Proposal “DashBugBounty-Bugcrowd_1-year_renewal” (Closed)
Title: Dash Bug Bounty - Bugcrowd 12 month renewal
Owner: jimbursch
One-time payment: 250 DASH (10693 USD)
Completed payments: 1, totaling 250 DASH (0 months remaining)
Payment start/end: 2018-03-19 / 2018-04-18 (added on 2018-03-19)
Votes: 755 Yes / 110 No / 31 Abstain
External information: www.dash.org/forum/threads/proposal-dash-bug-bounty-bugcrowd-12-month-renewal.31962/
Proposal description
In August 2017 we launched the Dash Bug Bounty Program with Bugcrowd, a one-year program that will be up for renewal in August 2018. For updates on the program, see https://www.dash.org/forum/threads/dash-bug-bounty-program.16100/
As an incentive to renew early, Bugcrowd is offering a substantial discount. This is a proposal for funding to take advantage of this discount and renew our agreement with Bugcrowd to extend the program to August, 2019.
Requested amount: 250 Dash
At an exchange rate of $400, the value of this proposal is $100,000.
Use of funds
80% of the requested funds will be paid to Bugcrowd for the following:
- BugCrowd fee to include 5 Dash applications for 1 year
- Reward pool (bounties fund)
- BugCrowd Crowdcontrol Platform (triage, researcher matching, validation, payout)
- Management expenses by Jim Bursch
- Reserve to mitigate exchange rate risk (falling Dash price)
- Proposal fee
Renewal of this program will keep the Bugcrowd platform in place for the first year of operation of Evolution, which is expected to launch this summer.
If you have questions about the performance of the Dash Bug Bounty Program for Dash, I encourage you to review the update thread that details how the program has operated to date: https://www.dash.org/forum/threads/dash-bug-bounty-program.16100/
I am happy to answer any questions and welcome feedback.
Discussion: Should we fund this proposal?
Great job, Jim, taking care of this. We found many bugs and sure have to stay on top of this.
Thank you for your proposal.
I think promotion through Bugcrowd should be delayed until Evolution is out.
When a bug/vulnerability is reported through Bugcrowd, the bounty is paid in USD. When we receive a report outside of Bugcrowd, we pay the bounty in Dash. FYI - the contract with Bugcrowd is paid in Dash.
The fact of the matter is that we cannot predict what the price of Dash will be in June/July. Back in December, when the price was well over $1000, would you have predicted that it would be around $400 in March?
If this is going to run again, you need to get a better bang for our buck by at least getting this plastered on all social media, and some more substantial press. Perhaps throw some of the extra funds towards paid ads in hacker subreddits while they last.
Have you considered that more bugs have not been found because more bugs do not exist? That, in fact, the code is pretty secure?
Dash code is sophisticated and requires review by expert programmers. It is not something that script kiddies can just take a whack at and tease out a bunch of bugs.
We have not "spent" our "resources." The Dash Bug Bounty Program is well funded to continue indefinitely. This proposal is for funds to extend the Bugcrowd agreement for an additional year to August, 2019. In my judgment it is better to seek additional funding rather than deplete the bounty fund.
However, your point that there needs to be more PR for the program is a good one, and that is something that we are addressing.
So, yes, we can continue to operate the Dash Bug Bounty Program for "free" indefinitely, as long as the bounty fund holds out.
But we receive substantial benefits from the association with Bugcrowd. They have a relationship with thousands of researchers through their platform, including hundreds of high-level researchers, including elite hackers.
The most serious vulnerabilities we have encountered have come through Bugcrowd.
I was in support of last year's bounty program, but I expected something more vibrant. Thank you, Jim.
That being said, I agree that this bounty program was very poorly promoted, especially because it includes a lofty management fee from jimbursch. I'd have expected he'd make an ongoing effort to promote this bounty program, but the lack of payments made kind of indicates it was running passively. Correct me if I'm wrong. Thanks for the effort and intentions in any case.
See my reply to @papatierra -- we're working on it, and have made progress!
You are absolutely right about the importance of getting the word out and we are working on that.
Take a look at this update post:
https://www.dash.org/forum/threads/dash-bug-bounty-program.16100/page-2#post-172424
And this post:
https://www.dash.org/forum/threads/podcast-featuring-jim-bursch-on-dash-dash-messaging-and-bug-bounty.31654/
There you will see a list of media outlets/posts/articles/podcasts that came as a result of the work of PMBC, a PR firm that we hired in January to help get the word out about the Dash Bug Bounty Program. That is just the beginning as they have a lot more planned.
We also have more ideas in the pipeline to help get the word out. I have registered the domain StealMyWallet.com which we may use as part of a PR campaign. If you google it, you will see that it was used in the past to highlight the security of Bitcoin.
If the budget allows this month, I'll vote yes on this and thanks again for the thoughtful answer.
Over 50 vulnerabilities have been reported through the Bugcrowd platform and were screened by Bugcrowd engineers. Bugs that don't qualify for a bounty are either duplicate, out-of-scope, or sometimes we are not able to replicate what is being reported.
Priority | Severity | Reward
P1 | critical | $5,000 - $10,000
P2 | high | $1,000 - $5,000
P3 | medium | $500 - $1,000
P4 | low | $100 - $500
With the Bugcrowd platform, 5 applications are covered (4 cash bounty, 1 kudos-only). Up until this month, the plan was to cover Dash Core and 3 Copay wallets (Android, iOS, Windows). But after consulting with QuantumExplorer, who now leads Dash's mobile team, we have decided to allocate the slots to Dash Android (the HashEngineering wallet), Dash iOS, and Dash Copay Android. Those should be launching within a week or two.