Welcome!

SOOOOOO MANY BUGSSS TO FIND!!!!

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
No I do not think that Dash has any bugs. I have never found to have encounterred any of them.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
These dots are a bug. How can I get some bounty fund money Dash for these dots problem?

The evaluators of this proposal has contacted me with information that I think the MNO's should take into account with some urgency.
They write: "We have revised our report in accordance with the new information. It is with deep regret that we feel it necessary to flag up certain issues on what is clearly a popular proposal, but since the mission of PEC is primarily to protect Dash we feel it is necessary to remind MNOs that they are not in possession of all the details pertinent to this proposal."
Please look at the report here:
https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/

I have replied:

This is unfortunate.

I shared with @Tallyho a copy of the quote that was provided to me by BugCrowd, upon which I based my estimates for the budget proposal. The content of that quote is subject to a non-disclosure agreement that BugCrowd required me to sign. This is not unusual or nefarious. It is a standard business practice to enable parties to engage in negotiation involving sensitive information such as pricing and discounts.

I believe @Tallyho's main concern is the trade-offs that have to be made between defining the scope of the program and the size of the bounty pool.

Here is what I wrote to @Tallyho, with figures redacted because they are covered under the non-disclosure agreement with BugCrowd:

"When I started working on this project I envisioned a $100,000 bug bounty fund that would be trumpeted from the mountaintops. After researching top tier bug bounty programs, I quickly learned that the amount of the bounty fund is the least important factor. What's important is a relationship with thousands of hackers, hundreds of fully vetted expert researchers, a tested methodology for assigning priority and value to vulnerabilities, and systems in place to accomplish all of that efficiently, securely, and safely. I would be glad to put you in touch directly with the BugCrowd rep to explain in detail what their system entails.

"To be clear, <redacted> is what BugCrowd stated in their quote and is NOT what I have allocated for the bounty pool. As I have stated repeatedly, all these amounts are subject to negotiation, wherein I will be working to get the best deal for Dash.

"Perhaps it would help if I gave you some scenarios with specific numbers. For these scenarios I will not set aside a reserve to deal with USD/Dash price fluctuation. Instead, those funds will be included in the bounty fund and any price fluctuation will be absorbed there."

I then presented figures for 4 scenarios of exactly how the funding could be allocated, which included a scenario in which over $100,000 is allocated for the bounty fund, but only one application could be included in the scope of the program.

I concluded my email with @Tallyho with the following:

"I am of the opinion that it is better for Dash to cover as many important applications as possible in the program and keep the bounty pool to a viable minimum. I also think it is unnecessary to ask the MNOs for more funding to increase the amount of the bounty pool.

"My negotiating position with BugCrowd is that we should receive substantial discounts because we are paying in cash up front for a 12-month program, and those discounts will be applied for additional applications to be included in the program".

If anyone would like to see the numbers, I will be happy to share them privately and confidentially, subject to the terms of the non-disclosure agreement that I am bound to uphold.

Can you please link to the post in question and not just the whole thread.

My reply is posted here:
https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/page-2#post-131214

Thanks didn't mean you. I am just getting annoyed by Biltong always linking to the thread making it very annoying to find the reports. And there being no single place that you can easily look at them all. Well at this point ill probably just ignore them.

You had my vote before and that's not going to change :)

I was not sure about this for the price but with all the unused Dash/money being left on the table this month it gets my votes.

Thanks Mastermined!

We will focus the bug bounty program on these Evolution applications as they become available for review, in coordination with Core, of course:

Dash Network — Software Applications

CORE DAEMON : This is the main daemon that that does much of the work of the network. It relays blocks, validates blocks and transactions and ultimately is responsible for maintaining the blockchain ledger.

DAPI : This is the third-tier interface, allowing our edge users to maintain a connection to the network and access services from a distance without having to download and validate large amounts of data themselves

DASHDRIVE : This is where we store user object information in a decentralized and secure way on the network. Only those with proper permissions can update various pieces of data.

ADAPI : We utilize onion-type routing to securely and anonymously access services of DAPI, allowing users to maintain privacy if needed. This is automatically used for our new implementation of ”Privacy,” a cutting edge, improved version of PrivateSend.

https://www.dash.org/forum/threads/hong-kong-dash-research-and-planning-by-evan-duffield.15492/

This is one of the most important proposals of all , imagine a hacker discovering a bug in dash dao and drains all 6000 dash for a given month or so on , the impact of that would be catastrophic , we should have a healthy security focused approach and this bug bounty is wonderful step on that

Just to be clear , even the googles and facebooks have bug bounties and they do find some serious bugs which their dev teams miss

in short please vote a BIG YES

Completely agree with you on this. It is needed. We do not want bug like ETH did leading to a hard fork.

This is absolutely needed in any tech development at this stage of the game.

For that amount of money we could stick another bumper sticker on another really fast airplane. /s.

This is a clear YES for me.

Is this going to be applied exclusively to the Core developers source code?
What about others developing for example wallet software, POS systems, ATM software, etc?
Do you actually need the Core developers' consent to start bug hunting https://github.com/dashpay?

The plan is to start with 5 Core applications, and add additional applications as the budget allows. I suppose technically one doesn't need consent to review open source code, but practically and professionally the program will coordinate with the developer teams, including getting their consent to be included in the program.

BugCrowd could organize receipt of these bugs, but there'd still need to be someone in Dev willing to read through them, and manage the process for them to be fixed. If there weren't, this would be money down the drain. (5% to Jim Bursch, 40%+ to BugCrowd, ?% in actual paid bounties)

Let me conduct a test: Core - in the process of developing DashTreasury.org and creating automation tools for Amanda's #firstdashwallet campaign, we discovered at least one bug. Is there someone in particular we should submit this information to?

The BugCrowd platform will be able to integrate with the Jira issue-tracking system that Core Team is implementing, so bugs should be able to be addressed in the Core Team's normal work flow.

I suggest reporting your bug directly to Andy Freer -- andy@dash.org.

If Andy Freer or Ryan Taylor logged into this site and actively said they wanted this solution, I'd change my votes to yes.

Quoting Andy Freer: "... the core devs are happy to collaborate as needed with the proposal if the network approves it."

https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/#post-130577

If that isn't good enough, I have to respect your decision, but it means that we will not have a bug bounty program in place for the launch of Evolution. We won't be able to claim the safety and security that is provided by a well-funded bug bounty program.

I will let Andy and Ryan know about your request, but they have been very supportive and I don't expect any more than what they have already expressed.

If only we had a designated person on the Core Team to answer legitimate and essential questions, this would be so much more time efficient for both sides....hint hint to Core....

Voting no for now, until someone who actually maintains the code asks for this.

This gets my Yes votes.

I think added bonus also is that we will have new people getting to know dash, even if the original attempt is for bughunting, I am certain a couple of highly skilled people will see how great of an coin dash really is.



----------------------- my legit check -----------------
https://bugcrowd.com legit
Andy Freer legit
Andy Freer makes jimbursch legit here https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/#post-130577

seems in order to me

yesses from me

Like the idea of a bug bounty, but I think it should be managed by core. Ethereum is doing this right https://bounty.ethereum.org/ would like to see a similar program for Dash.

One of the first things I will be asking of the Core Team is to point https://bounty.dash.org at our BugCrowd program page, which will be designed to fit with dash.org. I believe the Ethereum program is with HackerOne.

I think dash core should create a bugfix bounty. After all, they have to organise the fix process, and then there is the testing of the fix. IMO core should manage the process.

Which is better, a company-hired auditor, or an independent auditor?

The case can be made that it is better for someone outside of the Core Team to audit the Core Team code.

Either way, the Core Team will be fixing the bugs, and the bug bounty program will be working closely and cooperatively with the Core Team.

I agree. Mainly because at the moment money is easier to come by than Dash Core time. Paying you to do this is the easiest way to get the data, and reliability (and defence against hackers) is going to count for a lot.

A bug bounty is standard operating procedure for any sort of complex programming that is mission critical. A big juicy robust bug bounty gives us bragging rights and terrific stuff for marketing. Voting yes.

Andy Freer (aka @AndyDark), Core Team CTO just posted the following:

"Hi There

Just to confirm that i've chatted with Jim and the core devs about this proposal and in it's current form on DashCentral the core devs are happy to collaborate as needed with the proposal if the network approves it.

Cheers
Andy"

https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/#post-130577

And Jim is a well known commodity on the Dash.org forum.

solarguy2003

I do not vote on this before I see a comment from one of the core team

Andy Freer, CTO of the Core Team commented here:

https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/#post-130577

basically I think it this kind of task is probably necessary for DASH Evolution.

But I do not see a reason why a third party should initiate it for that amount of money ($60k/mnth).
Secondly I don't get why the proposal covers only three months but the bounty program would run one year.
Lastly I miss some transparency over the real costs distribution - especially how much goes to DashBudgetWatch and how much goes to BugCrowd.

Since DashBudgetWatch is another project of Jimbursch (proposal owner) it looks like he found a profitable way to fund his DashBudgetWatch project.

It is a 1-year program, paid in 3 payments. We get a better deal paying up front. Also reduces exchange rate risk. BugCrowd sets rates in USD, not Dash.

DashBudgetWatch portion is 5% for managing the program over the year. It takes time and work to manage the relationship with BugCrowd and coordinate with the Core Team.

Another reason for the 3-month payout is so that MNOs can assess progress as program ramps up.

Not sure if you are referring to me or BugCrowd when you say "third party."

Great Proposal , voting yes

> Dash can and should have the best funded bug bounty program of all crypto currencies.

This guys gets it. I have no idea if this is the best way to do a bug bounty program but it seems as good a shot as anything else going (I am not aware of anything else going) so voting yes.

I also added the following:

It will be made clear to BugCrowd that testing of exploits on the mainnet is prohibited by this program.

The proposed goal is very relevant and useful.
It focuses on a serious technical threat of misusing the mistakes in the software that implements and provides DASH by incentivising finding and removing the mistakes/bugs.
The proposal can only strengthen the very foundation of what are we all bickering about here.
Misuse of existing mistakes in DASH software may lead to serious or even fatal consequences, so evaluating this aspect/issue in dollars or dash is very hard.
Therefore arguments regarding the amount of funding are dubious.
Since the budget does not limit other proposals I would not attack the amount.
One year duration is a good starting period for a bug hunting program.
The aimed property of "crypto-currency with the best funded bug bounty program", which is stated in the proposal, even provides a potential for many of those talks and marketing efforts.
There is a very high probability BugCrowd will be willing (or even eager) to host a bug hunting program for DASH, because it does not require any new type of agreement, integration or development (it is just what they do already).
Why BugCrowd? I do not know, but the choice is BugCrowd or HackerOne.
Since companies usually decide to run their bounty on only one of these platforms at a time, most code researchers ultimately decide to check out both platforms as the best way to maximize their exposure to as many bounties as possible.
BugCrowd has cca 60k researchers and HackerOne a bit more (I think).

The weakness seems to be collaboration with developers of DASH related software packages, because they are be the actual users (customers) of the bug hunting.

This proposal should definitely get through, unless DASH software developers specify a reason why NOT.
In fact, while understanding those absenting their vote for this, I do not see any reason for voting against it.

Thank you jjk for this assessment.

I spoke to both BugCrowd and HackerOne and they both offered a comparable price and program. I selected BugCrowd because they were the most responsive and flexible, which is an important consideration since we are dealing with unprecedented accounting, contracting and legal issues related to Dash, a DAO and crypto currencies in general.

And just to reiterate, I am in communication with Andy Freer and we will be closely coordinating the bug bounty program with the dev team.

For those who would like a detailed description of how BugCrowd categorizes vulnerabilities, upon which the bounty amounts are set, see this document:

BugCrowd Vulnerability Rating Taxonomy
https://www.dash.org/forum/attachments/bugcrowd-vulnerability-rating-taxonomy-pdf.4215/

I have added the following addendum to the proposal:

Any unused funds left over after 1 year will be rolled into an extension of the program, possibly for another year, or barring extension of the program, will be donated to an appropriate outlet selected by the Dash community.

Any idea what portion goes into the bounty pool and what portion is fees paid to BugCrowd?

Thanks for putting the proposal together.

This is still subject to negotiation with BugCrowd and is dependent on where the USD/Dash price is at the time we finalized our agreement, but my goal is for the BugCrowd fee be no greater than 40%. With rising prices this will be easy to achieve; if there is a significant drop before we finalize, it will be more difficult.

I've no idea how to vote on this proposal and so will likely abstain unless some Dash programmer I already know of and trust weighs in on it -- along with someone budget-minded, as well. I have no idea who Jim Bursch is.

Hi n00bkid

I am most active in the Dash community on Dash Forum. I suggest asking around there about my reputation. @tungfa knows me through the forum.

Also, here is an article on Dash Force News that includes a video of me:

https://www.dashforcenews.com/dash-budget-watch-seeks-polish-treasury-proposal-process/

We will be closely coordinating the Bug Bounty program with the Core Team to ensure that any vulnerabilities that are found are safely and discretely reported and fixed. The following is quoted from our pre-proposal discussion:

Andy Freer:

"Hi there,

I can confirm that i've corresponded with Jim. Without commenting on the specifics of this particular proposal, the Core devs believe incentivizing finding of bugs will result in fixing more bugs and get more devs involved, and we're happy to cooperate with any bug-bounty program in which the details are well specified regarding determining whether a bug is valid, severity of bug, and on what metric payouts would be made, and responsible disclosure is followed.

Best,
Andy Freer"

Any suggestions from Core specifically about this particular proposal? Do THEY need it?

Every supposedly secure software development team needs this - that is without questioning.
( Plus I think that Andy Freer is very much from Core: https://www.dash.org/team/ )

But I agree that somebody from Core should express their opinions about why NOT this proposal.

Here are two videos describing the BugCrowd program:

https://youtu.be/O2CyHOsDVf8

https://youtu.be/CDzjI3avLZs

The videos help. Thanks for that.

Security is huge! I think this could be a good plan. But do you think we need to spend a full 60k a month on this?

It's not 60k/month for 12 months.

It's only 60k/month for 3 months, which will pay up front for the whole 12-month program.

Paying up front enables me to negotiate a better deal with BugCrowd and eliminate any concern on their part about USD/Dash exchange risk.

Ok got cha, yea I highly approve of this. We need a system that works. 1 bug like ETHs dao could serve as a huge fault to a coin. Security should always be number 1

This proposal is for a total of no less than $180,000. Can some one with knowledge assure that this large amount is justified? The theory has been the Core developers are methodically and slowly working so as not to rush faulty code to market. This seems like a very high sum.

Hi narroway -- I completely understand your concern about the relatively large amount. This is why I chose to break the payments up over 3 months. I am planning to have the program up and running in the first month, so that the MNOs will have something to see by the time the second payment is forthcoming.

How will the money be distributed if funded?

The final distribution among the listed items is still subject to negotiation with BugCrowd and depends on the final USD amount we end up with at the end of 3 months funding. Keep in mind this is a 12-month program, so allocation will be subject to change. Bulk of the funds will be between reserve and the bounty fund.

Assuming Dash value rises dramatically in that time frame, how then will mostly you reallocate the remaining funds?

All additional funds generated by a higher USD/Dash price will be allocated to the bounty fund. At the end of 12 months, I anticipate that we will continue the program and left over funds will be used for that purpose. If there is a big enough gain, this project could be self-funding for many years.

So, suppose you create a BIG bounty and no one collects it... then who gets the money after that? Who manages the funds?

The funds are managed by DashBudgetWatch (mainly me, Jim Bursch) and at the end of 12-months, most likely left over funds will be used to extend the program. Dash development will be ongoing, so will the need for a bug bounty program.

So how this DashBudgetWatch (mostly you) provide vetting to the project's accountability?

That's a fair question. Since I am both the project leader and the director of DashBudgetWatch, I will be holding myself accountable. I am also accountable to the backers who put up the funds for this proposal.

If DashBudgetWatch succeeds as I envision it, in the future I will be able to separate my role as project leader and director.