Dash Bug Bounty Program

jimbursch said:
Hi @demo

Good catch! Thank you for reporting this issue. I see that @UdjinM6 reviewed the issue, gave it a thumbs-up and a fix has been submitted.

I will give this a P4 priority rating, which has a bounty range of $100-$500 USD (see https://bugcrowd.com/dashdigitalcash). Does 0.5 Dash sound like a reasonable bounty? If so, private message me your Dash address and I will send you the bounty payment.

Thanks again for strengthening Dash by reporting this bug.
Click to expand...

Whatever tip you decide to give me, its fine for me!
My address is always public as shown in my profile, because it will be used for the universal dividend foundation.
So please send the tip there:

dash:XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX

To be honest. The bug I discovered is totally insignificant, because it doesnt affect the system during the runtime. It is just a nuisance during the compilation. This nuisance can be avoided if you upgrade to qt > 5.2, which can easily be done by almost everyone (except the ones who are using really old computers or the ones who are using unflexible embedded hardware devices). Fortunately after @UdjinM6 fixed the bug, not even this nuisance exists anymore. In conclusion, 0.5 dash is more than enough as a reward for the discovery of this bug.
 
Last edited:
Here is an update on the Dash Bug Bounty program.

No bounties have been paid out either directly or through the Bugcrowd platform in the last month.

Most of the activity on the Bugcrowd platform has been with Dash Messaging (https://d-msg.com), where 10 minor vulnerabilities were reported and resolved. The Dash Messaging bug bounty program does not pay out cash bounties, so it costs us nothing when bugs/vulnerabilities are found. Researchers are rewarded with Bugcrowd's internal points system ("kudos").

With the release of Dash Core 12.2 at least three issues that involved the Dash Bug Bounty program have been resolved:

jimbursch said:
potential quorum exploit method
https://www.dash.org/forum/threads/...due-to-potential-quorum-exploit-method.16492/
Click to expand...

Thanks to @codablock!

demo said:
I discovered this tiny unimportant bug
https://github.com/dashpay/dash/issues/1671
Click to expand...

Thanks to @demo!

jimbursch said:
listreceivedbyaddress includes send addresses
https://github.com/dashpay/dash/issues/1576
Click to expand...

Thanks to me!

I will be working with Bugcrowd to get renewed interest from researchers to test 12.2.

The Bugcrowd Dash Bug Bounty program will expanded with the release of the Dash CoPay wallet, which will hopefully be happening within a month or so (just guessing).

As a reminder, the Dash Bug Bounty program on Bugcrowd is located here:
https://bugcrowd.com/dashdigitalcash

We do pay bounties outside of the Bugcrowd program when they are appropriately reported and assessed by the Core Team.

Feel free to contact me any time with questions, comments or suggestions.
 
Only one bug report has been submitted on Dash Core since I last posted an update, and that report was evaluated to be more of an anomaly in the code, not a bug or vulnerability.

There were several more reports submitted on Dash Messaging -- all minor, but much appreciated since they help to secure and improve the service.

If anyone wants further details, feel free to message me directly, either here or https://d-msg.com/jimbursch

We are preparing to add the Dash Copay wallet to the Bugcrowd platform, when the Copay wallet is released. I am coordinating with the Dash Copay team, led by @Chuck Williams . When the Public Beta Testnet version of the Dash Copay wallet is released we will be launching the Dash Copay Bug Bounty Program privately on the Bugcrowd platform. This means that Bugcrowd will be inviting selected/trusted researchers to examine the code and try to find bugs/vulnerabilities.

I expect that the Copay bounty program will go like the Dash Core program, which means that there will be very few (if any) reports. This is because we are dealing with very sophisticated/complex code that has already been well tested and vetted. I think there are few Bugcrowd researchers who have the expertise to really tear apart the code. This is in contrast to Dash Messaging, which is a web app that is exactly what Bugcrowd researchers love to hack.

This means that the primary value of the Dash Bug Bounty program is its PR value -- the reassurance it offers to users that the code is secure.

With that in mind, I am working on a PR campaign to coincide with the release of the Copay wallet. The target audience for this campaign is:

1. Dash Copay wallet users who are reassured that the wallet is backed by the best funded bug bounty program in all cryptocurrency
2. Researchers/hackers who would like to test the security of the Dash Copay wallet, and do so in a responsible manner.

With the rise of the price of Dash we have funding available in the budget to pay for a high quality, professional campaign. And we will be able to partner with Bugcrowd on this campaign, leveraging their resources.

I will be starting a separate thread for details and updates about this campaign.
 
jimbursch said:
Thanks @UdjinM6

Just to confirm, it's @sidhujag who should be rewarded?

On a scale P1-P4 (see https://pages.bugcrowd.com/hubfs/PDFs/Bugcrowd-Vulnerability-Rating-Taxonomy.pdf) where would you put this issue?
Click to expand...
I'm not sure if it fits in any of these... I'd say it's more critical than RPC or compilation issues because it's a network-wide one on p2p-level but less critical than IS because there is no financial risk or network split risk and it can't be exploited directly, it's more like slight network misconfiguration causing some network disagreements for a relatively sort period of time but still pretty annoying for developers who were trying to figure it out :)
 
@UdjinM6
- sounds like it is between P3 and P4. Here is the reward scale in USD:

P1 $5,000 - $10,000
P2 $1,000 - $5,000
P3 $500 - $1000
P4 $100 - $500

How does $500 sound?

I'm having difficulty reactivating my bitcointalk account. Can you contact @sidhujag and have him/her contact me here on Dash Forum? I just need a confirmed Dash address to send the reward. You will have to help confirm the address since anyone watching this conversation could impersonate @sidhujag.
 
jimbursch said:
@UdjinM6
- sounds like it is between P3 and P4. Here is the reward scale in USD:

P1 $5,000 - $10,000
P2 $1,000 - $5,000
P3 $500 - $1000
P4 $100 - $500

How does $500 sound?

I'm having difficulty reactivating my bitcointalk account. Can you contact @sidhujag and have him/her contact me here on Dash Forum? I just need a confirmed Dash address to send the reward. You will have to help confirm the address since anyone watching this conversation could impersonate @sidhujag.
Click to expand...
What is $? Make it 1 DASH :D
No problem. I contacted him and asked if he is interested in the first place. If yes, I'll send you his Dash address in PMs.
 
My apologies for the delayed update.

Since my last update we have paid out 4 bounties to researchers who have responsibly and discretely reported issues to us.

0.5 Dash was paid to a researcher who alerted us to a git repository that was publicly exposed on the dash.org domain, which could be hacked in a way that exposed credentials to access a MySQL database. This was a minor issue since the MySQL database in question did not contain sensitive information that was not salted/hashed. Nonetheless, it is concerning when credentials are exposed. Initially the researcher reported this issue through the Bugcrowd platform, which we received as information-only since the dash.org domain falls outside of the scope of the Bugcrowd program. The researcher followed up with additional information reported directly to the Core Team via email [email protected]. This led to closer examination of the issue and corrective action.

0.5 Dash was paid to a researcher who discovered a bug in a CRM package that was being used on the dash.org domain, which exposed a MySQL database. Like the above issue, this was minor because the no sensitive data could be obtained from the database. The CRM package has been disabled.

0.75 Dash was paid to a researcher who reported that we were running an out-of-date version of the Bamboo deployment server, which contained a vulnerability that could compromise Dash binaries. The solution was simply to update the server software.

The above bounties involved only support systems for the Dash Core Team, and did not involve the Dash protocol or wallet software.

On January 17th the Dash Copay wallet for Android, testnet, was added to the Bugcrowd bounty program. Initially the program is launched privately for invited, elite researchers with whom Bugcrowd has established relationships. Over the following weeks, more researchers are invited to the program until we decide to open the program to the public.

Today we paid a $700 bounty through the Bugcrowd platform to a researcher who reported that a function was left in debugging mode, which led to the private key being recorded in a log file upon wallet creation. Because it would be extremely difficult/almost impossible for an attacker to access the log, it was determined that this issue poses very low risk. Nonetheless, a private key should not be recorded in a log. The fix was simple.
 
Hello Dear @jimbursch ! My name is Zasinets Alexander. I are experts in the field of security and protection of sites from various threats. I found on your website threats. Please, if I will send the report on the security of your sites . You can pay my work to find threats to your website?
 
Last edited by a moderator:
Hi @BARADED

Thank you for your interest in helping to secure Dash!

There are a couple of different ways you can get involved and possibly earn a bounty payment.

- You can join the Bugcrowd platform and submit vulnerability reports here: https://bugcrowd.com/dashdigitalcash
- You can report vulnerabilities directly to the Core Team by email: [email protected]
- Or you are welcome to submit a report directly to me via private message on this forum.

Vulnerability reports are evaluated to determine their level of risk and bounties are paid out accordingly.
 
Hello Dash community

Here is an update on activities with the Dash Bug Bounty Program.

Since the last update we have paid out only one bounty:

1.0 Dash was paid to a researcher who reported a problem in Sentinel that could potentially be used to trip all masternodes into watchdog_expried status. This was given a low/medium priority because the probability of a successful attack was considered low due to validation checks in place. Nonetheless the problem warranted a code change and a bounty was paid to reward the researcher for reporting the issue. This issue was reported through private messaging on the Dash Forum.

In December of last year, when Dash was seeing record high prices, I decided that it would be a good opportunity to take advantage of the price to engage a PR firm to help promote the Dash Bug Bounty Program. Since Amanda Johnson was working with PMBC Group and they are located here in Los Angeles, and they accept Dash, I entered into a six-month engagement with them to promote the Dash Bug Bounty program, as well as other Dash-related activities. Here are some results of their work:

February 19, 2018: “School for Startups Radio” : DASH Cryptocurrency with Jim Bursch
February 21, 2018: Insurance Business America (168,100 monthly visitors): Virtual sheriffs in the wild, wild west of digital currency
February 25, 2018: Bitcoin Warrior (36,300 monthly visitors): Threat Profile: Knowing yours is the first step to improving online security
January 26, 2018: Rescue a CEO (CEO Blog Nation) (21,000 monthly visits): “ 14 Entrepreneurs Explain Best Industries To Start a Business in 2018
January 25, 2018: Digital LA: “Cryptocurrency Beyond Bitcoin: Ethereum, DASH, EOS, and new ICOs”.

This is proving to be a very good investment and we can expect to see a lot more coverage in the coming months.

Also due to the substantial increase in the value of Dash, I have decided that it is unwise for my Dash-related business activities be conducted as an individual, and that it would be wiser to engage in these activities under a corporation. To that end, I have created a Delaware C corp called FundChan Inc. and I have transferred all Dash-related assets to it. So, from a legal/business standpoint, the Dash Bug Bounty Program is now being operated on behalf of Dash by FundChan Inc.

Finally, I have received a proposal from Bugcrowd to extend our agreement with them for another year at a substantial discount, which is essentially an incentive to renew early, since our current agreement does not end until August. To take advantage of this proposal now, I would have to submit a Dash Budget proposal valued at approximately $100,000. I will start a discussion in the Pre + Budget Proposal forum to see if this is something the community would like to do.
 
After having a good talk with @QuantumExplorer , who now leads the mobile dev team for Dash Core, we are making some changes to our setup with Bugcrowd.

On the Bugcrowd platform, we can cover five applications (4 cash bounties, 1 free kudos-only). Originally my plan was to use those slots for Dash Core wallet, and three Copay wallets (Android, iOS, Windows). After my discussion with @QuantumExplorer , we have decided to allocate one slot to the Dash iOS wallet and one to the Dash Android (@HashEngineering) wallet. The free kudos-only slot is filled by Dash Messaging.

These changes will be going live soon. Since the Dash iOS and Android wallets are already live, these bounty programs will be launched to the public from the beginning (normally new additions are initially launched privately to invited researchers).

It should be noted that the Dash Bug Bounty program is not just limited to the apps we cover on the Bugcrowd platform. All Dash products and critical systems are covered by the Dash Bug Bounty program and we will pay a bounty for validated vulnerabilities that are reported discretely and responsibly. Reports can be made to Core Team directly using the email address: [email protected].
 
jimbursch said:
The Dash Bug Bounty Program with Bugcrowd now includes the Dash iOS wallet and the Dash Android (@HashEngineering) wallet. You can view the program brief here:
https://bugcrowd.com/dashdigitalcash

The bounty program for the Dash Copay wallet has been paused temporarily.
Click to expand...


Dash Wallet
Have your Dash always with you, in your pocket! You pay by quickly scanning a QR code. As a merchant, you receive payments reliably and instantly. Dash Wallet is the first mobile Dash app.

Access:
iOS: Here
Android: Here
Click to expand...

The url of the android wallet you gave us, is invalid. Does this count as a bug? :p
 
You must log in or register to reply here.
Back
Top