Proposal “DashBugBounty-Bugcrowd_1-year_renewal” (Closed)

Title: Dash Bug Bounty - Bugcrowd 12 month renewal
Owner: jimbursch
One-time payment: 250 DASH (39511 USD)
Completed payments: 1 totaling in 250 DASH (0 month remaining)
Payment start/end: 2018-03-19 / 2018-04-18 (added on 2018-03-19)
Votes: 755 Yes / 110 No / 31 Abstain
External information: www.dash.org/forum/threads/proposal-dash-bug-bounty-bugcrowd-12-month-renewal.31962/

Proposal description

In August 2017 we launched the Dash Bug Bounty Program with Bugcrowd, a one-year program that will be up for renewal in August 2018. For updates on the program, see https://www.dash.org/forum/threads/dash-bug-bounty-program.16100/

As an incentive to renew early, Bugcrowd is offering a substantial discount. This is a proposal for funding to take advantage of this discount and renew our agreement with Bugcrowd to extend the program to August, 2019.

Requested amount: 250 Dash

At an exchange rate of $400, the value of this proposal is $100,000.

Use of funds

80% of the requested funds will be paid to Bugcrowd for the following:
  • BugCrowd fee to include 5 Dash applications for 1 year
  • Reward pool (bounties fund)
  • BugCrowd Crowdcontrol Platform (triage, researcher matching, validation, payout)
20% of the requested funds will pay for:
  • Management expenses by Jim Bursch
  • Reserve to mitigate exchange rate risk (falling Dash price)
  • Proposal fee
Here is a video that describes the Bugcrowd platform:



Renewal of this program will keep the Bugcrowd platform in place for the first year of operation of Evolution, which is expected to launch this summer.

If you have questions about the performance of the Dash Bug Bounty Program for Dash, I encourage you to review the update thread that details how the program has operated to date: https://www.dash.org/forum/threads/dash-bug-bounty-program.16100/

I am happy to answer any questions and welcome feedback.


Discussion: Should we fund this proposal?

0 points, 6 months ago
Thank you everyone for supporting this proposal!
Reply
0 points, 6 months ago
voting YES to no bugs
Reply
1 point, 6 months ago
Thank you Jim B. for your work on this project. Voted YES.
Reply
2 points, 6 months ago
Excellent. Voting yes.
Reply
2 points, 6 months ago
Yes please.
Great job, Jim, taking care of this - we found many bugs and sure have to stay on top of this.
Reply
2 points, 6 months ago
From what I've seen, including information that may be disclosed in the near future, this is an invaluable program for Dash. A great example of decentralized development working hand-in-hand with the Core team thanks to the DAO.
Reply
0 points, 6 months ago
You have my support.
Thank you for your proposal.
Reply
2 points, 6 months ago
Please provide stats on how many bugs were reported, how much in bug bounties was paid out (breakdown by amount) and how much funding is left.

I think promotion through Bugcrowd should be delayed until Evolution is out.
Reply
2 points, 6 months ago
They helped us on Core team discover many issues with Copay, and others. I think we need this continuously.
Reply
2 points, 6 months ago
This is a strong endorsement from the people who need it most.
Reply
3 points, 7 months ago
Do we pay bug bounties in USD or Dash? I am in agreement with the bug bounty program, but this proposal for an early renewal seems to be unwise as USD/Dash must be close to a low. It's a gamble, but USD/Dash is probably going to be way higher in June/July. Not sure if renewing early is the way to go.
Reply
0 points, 6 months ago
Hi KiwiCodger

When a bug/vulnerability is reported through Bugcrowd, the bounty is paid in USD. When we receive a report outside of Bugcrowd, we pay the bounty in Dash. FYI - the contract with Bugcrowd is paid in Dash.

The fact of the matter is that we cannot predict what the price of Dash will be in June/July. Back in December, when the price was well over $1000 would you have predicted that it would be around $400 in March?
Reply
0 points, 6 months ago
I've been around crypto for 5 years; yes, a prediction of $400 would follow previous patterns. I also see Dash above $2000 sometime this year. However, we have to deal with the here and now, so I take your points on board.
Reply
4 points, 7 months ago
Ugh, the idea of a bug bounty is good, but this one has spent its resources pretty darn inefficiently. What portion of the total proposal fees actually got paid to the programmers who found the bugs? So, so, so tiny...

If this is going to run again, you need to get a better bang for our buck by at least getting this plastered on all social media, and some more substantial press. Perhaps throw some of the extra funds towards paid ads in hacker subreddits while they last.
Reply
3 points, 7 months ago
Hi chrisb

Have you considered that more bugs have not been found because more bugs do not exist? That, in fact, the code is pretty secure?

Dash code is sophisticated and requires review by expert programmers. It is not something that script kiddies can just take a whack at and tease out a bunch of bugs.

We have not "spent" our "resources." The Dash Bug Bounty Program is well funded to continue indefinitely. This proposal is for funds to extend the Bugcrowd agreement for an additional year to August, 2019. In my judgment it is better to seek additional funding rather than deplete the bounty fund.

However, your point that there needs to be more PR for the program is a good one, and that is something that we are addressing.
Reply
1 point, 6 months ago
That's reasonable, thanks. Looking forward to more promotion of this if it passes. The more promotion we get on this, the more bugs found.
Reply
1 point, 7 months ago
The discussion in Core is unanimous that this program has helped us out and has revealed to us both major and critical issues, mostly inherited from upstream forked code. I believe it's highly valuable in its current form, and I know that Jim really takes every reported issue coming from the community and programs like this one very seriously; me too, in fact. The reason there is so little payout is that very few valid issues are ever found in production, while most so far have been found in betas of apps we are launching. It's also great to have the extra eyes on our code that this program provides us. Don't MNOs feel safer when many people have an eye on the code?
Reply
1 point, 6 months ago
Seconded.
Reply
1 point, 7 months ago
Since you can vouch for this I see no problem continuing the funding.
Reply
5 points, 7 months ago
So what about the remaining funds from last year? I believe you paid out not more than 10% of last year's budget. What will happen to the rest of the money?
Reply
5 points, 7 months ago
If the budget is still not used up, maybe you can just continue one more year for free?
Reply
5 points, 7 months ago
I would also like to see how all the funds were distributed. Last year's budget was very big and the price appreciated a ton.
Reply
-2 points, 7 months ago
It was because of the price appreciation that I felt confident to engage PMBC Group for PR for the bounty program. When the price is high, we can make expenditures from the bounty fund. But since the price has retreated -- and we don't know how low it can go -- I am much more conservative about the bounty fund.
Reply
1 point, 7 months ago
Just to clarify, this proposal is for a 1 year renewal of the Bugcrowd platform, not the Dash Bug Bounty Program itself. While we have a bounty fund in place, the Dash Bug Bounty Program will continue with or without Bugcrowd.

So, yes, we can continue to operate the Dash Bug Bounty Program for "free" indefinitely, as long as the bounty fund holds out.

But we receive substantial benefits from the association with Bugcrowd. They have a relationship with thousands of researchers through their platform, including hundreds of high-level researchers, including elite hackers.

The most serious vulnerabilities we have encountered have come through Bugcrowd.
Reply
0 points, 7 months ago
The funds from last year were distributed as described in last year's proposal. Most was used to pay for 1 year of Bugcrowd; additional funds were distributed as described in the update thread, and a substantial amount is held in the bounty pool to pay for potential bounties.
Reply
4 points, 7 months ago
I really appreciate the effort with this, but so little of these funds have actually made it into the hands of the people reporting bugs. Is there a way to better promote this?

I was in support of last year's bounty program, but I expected something more vibrant. Thank you, Jim.
Reply
2 points, 7 months ago
I agree that the portion of funds that actually made it to bug finders is small, but remember that the value of securing the software is immeasurable.

That being said, I agree that this bounty program was very poorly promoted, especially because it includes a lofty management fee from jimbursch. I'd have expected he'd make an ongoing effort to promote this bounty program, but the lack of payments made kind of indicates it was running passively. Correct me if I'm wrong. Thanks for the effort and intentions in any case.
Reply
0 points, 7 months ago
Hi phantomgrace

See my reply to @papatierra -- we're working on it, and have made progress!
Reply
1 point, 7 months ago
Thanks jimbursch. I like this pr. Wish it had happened sooner, but it's not too late at all now.
Reply
1 point, 7 months ago
Hi papatierra

You are absolutely right about the importance of getting the word out and we are working on that.

Take a look at this update post:
https://www.dash.org/forum/threads/dash-bug-bounty-program.16100/page-2#post-172424

And this post:
https://www.dash.org/forum/threads/podcast-featuring-jim-bursch-on-dash-dash-messaging-and-bug-bounty.31654/

There you will see a list of media outlets/posts/articles/podcasts that came as a result of the work of PMBC, a PR firm that we hired in January to help get the word out about the Dash Bug Bounty Program. That is just the beginning, as they have a lot more planned.

We also have more ideas in the pipeline to help get the word out. I have registered the domain StealMyWallet.com which we may use as part of a PR campaign. If you google it, you will see that it was used in the past to highlight the security of Bitcoin.
Reply
3 points, 7 months ago
Thanks, Jim. I'm really glad to see that you're making a big effort to promote this bug bounty program. It's a great program, but without more buzz around it, the only winner becomes Bug Bounty.

If the budget allows this month, I'll vote yes on this and thanks again for the thoughtful answer.
Reply
2 points, 7 months ago
How many bugs were caught so far?
Reply
1 point, 7 months ago
By my count there are 14 vulnerabilities reported in the update thread. These are vulnerabilities that warranted a code change and qualified to receive a bounty.

Over 50 vulnerabilities have been reported through the Bugcrowd platform and were screened by Bugcrowd engineers. Bugs that don't qualify for a bounty are either duplicate, out-of-scope, or sometimes we are not able to replicate what is being reported.
Reply
0 points, 7 months ago
What's the size of the bounty for 1 qualified bug?
Reply
0 points, 6 months ago
The amount of the bounty depends on the severity of the vulnerability:

Priority   Severity   Reward
P1         critical   $5,000 - $10,000
P2         high       $1,000 - $5,000
P3         medium     $500 - $1,000
P4         low        $100 - $500
Reply
1 point, 7 months ago
I'm curious how many Dash products the Bugcrowd system is covering. It should include all the Dash mobile wallets etc., even dash-central.
Reply
0 points, 7 months ago
The Dash Bug Bounty Program covers all Dash products and systems that are critical to Dash, if the Core Team determines that a reported bug/vulnerability is serious enough for a bounty payment.

With the Bugcrowd platform, 5 applications are covered (4 cash bounty, 1 kudos-only). Up until this month, the plan was to cover Dash Core and 3 Copay wallets (Android, iOS, Windows). But after consulting with QuantumExplorer, who now leads Dash's mobile team, we have decided to allocate the slots to Dash Android (the HashEngineering wallet), Dash iOS, and Dash Copay Android. Those should be launching within a week or two.
Reply
0 points, 7 months ago
The forum discussion for this proposal is located here:

https://www.dash.org/forum/threads/proposal-dash-bug-bounty-bugcrowd-12-month-renewal.31962/
Reply