your Proposal!
 
Hi @Biltong

Yes, I do plan on submitting a proposal officially, and yes, I would welcome the assistance of the PEC.

I will alert you when I have a first draft of the proposal. I am currently in discussions with HackerOne and BugCrowd about a managed bug bounty program that will probably have a 12 month duration. There are still many details that need to be worked out before I can craft a proper proposal.
 