Pre-Proposal: Dash Bug Bounty Program by BugCrowd

[jimbursch]

<EDIT> This proposal has been submitted:
https://www.dashcentral.org/p/Dash-Bug-Bounty-Program-by-BugCrowd

Manually vote on this proposal (DashCore - Tools - Debugconsole):
gobject vote-many 76bd96f8c83b16ef06c4cf2527501d97f7c34762ad0fd2e47cedcd754f193522 funding yes

The amount of the proposal has been changed from pre-proposal to proposal due to USD exchange rate change.
</EDIT>


Pre-Proposal: Dash Bug Bounty Program by BugCrowd

Dash can and should have the best funded bug bounty program of all crypto currencies. With a robust bug bounty program, Dash can rightly make the following claims:

• Dash code is the most secure because we offer the highest bounties to skilled developers to review infrastructure code.
• Dash is the safest because hackers (white/gray/black) are incentivized to disclose hacks in a manner that is safe and discrete, instead of exploiting or selling hacks.

BugCrowd (https://bugcrowd.com) is the leader in crowdsourced security testing and will connect Dash to a crowd of tens of thousands of security researchers to identify critical software vulnerabilities. With a fully-managed program, Dash can harness the expertise of BugCrowd to manage the Dash bounty program in the safest, most secure and efficient manner.

3 monthly 300-Dash payments (900 Dash total)

This is a proposal for 900 Dash in 3 monthly payments (300 Dash/month $54k at $180 USD/Dash) to establish a fully-managed bug bounty program with BugCrowd for one year, which will be in place through the launch of Evolution.

DashBudgetWatch will manage the relationship with BugCrowd over the course of the year on behalf of Dash. Jim Bursch (@jimbursch), the director of DashBudgetWatch, will coordinate the bug bounty program with the Core Team to ensure that any vulnerabilities are safely reported and addressed.

This proposal includes the following items:

• BugCrowd management fee for 5 Dash applications for 1 year
• Reward pool (bounties fund)
• BugCrowd Crowdcontrol Platform (triage, researcher matching, validation, payout)
• DashBudgetWatch management fee (includes proposal fee)
• Prudent reserve (funds set aside to mitigate Dash/USD exchange risk)

BugCrowd and DashBudgetWatch will issue detailed monthly reports of program activity. Where necessary, private reports will be given to the Core Team about any critical vulnerabilities that may be discovered.

About BugCrowd

Philip Da Silva is the representative from BugCrowd who is handling the Dash account. He will be available on this forum to answer any questions about BugCrowd.

About DashBudgetWatch

DashBudgetWatch (https://fundchan.com/dashbudgetwatch) is a project of @jimbursch, who has been an active member of the Dash community for several months. He founded the Los Angeles Dash Users Group and developed the Simple Dash Invoice (https://github.com/jimbursch/simple-dash-invoice). He is also the founder/developer of FundChan.com: funded channel messaging, which is denominated exclusively in Dash.

Addendum

Added 2017/06/21 -- Any unused funds left over after 1 year will be rolled into an extension of the program, possibly for another year, or barring extension of the program, will be donated to an appropriate outlet selected by the Dash community.

Added 2017/06/21 -- It will be made clear to BugCrowd that testing of exploits on the mainnet is prohibited by this program.

Added 2017/06/26 -- In response to a concern raised by the PEC, DashBudgetWatch and Jim Bursch will not be acting as an information escrow. The Core Team will have direct access to the BugCrowd platform and it is our goal to integrate BugCrowd with the Jira issue-tracking system utilized by the Core Team.

 

[jimbursch]

I have corresponded with both Ryan Taylor and Andy Freer of the Core Team and they have expressed support for a Dash bug bounty program and will cooperate with the program to address any vulnerabilities or bugs that are discovered.

 

[AndyDark]

I have corresponded with both Ryan Taylor and Andy Freer of the Core Team and they have expressed support for a Dash bug bounty program and will cooperate with the program to address any vulnerabilities or bugs that are discovered.

Hi there,

I can confirm that i've corresponded with Jim. Without commenting on the specifics of this particular proposal, the Core devs believe incentivizing finding of bugs will result in fixing more bugs and get more devs involved, and we're happy to cooperate with any bug-bounty program in which the details are well specified regarding determining whether a bug is valid, severity of bug, and on what metric payouts would be made, and responsible disclosure is followed.

Best,
Andy Freer

 

[jimbursch]

Thanks @AndyDark!

in which the details are well specified regarding determining whether a bug is valid, severity of bug, and on what metric payouts would be made, and responsible disclosure is followed.

I'm going to have the BugCrowd reps address specifics of the program since they have much greater expertise than I. As you can see from the videos, they have a phenomenal platform and by utilizing their fully-managed program, we are able to tap in to their depth of experience.

 

[Philip da silva]

Hi,

My name is Philip Da Silva and I cover the Dash account. I'm happy to discuss Dash Bug Bounty Program in more details.

Before launching the program Bugcrowd will work with the Dash team on creating the Program Brief- Program Guidelines for the security researchers to follow. For examples, check out the Bugcrowd website "programs" page some public examples.

Bugcrowd’s Technical Operations Team (in-house Application Security Engineers) will handle all bug Triage and Validation. Any time a researcher submits a bug in the Dash Program, our Tech Ops team will take a look at the bug, make sure it’s valid, in scope, applicable, not a duplicate, assign a priority rating from P1 - P5 based on impact score, and the steps taken to reproduce the bug. Once our Tech Ops team has done their due diligence, we will send the bug to the Dash Development Team for confirmation and remediation.

Bugcrowd will provide Dash with our Vulnerability Rating Taxonomy which is a guideline for the researchers and Dash to follow on how to Prioritize Bugs based on Severity. I've attached our VRT for reference. Again, the VRT is a guideline that we provide our customers, but Dash has the ultimate authority to determine what you consider a P1 (business critical vulnerability) to a P5 (information bug).

Bugcrowd will also provide Dash with the Defensive Vulnerability Pricing Model which is another useful guideline for Dash to follow on Market Rate Prices for bugs.

Bugcrowd’s Customer Success Team will consult with Dash prior to launching the program to determine all program information for the researchers to follow. All this information will be included in the Dash Program Brief so the researchers have a guideline to follow when they begin to participate in the Dash Program.

The Dash Program will begin in Private, meaning it will not be advertised on the Bugcrowd website. Since the Dash Program will begin in Private, only security researchers from Bugcrowd’s Elite Private Tier will be invited to participate in the Dash Program.

Please let me know what other specific questions I can address!

 

[Philip da silva]

Attached please find the Bugcrowd Vulnerability Rating Taxonomy!

 

[tagawa]

Very good idea - I'm surprised it hasn't been proposed already.

Quick question: Have other bounty platforms been considered such as Open Bug Bounty or HackerOne? I'm not saying it's a bad choice, just making sure all options have been looked into.

 

[jimbursch]

I considered other platforms and looked closest at HackerOne and BugCrowd, and settled on BugCrowd because they were so responsive to my needs. As you can imagine, we are breaking new ground here and we need to work with a leading company that can be flexible and creative in dealing with the business issues that arise.

 

[tagawa]

Good to hear. Thanks for the quick reply @jimbursch.

 

[TheSingleton]

The hight cost was a bit of a turn-off but I guess you shouldn't be cheap when it comes to security and reliability so overall a Yes from me.

 

[jimbursch]

Depending on how you look at it, the high cost is also a feature, supporting the claim that Dash will have the best-funded bug bounty program in all crypto currency.

The biggest variable in the cost is the fund for bounties. If we don't find vulnerabilities, we save money, but if we do find vulnerabilities and get them fixed, we will be very glad we had the funds.

 

[martinf]

Thanks for putting together this pre-proposal. It will get my vote for sure.

 

[tagawa]

If we don't find vulnerabilities, we save money, but if we do find vulnerabilities and get them fixed, we will be very glad we had the funds.

That raises a good question about what would happen in the case of unused bounty. Would it be returned, earmarked for future use, or some other plan?

Sorry for so many questions but I figure they're likely to come up at the proposal stage anyway.

 

[jimbursch]

If at the end of a year of the program we have unused funds we will have several options. The most likely is that we will use the funds to continue the program. Dash development will continue, and so will the need for the bounty program to help maintain the security and safety of Dash.

 

[tagawa]

Makes sense - thank you.

 

[jimbursch]

Thank you! to our DashBudgetWatch backers who put up the funds for this proposal. It has been submitted here:
https://www.dashcentral.org/p/Dash-Bug-Bounty-Program-by-BugCrowd

For more about DashBudgetWatch, go here: https://fundchan.com/dashbudgetwatch

 

[AndyDark]

Hi There

Just to confirm that i've chatted with Jim and the core devs about this proposal and in it's current form on DashCentral the core devs are happy to collaborate as needed with the proposal if the network approves it.

Cheers
Andy

 

[jimbursch]

Thanks @AndyDark !

 

[Tallyho]

Proposal Evaluation Committee​

Edit: An updated report was posted on 27th June. Please see here for the latest PEC report https://www.dash.org/forum/threads/...-program-by-bugcrowd.15321/page-2#post-131211

Hi jimbursch,

Here is your first PEC Report.

Couple of notes:
• There is NO pass/failure mark. The percentage simply allows us to create a Prioritized List of Evaluated Proposals. The idea being that a MNO with very little time can concentrate on Proposals at the bottom of the list only. MNO’s with more time will obviously look at all proposals as per normal.
• The evaluation also enables the Evaluators to look for scammers etc and red-flag a proposal that is a possible danger to Dash. They have more time and tools to look for the tell-tale signs.
• How did the Evaluators decide on marks: PEC Evaluator Guidelines https://goo.gl/Futw1d
• MNO’s have been very lenient in the past. So even if you have, what you might consider a low mark, you might still pass the Vote
• Most Important: The evaluation is to give you an idea of where you can improve your proposal to have a better chance of earning MNO votes.

When you improve your proposal, please color all new material in red and don’t delete any word/sentence, but use strike through. This will make it easier for the evaluator to find changes, when she or he re-evaluates your improved proposal. The MNO’s will also so be interested to see what you changed to improve your proposal.

Since you were unlucky enough to submit your Pre-Proposal just as the PEC started, you had a handicap: You did not know the importance of the Dash Project Proposal Template https://goo.gl/m0jgfS . This Template was created some years ago by the MNO’s to get all the information that they need to make an informed decision. It is also the easiest way for you to earn extra marks. If your proposal did not cover a question in the Template – just put the Heading and answer in your detail doc. If your proposal does cover the question: Just put the Heading with the words: See original Proposal.
E.g.: Project Scope - Milestones and Schedule: See original Proposal.

We know this is a painful bureaucratic exercise, but once you’ve done your improvements for this 1st one, the next couple of improvements (maybe just one?) will be easy, and of course – you are bound to have more proposals in the future!

Good luck!

 

[jimbursch]

Thanks @Tallyho for your evaluation.

Re: costed breakdown -- The breakdown is subject to negotiation with BugCrowd, and I am not in position to make a final agreement until the proposal is funded. This is further complicated by the instability of Dash/USD price, which can swing radically in either direction over the 3-month payout period. I understand the need for transparency, but we also need flexibility to negotiate the best deal for Dash. My goal is to limit the BugCrowd management fee to 40% and the DashBudgetWatch fee to 5%, with the remainder to fund the bounties, but there are many variables that need to be factored. For example, the scope of the program may need to change with the launch of Evolution. All this requires flexibility.

Re: communication with Core Team -- details will be worked out as we ramp up the program, but you should know that I am in direct communication with Andy Freer, Core Team CTO and he has pledged cooperation and support if the proposal is passed. The BugCrowd platform will be able to integrate with the Jira issue tracking system used by the Core Team.

I hope this will pick up a few more points for the proposal!