Pre-Proposal: Dash Bug Bounty Program by BugCrowd

jimbursch said:
Last week I signed the customer agreement with BugCrowd and this week they are working on opening an exchange account so that they can accept payment in Dash. Once we have made the first payment, we will be set up on the BugCrowd platform and we will be writing a bounty brief that defines the scope of the program and the parameters of bounty payouts, along the lines of their taxonomy of vulnerability rating:

https://www.dash.org/forum/attachments/bugcrowd-vulnerability-rating-taxonomy-pdf.4215/
Click to expand...

The taxonomy of bugcrowd is not applicable to the Dash purposes. The bugs of Dash should be discovered in the stable version of code that resides into github. They are logical bugs and design bugs, not server configuration bugs. ( I have already point to several logical and design bugs, for example the design choice to use an interpreted language in sentinel is a serious design bug).

Do not accept paying bugcrowd for "Server Security Misconfiguration" e.t.c.. Tell them that only if they discover bugs in the stable version that resides into github, this is acceptable. Whoever claims to be a Dash bug evaluator, should start by compiling the source code of Dash, then discover bugs related to the code.

The real testers are people who read the code and discover bugs that way, not the ones who perform a million automatic tests and discover bugs based in pure chance. Whoever is unable to read the code, cannot be named a real tester. Instead of paying the stupid test monkeys better buy the automatic test software they are using. Please pay only the real testers. I hope that @flare and @UdjinM6 agree with that.

 
Last edited:
Thanks @demo -- I'll make sure your points are included in the bounty brief.

The first application that will be included in the program is the "protocol" as defined here:
https://github.com/dashpay/dash

The next application will probably be the Copay wallet when it is released. We can add several more applications, as the budget allows.
 
Hello @jimbursch

I just wanted to say thank you for taking up this idea and working in this direction. I believe that this is one of the important points for the full-fledged growth of the project. Good luck to you and everyone who is involved and leads Dash to success.
 
jimbursch said:
Thanks @demo -- I'll make sure your points are included in the bounty brief.

The first application that will be included in the program is the "protocol" as defined here:
https://github.com/dashpay/dash
Click to expand...

Ok.
When bugs are discovered by BugCrowd, and before pay them, post the bug (timestamped and signed by Bugcrowd's digital signature) here in this forum thread and in github's issues page.

This is because some serious (mostly design and protocol) bugs and deficiencies (for example: the veritas team, separate the vote layer, randomness in mn payee e.t.c.) are already reported in the forum and in github issues, so it is not appopriate to pay people for known bugs and deficiencies.
Only in case there is no one which can prove that the BugCrowd discovered bug is not an original one, you should pay BugCrowd.
I hope that @flare and @UdjinM6 agree with that.
 
demo said:
Ok.
When bugs are discovered by BugCrowd, and before pay them, post the bug (timestamped and signed by Bugcrowd's digital signature) here in this forum thread and in github's issues page.

This is because some serious (mostly design and protocol) bugs and deficiencies (for example: the veritas team, separate the vote layer, randomness in mn payee e.t.c.) are already reported in the forum and in github issues, so it is not appopriate to pay people for known bugs and deficiencies.
Only in case there is no one which can prove that the BugCrowd discovered bug is not an original one, you should pay BugCrowd.
I hope that @flare and @UdjinM6 agree with that.
Click to expand...

we can even put the copy of know bugs on dash blockchain so that there is no confusion absolutely
 
Dashmaximalist said:
we can even put the copy of know bugs on dash blockchain so that there is no confusion absolutely
Click to expand...

Not all the reported bugs are considered as bugs by the core team.

For example the randomness in mn payee selection is not considered by the core team as a known bug. Let the Bugcrowd company investigate freely and without any hints, and if they come here with a bug related to mn payee selection caused by a hacked /dev/random device, then it will be hard for the core team to deny the bug, once again.

We trust nobody. This is the motto, isnt it?

Dont trust the core team to give a list of known bugs to the bugcrowd company. They may add or delete some bugs from the list, they may also generalize some known bugs, for their own benefit (which is, a small amount of bugs to be discovered).

Let bugcrowd to investigate with a clear and objective mind, without hints or tips. And if they discover a bug already reported in the forum or in github which the core team denied its existence, then this will be a minus point for the core team.

I hope that @flare and @UdjinM6 agree with that.
 
Last edited:
alex9 said:
I just wanted to say thank you for taking up this idea and working in this direction.
Click to expand...

Or maybe @jimbursch took up the below idea (which is similar but older than yours), and worked in the same direction.

demo said:
Those executables may (or may not) are infected with PWS trojans, but the trolls never ask an independent tester to check them, neither they want a relevant testing proposal to pass from the budget system. They prefer to pay the marketeers to fill the internet with garbage-info about how great dash is, so that the dash deficiencies to never being heard by the masses.

But this is not the correct way for a digital cash that wants to survive in the future to evolve. The correct way is to pay an anti-core team, a team that will have the mission to attack the core team and reveal all their wrongs and errors.
Click to expand...

Me too, I want to say thank you to @jimbursch, for convincing the stupid MNOs towards the necessity of an independent tester.
 
Last edited:
demo said:
Not all the reported bugs are considered as bugs by the core team.

For example the randomness in mn payee selection is not considered by the core team as a known bug.
...
Click to expand...
There is no such bug or vulnerability in mn payee selection you are trying to push because it does not use randomness in the way you think it does. I already answered this concern in the thread you linked to but you fail to listen and/or read the actual code. For whatever reason you are still looking for an answer where you expect it to be and not where it actually is and where I pointed you to. And as a result, you are making wrong assumptions, basically.

I do agree that we should not pay for "discovery" of known issues/bugs (unless it also comes with a great solution for such a problem).
 
UdjinM6 said:
it does not use randomness in the way you think it does.
Click to expand...
So If I compile and install a masternode in my own machine, the dash code does not use the /dev/random device for the masternodes payee selection? Then what kind of randomness does it uses? Is it a network randomness? Do all the masternodes decide together what truly random is? And where is the appropriate code for it?

You are not obliged to answer of course. If you do not answer, but you insist in your position, it is maybe something I dont understand. I advice the ignorants not to trust me, but rather trust @UdjinM6. He is probably right. But I will insist in my position, until I understand my error.

demo said:
UdjinM6 said:
@dark_wanderer If it was 10 days already then dashd (12.0) could see it as "never paid" even if it was before but that's ok, it means that you are in top 10% from which MNs are picked randomly so just keep your mn online do NOT restart it via masternode start-* commands and it should be paid eventually. If you restart, it will be brought to the end of the queue and you'll have to wait 7+ days to get into that top 10% again.
Click to expand...
Where is this randomness in the code, if not into the FindRandomNotInVec ?
Click to expand...
https://github.com/dashpay/dash/blo...f3034197e94f1a18ff/src/masternodeman.cpp#L550
https://github.com/dashpay/dash/blob/master/src/masternodeman.cpp#L632
Code: 
   InsecureRand insecureRand;
    // shuffle pointers
    std::random_shuffle(vpMasternodesShuffled.begin(), vpMasternodesShuffled.end(), insecureRand);
bool fExclude;

Isnt std::random_shuffle a call to my local machine?
What if I compile std::random_shuffle (or its dependencies and its dynamically linked libraries) in a way it does not behave as random as you expect it does? How the rest masternodes discover a masternode which hacked his own local randomness?
 
Last edited:
demo said:
So If I compile and install a masternode in my own machine, the dash code does not use the /dev/random device for the masternodes payee selection? Then what kind of randomness does it uses? Is it a network randomness? Do all the masternodes decide together what truly random is? And where is the appropriate code for it?

You are not obliged to answer of course. If you do not answer, but you insist in your position, it is maybe something I dont understand. I advice the ignorants not to trust me, but rather trust @UdjinM6. He is probably right. But I will insist in my position, until I understand my error.


https://github.com/dashpay/dash/blo...f3034197e94f1a18ff/src/masternodeman.cpp#L550
https://github.com/dashpay/dash/blob/master/src/masternodeman.cpp#L632
Code: 
   InsecureRand insecureRand;
    // shuffle pointers
    std::random_shuffle(vpMasternodesShuffled.begin(), vpMasternodesShuffled.end(), insecureRand);
bool fExclude;

Isnt std::random_shuffle a call to my local machine?
What if I compile std::random_shuffle in a way it does not behave as random as you expect it does?
Click to expand...
Once again: https://www.dash.org/forum/threads/...masternode-monitoring.2722/page-6#post-109861
The code: https://github.com/dashpay/dash/blob/master/src/masternodeman.cpp#L550-L612
tl;dr version: it doesn't use any system random functions, instead it uses hashing of some data which is known by everyone (the data is a block hash, which is random-ish and can't be gamed, and mn outpoint) to produce deterministic output ("score") and to select next payee based on that.
 
UdjinM6 said:
tl;dr version: it doesn't use any system random functions, instead it uses hashing of some data which is known by everyone (the data is a block hash, which is random-ish and can't be gamed, and mn outpoint) to produce deterministic output ("score") and to select next payee based on that.
Click to expand...

I am trying to understand what you said, and how this is translated into the code. If it doesnt use any system random functions, then it is ok and you are right.

I will investigate whatever system random functions you may use into the code (if any), and how these functions (if hacked in the system) can affect code's behavior. Thanks for the hints and for the clarifications you gave to me . I always appreciate a code related talk with you.
 
Last edited:
Bugcrowd has received payment so we are now proceeding with the initial setup of the program. For the first month or so the program will be private, open only to Bugcrowd's best vetted researchers. This will give us a chance to work out any bugs with the bug program ahead of going public. I will, however, keep the community informed as we go along.

If you would like to get an idea of what the program will look like, you can see other Bugcrowd programs here:
https://bugcrowd.com/programs

These are the most relevant to Dash:

https://bugcrowd.com/mastercard
https://bugcrowd.com/circle
https://bugcrowd.com/westernunion
https://bugcrowd.com/simple
https://bugcrowd.com/card
 
In light of the ethereum bug i think some sort of bounty program has to be very significant. The reward for a wallet draining bug is millions, although "illegal" and you have to cover your tracks. Too significant and you end up making the coin worthless. A bounty of a million for a qualified unexploited repair might gather true attention. I think the same bug bounty program could be used as a insurance of last resort as if the exploit is preferred over the bounty then that money is now fairly useless. Obviously the rules for payout have to be very well laid out and all precautions taken.

It will be interesting to see what happens with the ethereum ico's. If anyone will bother to save them.
 
Last edited:
If anyone would like to see a preview of what the private Dash Bug Bounty program will look like, PM me and I will send you a link.

If anyone has any questions, please don't hesitate to ask here.
 
 
You must log in or register to reply here.
Back
Top