Proposal "Dash-Bug-Bounty-Program-by-BugCrowd" (Completed)
Title: Dash Bug Bounty Program by BugCrowd
Owner: jimbursch
Monthly amount: 330 DASH (12093 USD)
Completed payments: 3 totaling 990 DASH (0 months remaining)
Payment start/end: 2017-06-19 / 2017-09-17 (added on 2017-06-20)
Votes: 977 Yes / 126 No / 45 Abstain
Proposal description
Dash Bug Bounty Program by BugCrowd
Pre-proposal discussion: https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/
Dash can and should have the best funded bug bounty program of all crypto currencies. With a robust bug bounty program, Dash can rightly make the following claims:
- Dash code is the most secure because we offer the highest bounties to skilled developers to review infrastructure code.
- Dash is the safest because hackers (white/gray/black) are incentivized to disclose hacks in a manner that is safe and discreet, instead of exploiting or selling hacks.
3 monthly 330-Dash payments (990 Dash total)
This is a proposal for 990 Dash in 3 monthly payments (330 Dash/month, about $49.5k at $150 USD/Dash[1]) to establish a fully-managed bug bounty program with BugCrowd for one year, which will be in place through the launch of Evolution.
DashBudgetWatch will manage the relationship with BugCrowd over the course of the year on behalf of Dash. Jim Bursch (@jimbursch), the director of DashBudgetWatch, will coordinate the bug bounty program with the Core Team to ensure that any vulnerabilities are safely reported and addressed.
This proposal includes the following items:
- BugCrowd management fee for 5 Dash applications for 1 year
- Reward pool (bounties fund)
- BugCrowd Crowdcontrol Platform (triage, researcher matching, validation, payout)
- DashBudgetWatch management fee (includes proposal fee)
- Prudent reserve (funds set aside to mitigate Dash/USD exchange risk)
About BugCrowd
Philip Da Silva is the representative from BugCrowd who is handling the Dash account. He will be available on this forum to answer any questions about BugCrowd.
About DashBudgetWatch
DashBudgetWatch (https://fundchan.com/dashbudgetwatch) is a project of @jimbursch, who has been an active member of the Dash community for several months. He founded the Los Angeles Dash Users Group and developed the Simple Dash Invoice (https://github.com/jimbursch/simple-dash-invoice). He is also the founder/developer of FundChan.com: funded channel messaging, which is denominated exclusively in Dash.
Notes:
1. USD/Dash price based on rounded 30-day moving average at the time of this writing.
Addendum
Added 2017/06/21 -- Any unused funds left over after 1 year will be rolled into an extension of the program, possibly for another year, or barring extension of the program, will be donated to an appropriate outlet selected by the Dash community.
Added 2017/06/21 -- It will be made clear to BugCrowd that testing of exploits on the mainnet is prohibited by this program.
Added 2017/06/26 -- In response to a concern raised by the PEC, DashBudgetWatch and Jim Bursch will not be acting as an information escrow. The Core Team will have direct access to the BugCrowd platform and it is our goal to integrate BugCrowd with the Jira issue-tracking system utilized by the Core Team.
Discussion: Should we fund this proposal?
No, I do not think that Dash has any bugs. I have never found myself to have encountered any of them.
These dots are a bug. How can I get some bounty fund money in Dash for this dots problem?
They write: "We have revised our report in accordance with the new information. It is with deep regret that we feel it necessary to flag up certain issues on what is clearly a popular proposal, but since the mission of PEC is primarily to protect Dash we feel it is necessary to remind MNOs that they are not in possession of all the details pertinent to this proposal."
Please look at the report here:
https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/
This is unfortunate.
I shared with @Tallyho a copy of the quote that was provided to me by BugCrowd, upon which I based my estimates for the budget proposal. The content of that quote is subject to a non-disclosure agreement that BugCrowd required me to sign. This is not unusual or nefarious. It is a standard business practice to enable parties to engage in negotiation involving sensitive information such as pricing and discounts.
I believe @Tallyho's main concern is the trade-offs that have to be made between defining the scope of the program and the size of the bounty pool.
Here is what I wrote to @Tallyho, with figures redacted because they are covered under the non-disclosure agreement with BugCrowd:
"When I started working on this project I envisioned a $100,000 bug bounty fund that would be trumpeted from the mountaintops. After researching top tier bug bounty programs, I quickly learned that the amount of the bounty fund is the least important factor. What's important is a relationship with thousands of hackers, hundreds of fully vetted expert researchers, a tested methodology for assigning priority and value to vulnerabilities, and systems in place to accomplish all of that efficiently, securely, and safely. I would be glad to put you in touch directly with the BugCrowd rep to explain in detail what their system entails.
"To be clear, <redacted> is what BugCrowd stated in their quote and is NOT what I have allocated for the bounty pool. As I have stated repeatedly, all these amounts are subject to negotiation, wherein I will be working to get the best deal for Dash.
"Perhaps it would help if I gave you some scenarios with specific numbers. For these scenarios I will not set aside a reserve to deal with USD/Dash price fluctuation. Instead, those funds will be included in the bounty fund and any price fluctuation will be absorbed there."
I then presented figures for 4 scenarios of exactly how the funding could be allocated, which included a scenario in which over $100,000 is allocated for the bounty fund, but only one application could be included in the scope of the program.
I concluded my email with @Tallyho with the following:
"I am of the opinion that it is better for Dash to cover as many important applications as possible in the program and keep the bounty pool to a viable minimum. I also think it is unnecessary to ask the MNOs for more funding to increase the amount of the bounty pool.
"My negotiating position with BugCrowd is that we should receive substantial discounts because we are paying in cash up front for a 12-month program, and those discounts will be applied for additional applications to be included in the program."
If anyone would like to see the numbers, I will be happy to share them privately and confidentially, subject to the terms of the non-disclosure agreement that I am bound to uphold.
https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/page-2#post-131214
You had my vote before and that's not going to change :)
Dash Network — Software Applications
CORE DAEMON : This is the main daemon that does much of the work of the network. It relays blocks, validates blocks and transactions and ultimately is responsible for maintaining the blockchain ledger.
DAPI : This is the third-tier interface, allowing our edge users to maintain a connection to the network and access services from a distance without having to download and validate large amounts of data themselves.
DASHDRIVE : This is where we store user object information in a decentralized and secure way on the network. Only those with proper permissions can update various pieces of data.
ADAPI : We utilize onion-type routing to securely and anonymously access services of DAPI, allowing users to maintain privacy if needed. This is automatically used for our new implementation of "Privacy," a cutting edge, improved version of PrivateSend.
https://www.dash.org/forum/threads/hong-kong-dash-research-and-planning-by-evan-duffield.15492/
Just to be clear, even the Googles and Facebooks have bug bounties, and they do find some serious bugs which their dev teams miss.
In short, please vote a BIG YES.
This is absolutely needed in any tech development at this stage of the game.
This is a clear YES for me.
What about others developing for example wallet software, POS systems, ATM software, etc?
Do you actually need the Core developers' consent to start bug hunting https://github.com/dashpay?
Let me conduct a test: Core - in the process of developing DashTreasury.org and creating automation tools for Amanda's #firstdashwallet campaign, we discovered at least one bug. Is there someone in particular we should submit this information to?
I suggest reporting your bug directly to Andy Freer -- andy@dash.org.
https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/#post-130577
If that isn't good enough, I have to respect your decision, but it means that we will not have a bug bounty program in place for the launch of Evolution. We won't be able to claim the safety and security that is provided by a well-funded bug bounty program.
I will let Andy and Ryan know about your request, but they have been very supportive and I don't expect any more than what they have already expressed.
----------------------- my legit check -----------------
https://bugcrowd.com legit
Andy Freer legit
Andy Freer makes jimbursch legit here https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/#post-130577
seems in order to me
yesses from me
The case can be made that it is better for someone outside of the Core Team to audit the Core Team code.
Either way, the Core Team will be fixing the bugs, and the bug bounty program will be working closely and cooperatively with the Core Team.
"Hi There
Just to confirm that I've chatted with Jim and the core devs about this proposal and in its current form on DashCentral the core devs are happy to collaborate as needed with the proposal if the network approves it.
Cheers
Andy"
https://www.dash.org/forum/threads/pre-proposal-dash-bug-bounty-program-by-bugcrowd.15321/#post-130577
solarguy2003
But I do not see a reason why a third party should initiate it for that amount of money ($60k/mnth).
Secondly I don't get why the proposal covers only three months but the bounty program would run one year.
Lastly, I miss some transparency over the real cost distribution, especially how much goes to DashBudgetWatch and how much goes to BugCrowd.
Since DashBudgetWatch is another project of jimbursch (proposal owner), it looks like he found a profitable way to fund his DashBudgetWatch project.
The DashBudgetWatch portion is 5% for managing the program over the year. It takes time and work to manage the relationship with BugCrowd and coordinate with the Core Team.
Another reason for the 3-month payout is so that MNOs can assess progress as the program ramps up.
Not sure if you are referring to me or BugCrowd when you say "third party."
This guy gets it. I have no idea if this is the best way to do a bug bounty program, but it seems as good a shot as anything else going (I am not aware of anything else going), so voting yes.
It will be made clear to BugCrowd that testing of exploits on the mainnet is prohibited by this program.
It focuses on a serious technical threat of misusing the mistakes in the software that implements and provides DASH by incentivising finding and removing the mistakes/bugs.
The proposal can only strengthen the very foundation of what we are all bickering about here.
Misuse of existing mistakes in DASH software may lead to serious or even fatal consequences, so evaluating this aspect/issue in dollars or dash is very hard.
Therefore arguments regarding the amount of funding are dubious.
Since the budget does not limit other proposals I would not attack the amount.
One year duration is a good starting period for a bug hunting program.
The aimed property of "crypto-currency with the best funded bug bounty program", which is stated in the proposal, even provides a potential for many of those talks and marketing efforts.
There is a very high probability BugCrowd will be willing (or even eager) to host a bug hunting program for DASH, because it does not require any new type of agreement, integration or development (it is just what they do already).
Why BugCrowd? I do not know, but the choice is BugCrowd or HackerOne.
Since companies usually decide to run their bounty on only one of these platforms at a time, most code researchers ultimately decide to check out both platforms as the best way to maximize their exposure to as many bounties as possible.
BugCrowd has about 60k researchers and HackerOne a bit more (I think).
The weakness seems to be collaboration with developers of DASH related software packages, because they will be the actual users (customers) of the bug hunting.
This proposal should definitely get through, unless DASH software developers specify a reason why NOT.
In fact, while understanding those abstaining from voting for this, I do not see any reason for voting against it.
I spoke to both BugCrowd and HackerOne and they both offered a comparable price and program. I selected BugCrowd because they were the most responsive and flexible, which is an important consideration since we are dealing with unprecedented accounting, contracting and legal issues related to Dash, a DAO and crypto currencies in general.
And just to reiterate, I am in communication with Andy Freer and we will be closely coordinating the bug bounty program with the dev team.
BugCrowd Vulnerability Rating Taxonomy
https://www.dash.org/forum/attachments/bugcrowd-vulnerability-rating-taxonomy-pdf.4215/
Any unused funds left over after 1 year will be rolled into an extension of the program, possibly for another year, or barring extension of the program, will be donated to an appropriate outlet selected by the Dash community.
Thanks for putting the proposal together.
I am most active in the Dash community on Dash Forum. I suggest asking around there about my reputation. @tungfa knows me through the forum.
Also, here is an article on Dash Force News that includes a video of me:
https://www.dashforcenews.com/dash-budget-watch-seeks-polish-treasury-proposal-process/
Andy Freer:
"Hi there,
I can confirm that I've corresponded with Jim. Without commenting on the specifics of this particular proposal, the Core devs believe incentivizing finding of bugs will result in fixing more bugs and get more devs involved, and we're happy to cooperate with any bug-bounty program in which the details are well specified regarding determining whether a bug is valid, severity of bug, and on what metric payouts would be made, and responsible disclosure is followed.
Best,
Andy Freer"
( Plus I think that Andy Freer is very much from Core: https://www.dash.org/team/ )
But I agree that somebody from Core should express their opinions about why NOT this proposal.
https://youtu.be/O2CyHOsDVf8
https://youtu.be/CDzjI3avLZs
It's only 60k/month for 3 months, which will pay up front for the whole 12-month program.
Paying up front enables me to negotiate a better deal with BugCrowd and eliminate any concern on their part about USD/Dash exchange risk.
If DashBudgetWatch succeeds as I envision it, in the future I will be able to separate my role as project leader and director.