Proposal “Dash-Bug-Bounty-Program-by-BugCrowd” (Completed)

Title: Dash Bug Bounty Program by BugCrowd
Owner: jimbursch
Monthly amount: 330 DASH (157704 USD)
Completed payments: 3 totaling 990 DASH (0 months remaining)
Payment start/end: 2017-06-19 / 2017-09-17 (added on 2017-06-20)
Votes: 977 Yes / 126 No / 45 Abstain

Proposal description

Dash Bug Bounty Program by BugCrowd

Pre-proposal discussion: https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/

Dash can and should have the best funded bug bounty program of all crypto currencies. With a robust bug bounty program, Dash can rightly make the following claims:

  • Dash code is the most secure because we offer the highest bounties to skilled developers to review infrastructure code.
  • Dash is the safest because hackers (white/gray/black) are incentivized to disclose hacks in a manner that is safe and discreet, instead of exploiting or selling hacks.

BugCrowd (https://bugcrowd.com) is the leader in crowdsourced security testing and will connect Dash to a crowd of tens of thousands of security researchers to identify critical software vulnerabilities. With a fully-managed program, Dash can harness the expertise of BugCrowd to manage the Dash bounty program in the safest, most secure and efficient manner.

    3 monthly 330-Dash payments (990 Dash total)

This is a proposal for 990 Dash in 3 monthly payments (330 Dash/month $49.5k at $150 USD/Dash[1]) to establish a fully-managed bug bounty program with BugCrowd for one year, which will be in place through the launch of Evolution.

DashBudgetWatch will manage the relationship with BugCrowd over the course of the year on behalf of Dash. Jim Bursch (@jimbursch), the director of DashBudgetWatch, will coordinate the bug bounty program with the Core Team to ensure that any vulnerabilities are safely reported and addressed.

This proposal includes the following items:

  • BugCrowd management fee for 5 Dash applications for 1 year
  • Reward pool (bounties fund)
  • BugCrowd Crowdcontrol Platform (triage, researcher matching, validation, payout)
  • DashBudgetWatch management fee (includes proposal fee)
  • Prudent reserve (funds set aside to mitigate Dash/USD exchange risk)

BugCrowd and DashBudgetWatch will issue detailed monthly reports of program activity. Where necessary, private reports will be given to the Core Team about any critical vulnerabilities that may be discovered.

About BugCrowd

Philip Da Silva is the representative from BugCrowd who is handling the Dash account. He will be available on this forum to answer any questions about BugCrowd.

About DashBudgetWatch

DashBudgetWatch (https://fundchan.com/dashbudgetwatch) is a project of @jimbursch, who has been an active member of the Dash community for several months. He founded the Los Angeles Dash Users Group and developed the Simple Dash Invoice (https://github.com/jimbursch/simple-dash-invoice). He is also the founder/developer of FundChan.com: funded channel messaging, which is denominated exclusively in Dash.
     
Notes:

1. USD/Dash price based on the rounded 30-day moving average at the time of this writing.

Addendum

Added 2017/06/21 -- Any unused funds left over after 1 year will be rolled into an extension of the program, possibly for another year, or barring extension of the program, will be donated to an appropriate outlet selected by the Dash community.

Added 2017/06/21 -- It will be made clear to BugCrowd that testing of exploits on the mainnet is prohibited by this program.

Added 2017/06/26 -- In response to a concern raised by the PEC, DashBudgetWatch and Jim Bursch will not be acting as an information escrow. The Core Team will have direct access to the BugCrowd platform and it is our goal to integrate BugCrowd with the Jira issue-tracking system utilized by the Core Team.


Discussion: Should we fund this proposal?

1 point,4 months ago
SOOOOOO MANY BUGSSS TO FIND!!!!
-4 points,4 months ago
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
No, I do not think that Dash has any bugs. I have never found or encountered any of them.
-5 points,4 months ago
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
These dots are a bug. How can I get some bounty fund money in Dash for this dots problem?
1 point,4 months ago
The evaluators of this proposal have contacted me with information that I think the MNOs should take into account with some urgency.
They write: "We have revised our report in accordance with the new information. It is with deep regret that we feel it necessary to flag up certain issues on what is clearly a popular proposal, but since the mission of PEC is primarily to protect Dash we feel it is necessary to remind MNOs that they are not in possession of all the details pertinent to this proposal."
Please look at the report here:
https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/
4 points,4 months ago
I have replied:

This is unfortunate.

I shared with @Tallyho a copy of the quote that was provided to me by BugCrowd, upon which I based my estimates for the budget proposal. The content of that quote is subject to a non-disclosure agreement that BugCrowd required me to sign. This is not unusual or nefarious. It is a standard business practice to enable parties to engage in negotiation involving sensitive information such as pricing and discounts.

I believe @Tallyho's main concern is the trade-offs that have to be made between defining the scope of the program and the size of the bounty pool.

Here is what I wrote to @Tallyho, with figures redacted because they are covered under the non-disclosure agreement with BugCrowd:

"When I started working on this project I envisioned a $100,000 bug bounty fund that would be trumpeted from the mountaintops. After researching top tier bug bounty programs, I quickly learned that the amount of the bounty fund is the least important factor. What's important is a relationship with thousands of hackers, hundreds of fully vetted expert researchers, a tested methodology for assigning priority and value to vulnerabilities, and systems in place to accomplish all of that efficiently, securely, and safely. I would be glad to put you in touch directly with the BugCrowd rep to explain in detail what their system entails.

"To be clear, <redacted> is what BugCrowd stated in their quote and is NOT what I have allocated for the bounty pool. As I have stated repeatedly, all these amounts are subject to negotiation, wherein I will be working to get the best deal for Dash.

"Perhaps it would help if I gave you some scenarios with specific numbers. For these scenarios I will not set aside a reserve to deal with USD/Dash price fluctuation. Instead, those funds will be included in the bounty fund and any price fluctuation will be absorbed there."

I then presented figures for 4 scenarios of exactly how the funding could be allocated, which included a scenario in which over $100,000 is allocated for the bounty fund, but only one application could be included in the scope of the program.

I concluded my email with @Tallyho with the following:

"I am of the opinion that it is better for Dash to cover as many important applications as possible in the program and keep the bounty pool to a viable minimum. I also think it is unnecessary to ask the MNOs for more funding to increase the amount of the bounty pool.

"My negotiating position with BugCrowd is that we should receive substantial discounts because we are paying in cash up front for a 12-month program, and those discounts will be applied for additional applications to be included in the program".

If anyone would like to see the numbers, I will be happy to share them privately and confidentially, subject to the terms of the non-disclosure agreement that I am bound to uphold.
0 points,4 months ago
Can you please link to the post in question and not just the whole thread.
0 points,4 months ago
My reply is posted here:
https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/page-2#post-131214
0 points,4 months ago
Thanks, I didn't mean you. I am just getting annoyed by Biltong always linking to the thread, making it very annoying to find the reports, and there being no single place where you can easily look at them all. Well, at this point I'll probably just ignore them.

You had my vote before and that's not going to change :)
1 point,4 months ago
I was not sure about this for the price but with all the unused Dash/money being left on the table this month it gets my votes.
0 points,4 months ago
Thanks Mastermined!
4 points,4 months ago
We will focus the bug bounty program on these Evolution applications as they become available for review, in coordination with Core, of course:

Dash Network — Software Applications

CORE DAEMON : This is the main daemon that does much of the work of the network. It relays blocks, validates blocks and transactions and ultimately is responsible for maintaining the blockchain ledger.

DAPI : This is the third-tier interface, allowing our edge users to maintain a connection to the network and access services from a distance without having to download and validate large amounts of data themselves.

DASHDRIVE : This is where we store user object information in a decentralized and secure way on the network. Only those with proper permissions can update various pieces of data.

ADAPI : We utilize onion-type routing to securely and anonymously access services of DAPI, allowing users to maintain privacy if needed. This is automatically used for our new implementation of ”Privacy,” a cutting edge, improved version of PrivateSend.

https://www.dash.org/forum/threads/hong-kong-dash-research-and-planning-by-evan-duffield.15492/
4 points,4 months ago
This is one of the most important proposals of all. Imagine a hacker discovering a bug in the Dash DAO and draining all 6000 Dash for a given month or so on; the impact of that would be catastrophic. We should have a healthy, security-focused approach, and this bug bounty is a wonderful step in that direction.

Just to be clear, even the Googles and Facebooks have bug bounties, and they do find some serious bugs which their dev teams miss.

In short, please vote a BIG YES.
1 point,4 months ago
Completely agree with you on this. It is needed. We do not want a bug like the one ETH had, leading to a hard fork.

This is absolutely needed in any tech development at this stage of the game.
2 points,4 months ago
For that amount of money we could stick another bumper sticker on another really fast airplane. /s.

This is a clear YES for me.
0 points,4 months ago
Is this going to be applied exclusively to the Core developers source code?
What about others developing for example wallet software, POS systems, ATM software, etc?
Do you actually need the Core developers' consent to start bug hunting https://github.com/dashpay?
1 point,4 months ago
The plan is to start with 5 Core applications, and add additional applications as the budget allows. I suppose technically one doesn't need consent to review open source code, but practically and professionally the program will coordinate with the developer teams, including getting their consent to be included in the program.
2 points,5 months ago
BugCrowd could organize receipt of these bugs, but there'd still need to be someone in Dev willing to read through them, and manage the process for them to be fixed. If there weren't, this would be money down the drain. (5% to Jim Bursch, 40%+ to BugCrowd, ?% in actual paid bounties)

Let me conduct a test: Core - in the process of developing DashTreasury.org and creating automation tools for Amanda's #firstdashwallet campaign, we discovered at least one bug. Is there someone in particular we should submit this information to?
0 points,5 months ago
The BugCrowd platform will be able to integrate with the Jira issue-tracking system that Core Team is implementing, so bugs should be able to be addressed in the Core Team's normal work flow.

I suggest reporting your bug directly to Andy Freer -- andy@dash.org.
0 points,5 months ago
If Andy Freer or Ryan Taylor logged into this site and actively said they wanted this solution, I'd change my votes to yes.
2 points,5 months ago
Quoting Andy Freer: "... the core devs are happy to collaborate as needed with the proposal if the network approves it."

https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/#post-130577

If that isn't good enough, I have to respect your decision, but it means that we will not have a bug bounty program in place for the launch of Evolution. We won't be able to claim the safety and security that is provided by a well-funded bug bounty program.

I will let Andy and Ryan know about your request, but they have been very supportive and I don't expect any more than what they have already expressed.
0 points,5 months ago
If only we had a designated person on the Core Team to answer legitimate and essential questions, this would be so much more time efficient for both sides....hint hint to Core....
1 point,5 months ago
Voting no for now, until someone who actually maintains the code asks for this.
1 point,5 months ago
This gets my Yes votes.
1 point,5 months ago
I think an added bonus is that we will have new people getting to know Dash. Even if the original attempt is for bug hunting, I am certain a couple of highly skilled people will see how great a coin Dash really is.



----------------------- my legit check -----------------
https://bugcrowd.com legit
Andy Freer legit
Andy Freer makes jimbursch legit here https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/#post-130577

seems in order to me

yesses from me
1 point,5 months ago
Like the idea of a bug bounty, but I think it should be managed by core. Ethereum is doing this right https://bounty.ethereum.org/ would like to see a similar program for Dash.
1 point,5 months ago
One of the first things I will be asking of the Core Team is to point https://bounty.dash.org at our BugCrowd program page, which will be designed to fit with dash.org. I believe the Ethereum program is with HackerOne.
0 points,5 months ago
I think dash core should create a bugfix bounty. After all, they have to organise the fix process, and then there is the testing of the fix. IMO core should manage the process.
3 points,5 months ago
Which is better, a company-hired auditor, or an independent auditor?

The case can be made that it is better for someone outside of the Core Team to audit the Core Team code.

Either way, the Core Team will be fixing the bugs, and the bug bounty program will be working closely and cooperatively with the Core Team.
0 points,4 months ago
I agree. Mainly because at the moment money is easier to come by than Dash Core time. Paying you to do this is the easiest way to get the data, and reliability (and defence against hackers) is going to count for a lot.
6 points,5 months ago
A bug bounty is standard operating procedure for any sort of complex programming that is mission critical. A big juicy robust bug bounty gives us bragging rights and terrific stuff for marketing. Voting yes.
4 points,5 months ago
Andy Freer (aka @AndyDark), Core Team CTO just posted the following:

"Hi There

Just to confirm that I've chatted with Jim and the core devs about this proposal and in its current form on DashCentral the core devs are happy to collaborate as needed with the proposal if the network approves it.

Cheers
Andy"

https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/#post-130577
2 points,5 months ago
And Jim is a well known commodity on the Dash.org forum.

solarguy2003
0 points,5 months ago
I will not vote on this before I see a comment from one of the core team.
3 points,5 months ago
Andy Freer, CTO of the Core Team commented here:

https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/#post-130577
0 points,5 months ago
Basically, I think this kind of task is probably necessary for Dash Evolution.

But I do not see a reason why a third party should initiate it for that amount of money ($60k/month).
Secondly, I don't get why the proposal covers only three months when the bounty program would run one year.
Lastly, I miss some transparency over the real cost distribution, especially how much goes to DashBudgetWatch and how much goes to BugCrowd.

Since DashBudgetWatch is another project of jimbursch (the proposal owner), it looks like he has found a profitable way to fund his DashBudgetWatch project.
0 points,5 months ago
It is a 1-year program, paid in 3 payments. We get a better deal paying up front. Also reduces exchange rate risk. BugCrowd sets rates in USD, not Dash.

DashBudgetWatch portion is 5% for managing the program over the year. It takes time and work to manage the relationship with BugCrowd and coordinate with the Core Team.

Another reason for the 3-month payout is so that MNOs can assess progress as program ramps up.

Not sure if you are referring to me or BugCrowd when you say "third party."
3 points,5 months ago
Great Proposal , voting yes
3 points,5 months ago
> Dash can and should have the best funded bug bounty program of all crypto currencies.

This guy gets it. I have no idea if this is the best way to do a bug bounty program, but it seems as good a shot as anything else going (I am not aware of anything else going), so voting yes.
2 points,5 months ago
I also added the following:

It will be made clear to BugCrowd that testing of exploits on the mainnet is prohibited by this program.
3 points,5 months ago
The proposed goal is very relevant and useful.
It focuses on a serious technical threat, the misuse of mistakes in the software that implements and provides DASH, by incentivising finding and removing the mistakes/bugs.
The proposal can only strengthen the very foundation of what we are all bickering about here.
Misuse of existing mistakes in DASH software may lead to serious or even fatal consequences, so evaluating this aspect/issue in dollars or Dash is very hard.
Therefore arguments regarding the amount of funding are dubious.
Since the budget does not limit other proposals, I would not attack the amount.
A one-year duration is a good starting period for a bug hunting program.
The aimed-for property of "crypto-currency with the best funded bug bounty program", which is stated in the proposal, even provides potential for many of those talks and marketing efforts.
There is a very high probability BugCrowd will be willing (or even eager) to host a bug hunting program for DASH, because it does not require any new type of agreement, integration or development (it is just what they do already).
Why BugCrowd? I do not know, but the choice is BugCrowd or HackerOne.
Since companies usually decide to run their bounty on only one of these platforms at a time, most code researchers ultimately decide to check out both platforms as the best way to maximize their exposure to as many bounties as possible.
BugCrowd has approx. 60k researchers and HackerOne a bit more (I think).

The weakness seems to be collaboration with the developers of DASH-related software packages, because they are the actual users (customers) of the bug hunting.

This proposal should definitely get through, unless DASH software developers specify a reason why NOT.
In fact, while understanding those abstaining from voting on this, I do not see any reason for voting against it.
1 point,5 months ago
Thank you jjk for this assessment.

I spoke to both BugCrowd and HackerOne and they both offered a comparable price and program. I selected BugCrowd because they were the most responsive and flexible, which is an important consideration since we are dealing with unprecedented accounting, contracting and legal issues related to Dash, a DAO and crypto currencies in general.

And just to reiterate, I am in communication with Andy Freer and we will be closely coordinating the bug bounty program with the dev team.
1 point,5 months ago
For those who would like a detailed description of how BugCrowd categorizes vulnerabilities, upon which the bounty amounts are set, see this document:

BugCrowd Vulnerability Rating Taxonomy
https://www.dash.org/forum/attachments/bugcrowd-vulnerability-rating-taxonomy-pdf.4215/
1 point,5 months ago
I have added the following addendum to the proposal:

Any unused funds left over after 1 year will be rolled into an extension of the program, possibly for another year, or barring extension of the program, will be donated to an appropriate outlet selected by the Dash community.
4 points,5 months ago
Any idea what portion goes into the bounty pool and what portion is fees paid to BugCrowd?

Thanks for putting the proposal together.
1 point,5 months ago
This is still subject to negotiation with BugCrowd and is dependent on where the USD/Dash price is at the time we finalize our agreement, but my goal is for the BugCrowd fee to be no greater than 40%. With rising prices this will be easy to achieve; if there is a significant drop before we finalize, it will be more difficult.
0 points,5 months ago
I've no idea how to vote on this proposal and so will likely abstain unless some Dash programmer I already know of and trust weighs in on it -- along with someone budget-minded, as well. I have no idea who Jim Bursch is.
0 points,5 months ago
Hi n00bkid

I am most active in the Dash community on Dash Forum. I suggest asking around there about my reputation. @tungfa knows me through the forum.

Also, here is an article on Dash Force News that includes a video of me:

https://www.dashforcenews.com/dash-budget-watch-seeks-polish-treasury-proposal-process/
4 points,5 months ago
We will be closely coordinating the Bug Bounty program with the Core Team to ensure that any vulnerabilities that are found are safely and discreetly reported and fixed. The following is quoted from our pre-proposal discussion:

Andy Freer:

"Hi there,

I can confirm that I've corresponded with Jim. Without commenting on the specifics of this particular proposal, the Core devs believe incentivizing finding of bugs will result in fixing more bugs and get more devs involved, and we're happy to cooperate with any bug-bounty program in which the details are well specified regarding determining whether a bug is valid, severity of bug, and on what metric payouts would be made, and responsible disclosure is followed.

Best,
Andy Freer"
1 point,5 months ago
Any suggestions from Core specifically about this particular proposal? Do THEY need it?
1 point,5 months ago
Every supposedly secure software development team needs this; that is without question.
( Plus I think that Andy Freer is very much from Core: https://www.dash.org/team/ )

But I agree that somebody from Core should express their opinions about why NOT this proposal.
1 point,5 months ago
Here are two videos describing the BugCrowd program:

https://youtu.be/O2CyHOsDVf8

https://youtu.be/CDzjI3avLZs
1 point,5 months ago
The videos help. Thanks for that.
1 point,5 months ago
Security is huge! I think this could be a good plan. But do you think we need to spend a full 60k a month on this?
1 point,5 months ago
It's not 60k/month for 12 months.

It's only 60k/month for 3 months, which will pay up front for the whole 12-month program.

Paying up front enables me to negotiate a better deal with BugCrowd and eliminate any concern on their part about USD/Dash exchange risk.
1 point,5 months ago
Ok, gotcha, yeah, I highly approve of this. We need a system that works. One bug like ETH's DAO could serve as a huge fault to a coin. Security should always be number 1.
0 points,5 months ago
This proposal is for a total of no less than $180,000. Can someone with knowledge assure us that this large amount is justified? The theory has been that the Core developers are methodically and slowly working so as not to rush faulty code to market. This seems like a very high sum.
1 point,5 months ago
Hi narroway -- I completely understand your concern about the relatively large amount. This is why I chose to break the payments up over 3 months. I am planning to have the program up and running in the first month, so that the MNOs will have something to see by the time the second payment is forthcoming.
0 points,5 months ago
How will the money be distributed if funded?
1 point,5 months ago
The final distribution among the listed items is still subject to negotiation with BugCrowd and depends on the final USD amount we end up with at the end of the 3 months of funding. Keep in mind this is a 12-month program, so the allocation will be subject to change. The bulk of the funds will be split between the reserve and the bounty fund.
0 points,5 months ago
Assuming Dash value rises dramatically in that time frame, how then will you reallocate the remaining funds?
0 points,5 months ago
All additional funds generated by a higher USD/Dash price will be allocated to the bounty fund. At the end of 12 months, I anticipate that we will continue the program and left over funds will be used for that purpose. If there is a big enough gain, this project could be self-funding for many years.
1 point,5 months ago
So, suppose you create a BIG bounty and no one collects it... then who gets the money after that? Who manages the funds?
1 point,5 months ago
The funds are managed by DashBudgetWatch (mainly me, Jim Bursch) and at the end of 12 months, most likely left over funds will be used to extend the program. Dash development will be ongoing, and so will the need for a bug bounty program.
0 points,5 months ago
So how does DashBudgetWatch (mostly you) provide vetting of the project's accountability?
1 point,5 months ago
That's a fair question. Since I am both the project leader and the director of DashBudgetWatch, I will be holding myself accountable. I am also accountable to the backers who put up the funds for this proposal.

If DashBudgetWatch succeeds as I envision it, in the future I will be able to separate my role as project leader and director.