New Bug Bounty Proposal


#1

BUG BOUNTY PROPOSAL


Revision 0.3a
May 5th 2018
PIVX.org

Introduction


With growing adoption (and value) of PIVX, a dedicated bug bounty program and reporting process to handle security-related events is mandatory. Issues like the recently discovered zerocoin vulnerability have the potential to put users’ funds at risk.

The PIVX team and core community are committed to doing everything they can to reduce the overall risk. This proposal is meant to act as a foundation for planning and establishing a process for professional and effective vulnerability handling as soon as possible.

This effort is directly related to the original bug bounty proposal:
https://forum.pivx.org/t/bug-bounty-program/1993

Why a PIVX Security Bug Bounty program?


  • External bug hunters have a different view. There can never be too many eyes involved in reviewing a codebase for security bugs
  • There is no such thing as bulletproof code. We need reviews in regular intervals to make sure the codebase is sound
  • Privacy is our top priority and this should be reflected in all areas of our work. The reputation and other losses in case of a severe vulnerability can’t be overestimated
  • Many big companies have run bug bounty programs for years with proven success

Professional Bug Bounty Providers


Since PIVX is a community project with decentralized governance, we should get a professional partner to handle some of the work to get us started and to provide the initial infrastructure. This money will be well spent and gives us extra benefits like 24x7 response handling and pre-evaluation of reports, saving precious developer time.

Looking at the current market for bug bounty providers, we considered two programs that clearly stood out:

  • Bugcrowd
  • HackerOne

Evaluation winner - HackerOne


After the initial independent research, some calls and platform demos were conducted. Bugcrowd’s performance wasn’t convincing at all, while HackerOne was always available for questions from day one. The interface and capabilities of the h1 platform are exactly what PIVX needs to get started quickly and efficiently.

We also looked into what other companies do with the h1 platform. The best bounty campaign we found by far is Twitter’s at https://hackerone.com/twitter.

The prices are certainly not cheap. On the other hand, the platform does everything really well, and we can go with the unmanaged, cheaper option after getting started (after the first year). Fees are assessed annually and include access to their expert team, which will help us with the initial kickstart and continuous improvement of the bounty program.

PIVX bug bounty panel


PIVX will form a panel consisting of project members that will develop the details of the process and, once the program has launched, ultimately decide whether and how much the author of a vulnerability submission is paid according to the rules.

Ideally, such a team consists of core developers, community members and external advisors.

Bug Bounty Scope


In general, the scope of the bug bounty program should revolve around the PIVX core implementation. Additionally, we could expand the program to explicitly include security improvements. I actually recommend that, since it attracts people who "prefer to build" things instead of "only breaking" things.

First set of examples for the scope:

  • Security weaknesses / attacks on the PoS algorithm
  • Security weaknesses / attacks on the PIVX zPIV implementation
  • Consensus attacks
  • Global DoS attacks
  • Node DoS attacks
  • Cryptographic primitives, e.g. zerocoin
  • Security weaknesses in the PIVX Website
  • Security weaknesses in any official PIVX apps

Bug Bounty Parameters


Inspired by Ethereum’s & Github’s bug bounty programs:

https://bounty.ethereum.org/
https://bounty.github.com/

Parameters


  • Submissions must not be publicly disclosed before evaluation and payment
  • Contact us first to allow us to fix any vulnerability found
  • Submit any questions or vulnerabilities found to [email protected] (encrypted, of course)
  • Reward goes to the first to report critical vulnerabilities found. Issues that have already been submitted by another user or are already known to the PIVX team are not eligible for bounty rewards
  • Public disclosure of a vulnerability makes it ineligible for a bounty
  • Don’t use the PIVX mainnet for bug hunting. Create a dedicated testnet (instructions for doing so will be provided)
  • The PIVX core development team is not eligible for rewards
  • The PIVX homepage and infrastructure are NOT part of the bounty program
  • PIVX bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the PIVX bug bounty panel
  • The value of rewards paid out will vary depending on severity. Severity is calculated according to the OWASP risk rating model, based on Impact and Likelihood

This proposal requests 2,500 PIV per month to fund the pool for the bug bounty program, as well as 500 PIV per month as a salary for Marsmensch to manage the program.

The board members will be as follows:

Marsmensch, Turtleflax, Veramis, Presstab, Mrs-X, Fuzzbawls and myself

Vote Details

New-Bug-Bounty:

Hash = b6a64d196982ed6c9751ffe3eaef663877d352a004442bc6d2f95d2dc296faf6

To vote yes:

mnbudget vote-many b6a64d196982ed6c9751ffe3eaef663877d352a004442bc6d2f95d2dc296faf6 yes

To vote no:

mnbudget vote-many b6a64d196982ed6c9751ffe3eaef663877d352a004442bc6d2f95d2dc296faf6 no

To check status:

mnbudget getinfo New-Bug-Bounty
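The parameters above say severity is calculated with the OWASP risk rating model from Impact and Likelihood but do not show the arithmetic. The following is an added worked example, not PIVX code and not the panel's actual scoring sheet: it implements the published OWASP Risk Rating Methodology (eight likelihood factors and four technical impact factors, each scored 0-9, averaged, banded into LOW/MEDIUM/HIGH, then combined through the OWASP severity matrix). The two sample reports and their factor scores are constructed illustrations, not real findings.

```python
"""OWASP Risk Rating Methodology, as an added worked example (not PIVX code)."""
from statistics import mean

# Likelihood factors: threat-agent factors plus vulnerability factors, each 0-9.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
LIKELIHOOD_FACTORS = THREAT_AGENT + VULNERABILITY

# Impact factors, each 0-9. OWASP lets you average either technical or business impact.
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage",
                   "non_compliance", "privacy_violation")

# OWASP overall-severity matrix, keyed by (impact band, likelihood band).
SEVERITY_MATRIX = {
    ("HIGH", "LOW"): "MEDIUM",  ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
    ("MEDIUM", "LOW"): "LOW",   ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("LOW", "LOW"): "NOTE",     ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
}


def band(score):
    """Map a 0-9 factor average to the OWASP band: 0-<3 LOW, 3-<6 MEDIUM, 6-9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"factor average out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(scores, expected):
    """Average the expected factors, rejecting missing or out-of-range entries
    so a half-filled scoring sheet cannot silently lower a rating."""
    missing = [f for f in expected if f not in scores]
    if missing:
        raise KeyError(f"missing factors: {missing}")
    for f in expected:
        v = scores[f]
        if isinstance(v, bool) or not isinstance(v, (int, float)) or not 0 <= v <= 9:
            raise ValueError(f"{f} must be a number from 0 to 9, got {v!r}")
    return mean(scores[f] for f in expected)


def rate(likelihood, impact, impact_factors=TECHNICAL_IMPACT):
    """Return likelihood/impact averages, their bands and the overall severity."""
    l_score = average(likelihood, LIKELIHOOD_FACTORS)
    i_score = average(impact, impact_factors)
    l_band, i_band = band(l_score), band(i_score)
    return {
        "likelihood_score": round(l_score, 2),
        "likelihood": l_band,
        "impact_score": round(i_score, 2),
        "impact": i_band,
        "severity": SEVERITY_MATRIX[(i_band, l_band)],
    }


# Constructed sample A: a hypothetical remote node crash reachable by any peer
# (the "Node DoS attacks" scope item). Scores follow the OWASP factor tables:
# network/programming skills (6), possible reward (4), no access required (9),
# anonymous internet users (9), difficult to discover (3), automated exploit (9),
# unknown to attackers (1), not logged (9); availability hit is extensive (7),
# attacker completely anonymous (9).
REPORT_A_LIKELIHOOD = {"skill_level": 6, "motive": 4, "opportunity": 9, "size": 9,
                       "ease_of_discovery": 3, "ease_of_exploit": 9,
                       "awareness": 1, "intrusion_detection": 9}
REPORT_A_IMPACT = {"loss_of_confidentiality": 2, "loss_of_integrity": 1,
                   "loss_of_availability": 7, "loss_of_accountability": 9}

# Constructed sample B: a hypothetical minor information leak needing special access.
REPORT_B_LIKELIHOOD = {"skill_level": 3, "motive": 1, "opportunity": 4, "size": 6,
                       "ease_of_discovery": 3, "ease_of_exploit": 3,
                       "awareness": 1, "intrusion_detection": 3}
REPORT_B_IMPACT = {"loss_of_confidentiality": 2, "loss_of_integrity": 1,
                   "loss_of_availability": 1, "loss_of_accountability": 1}

if __name__ == "__main__":
    for name, lk, im in (("A", REPORT_A_LIKELIHOOD, REPORT_A_IMPACT),
                         ("B", REPORT_B_LIKELIHOOD, REPORT_B_IMPACT)):
        print(name, rate(lk, im))
```

Sample A averages to likelihood 6.25 (HIGH) and technical impact 4.75 (MEDIUM), which the matrix resolves to HIGH; sample B averages to likelihood 3.0 (MEDIUM) and impact 1.25 (LOW), giving LOW. The band edges are inclusive at the top of each range exactly as OWASP defines them (3.0 is already MEDIUM, 6.0 already HIGH), which is worth checking in any spreadsheet a panel uses, since an off-by-one at those edges moves a report across a payout tier.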

#2

In the previous bug bounty I discovered a compilation error/bug:
https://github.com/PIVX-Project/PIVX/issues/450
It was fixed.


But nobody paid me a small tip (whatever it is) for my report.
Will you pay me now?
Who is responsible to pay (or refuse to pay) those who discover bugs/errors?


#3

I caution anyone against paying anything to the above individual as it will only encourage them to further inflict themselves upon this community. Look to their record on the Dash forum for the needless conflict they also engage in there. https://www.dash.org/forum/members/demo.5057/


#4

Can you please give an update of the funds collected, and where they have been spent so far?


#5

I discovered a tiny bug and helped improve the PIVX code.
What does this have to do with my profile on Dash?
How is this related to my beliefs?
I have been in this community for a long time, and you just subscribed here.
Why believe you instead of me? Who are you?

By the way, they have totally banned my account from dashtalk now.
https://www.dash.org/forum/members/demo.5057/


#6

The bug bounty program is for critical issues that affect the network and the funds of users, such as exploits etc. @marsmensch will be overseeing the program. All bugs would have to be submitted to HackerOne and go through their program to be considered for payment.


#7

The only funds that have been spent were for the exploit that was sent to us for the recent modulus issue, and for the HackerOne program. All remaining funds are still held in the proposal address.


#8

Is it obligatory for a bug report to pass through HackerOne?
Have you set a maximum and a minimum bug bounty?

Most companies have set a max and a min bug bounty, and some big companies have their own bug bounty site instead of trusting the HackerOne or Bugcrowd sites.
https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/10-essential-bug-bounty-programs-2017/

  1. Apple
    Website: Invite-only
    Minimum Payout: No predetermined amount
    Maximum Payout: $200,000

  2. Facebook
    Website: https://www.facebook.com/whitehat
    Minimum Payout: $500
    Maximum Payout: No predetermined amount

  3. GitHub
    Website: https://bounty.github.com/
    Minimum Payout: $200
    Maximum Payout: $10,000

  4. Google
    Website: https://www.google.com/about/appsecurity/reward-program/
    Minimum Payout: $300
    Maximum Payout: $31,337

  5. Intel
    Website: https://security-center.intel.com/BugBountyProgram.aspx
    Minimum Payout: $500
    Maximum Payout: $30,000

  6. Microsoft
    Website: https://technet.microsoft.com/en-us/library/dn425036.aspx
    Minimum Payout: $500
    Maximum Payout: No pre-determined amount

  7. Pentagon
    Website: https://www.hackerone.com/resources/hack-the-pentagon
    Minimum Payout: $100
    Maximum Payout: $15,000

  8. Tor Project
    Website: https://hackerone.com/torproject
    Minimum Payout: $100
    Maximum Payout: $4,000

  9. Uber
    Website: https://hackerone.com/uber
    Minimum Payout: No predetermined amount
    Maximum Payout: $10,000

  10. WordPress
    Website: https://hackerone.com/wordpress
    Minimum Payout: $150
    Maximum Payout: No pre-determined amount

  11. Dash
    Website: https://bugcrowd.com/dashdigitalcash
    Minimum Payout: $100
    Maximum Payout: $10,000

  12. PIVX
    Website: ?
    Minimum Payout: ?
    Maximum Payout: ?


#9

Dash does. @demo

“The Dash Bug Bounty Program pays up to $10,000 for a critical vulnerability. If we receive the report through the Bugcrowd platform, the bounty is paid in U.S. dollars through the platform. We may also receive reports outside of the platform via email or one of the Dash community channels. In those cases, we will pay bounties in Dash. Vulnerabilities have to be reported responsibly (discretely) and evaluated before a bounty is paid.”


May 20, 2018


#10

Hi everyone!

I just posted a medium post with all relevant details of the hackerone bug bounty program.

It’s live here:
https://medium.com/tales-from-the-crypt-o/pivx-h1-bug-bounty-program-public-launched-successfully-b30a29e292bb

Please note: We are still in private mode, public launch will be in a couple of days (asap).

Have a great day!