BUG BOUNTY PROPOSAL
May 5th 2018
With the growing adoption (and value) of PIVX, a dedicated bug bounty program and a reporting process for handling security-related events are mandatory. Issues like the recently discovered zerocoin vulnerability have the potential to put users' funds at risk.
The PIVX team and core community are committed to doing everything they can to reduce the overall risk. This proposal is meant to act as a foundation for planning and establishing a process for professional and effective vulnerability handling as soon as possible.
This effort is directly related to the original bug bounty proposal:
Why a PIVX Security Bug Bounty program?
- External bug hunters have a different view. There can never be too many eyes involved in reviewing a codebase for security bugs
- There is no such thing as bulletproof code. We need reviews in regular intervals to make sure the codebase is sound
- Privacy is our top priority and this should be reflected in all areas of our work. The reputation and other losses in case of a severe vulnerability can’t be overestimated
- Many big companies have run bug bounty programs for years with proven success
Professional Bug Bounty Providers
Since PIVX is a community project with decentralized governance, we should engage a professional partner to handle some of the work of getting started and to provide the initial infrastructure. This money will be well spent and gives us extra benefits such as 24x7 response handling and pre-evaluation (triage) of reports, which saves precious developer time.
Looking at the current market for bug bounty providers, we considered two providers that clearly stood out:
Evaluation winner - HackerOne
After the initial independent research, some calls and platform demos were conducted. Bugcrowd's performance wasn't convincing at all, while HackerOne was available for questions from day one. The interface and capabilities of the h1 platform are exactly what PIVX needs to get started quickly and efficiently.
We also looked at what other companies do with the h1 platform. The best bounty campaign we found by far is Twitter's at https://hackerone.com/twitter.
The prices are certainly not cheap. On the other hand, the platform does everything really well, and we can switch to the cheaper, un-managed option once we are up and running (after the first year). Fees are assessed annually and include access to their expert team, which will help us with the initial kickstart and with continuous improvement of the bounty program.
PIVX bug bounty panel
PIVX will form a panel of project members that will work out the details of the process and, once the program has launched, will ultimately decide whether, and how much, the author of a vulnerability submission is paid according to the rules.
Ideally, such a panel consists of core developers, community members and external advisors.
Bug Bounty Scope
In general, the scope of the bug bounty program should revolve around the PIVX core implementation. Additionally, we could expand the program to explicitly include security improvements. I actually recommend that, since it attracts people who "prefer to build" things instead of "only breaking" things.
First set of examples for the scope:
- Security weaknesses / attacks on the PoS algorithm
- Security weaknesses / attacks on the PIVX zPIV implementation
- Consensus attacks
- Global DoS attacks
- Node DoS attacks
- Cryptographic primitives, e.g. zerocoin
- Security weaknesses in the PIVX Website
- Security weaknesses in any official PIVX apps
Bug Bounty Parameters
Inspired by Ethereum's and GitHub's bug bounty programs:
- Submissions must not be publicly disclosed before evaluation and payment
- Contact us first to allow us to fix any vulnerability found
- Submit any questions or vulnerabilities found to [email protected] (encrypted, of course)
- The reward goes to the first person to report a critical vulnerability. Issues that have already been submitted by another user or are already known to the PIVX team are not eligible for bounty rewards
- Public disclosure of a vulnerability makes it ineligible for a bounty
- Don’t use the PIVX mainnet for bug hunting. Create a dedicated testnet (instructions will be provided to do so)
- The PIVX core development team is not eligible for rewards
- The PIVX homepage and infrastructure are NOT part of the bounty program
- The PIVX bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the PIVX bug bounty panel
- The value of rewards paid out will vary depending on severity. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood
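The OWASP risk rating model named in the last rule is a concrete procedure, so here is a worked version of it for the panel's use. This is an added illustration, not code from this proposal or from the PIVX project: the factor names, the 0-9 scale, the Low/Medium/High bands and the overall severity matrix follow the published OWASP Risk Rating Methodology, while the two sample submissions are constructed values chosen to show one Critical and one Low outcome. How a severity maps to a PIV amount is left to the panel, as the rule above states.

```python
"""Worked example of the OWASP Risk Rating Methodology (added illustration).

Each likelihood and impact factor is scored 0-9, the factors in each group are
averaged, the average is banded (<3 Low, 3 to <6 Medium, 6-9 High), and the two
bands are combined through the OWASP overall-severity matrix.
"""
from statistics import mean

# Likelihood factors: four about the threat agent, four about the vulnerability.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# Impact factors: four technical, four business.
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# OWASP overall-severity matrix, indexed by (likelihood band, impact band).
SEVERITY = {
    ("LOW", "LOW"): "Note",     ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",   ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",  ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}


def level(score: float) -> str:
    """Band an averaged 0-9 score: <3 Low, 3 to <6 Medium, 6-9 High."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(factors, scores):
    """Average the named factors; every factor must be present and within 0-9."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise KeyError(f"missing factors: {missing}")
    for f in factors:
        if not 0 <= scores[f] <= 9:
            raise ValueError(f"{f} out of range: {scores[f]}")
    return mean(scores[f] for f in factors)


def rate(scores: dict) -> dict:
    """Return likelihood/impact averages, their bands, and the overall severity."""
    likelihood = average(LIKELIHOOD_FACTORS, scores)
    impact = average(IMPACT_FACTORS, scores)
    lb, ib = level(likelihood), level(impact)
    return {
        "likelihood": likelihood, "impact": impact,
        "likelihood_level": lb, "impact_level": ib,
        "severity": SEVERITY[(lb, ib)],
    }


# Constructed sample: a hypothetical consensus-level flaw, scored by a panel member.
# (Values are assumptions for illustration, not a real report.)
SAMPLE_CONSENSUS_FLAW = {
    "skill_level": 6, "motive": 9, "opportunity": 7, "size": 9,
    "ease_of_discovery": 3, "ease_of_exploit": 5, "awareness": 2, "intrusion_detection": 8,
    "loss_of_confidentiality": 7, "loss_of_integrity": 9,
    "loss_of_availability": 7, "loss_of_accountability": 9,
    "financial_damage": 9, "reputation_damage": 9, "non_compliance": 5, "privacy_violation": 7,
}

# Constructed sample: a hypothetical low-impact information-disclosure finding.
SAMPLE_MINOR_FINDING = {
    "skill_level": 3, "motive": 1, "opportunity": 4, "size": 2,
    "ease_of_discovery": 7, "ease_of_exploit": 3, "awareness": 4, "intrusion_detection": 3,
    "loss_of_confidentiality": 2, "loss_of_integrity": 1,
    "loss_of_availability": 1, "loss_of_accountability": 1,
    "financial_damage": 1, "reputation_damage": 2, "non_compliance": 2, "privacy_violation": 3,
}

if __name__ == "__main__":
    for name, sample in (("consensus flaw", SAMPLE_CONSENSUS_FLAW),
                         ("minor finding", SAMPLE_MINOR_FINDING)):
        r = rate(sample)
        print(f"{name}: likelihood {r['likelihood']:.3f} ({r['likelihood_level']}), "
              f"impact {r['impact']:.3f} ({r['impact_level']}) -> {r['severity']}")
```

The two helpers reject missing or out-of-range factors rather than silently averaging over fewer values, which is the most common way a hand-filled scoring sheet ends up with an understated rating.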
This proposal will request 2500 PIV a month to fund the pool for the bug bounty program, as well as 500 PIV a month as a salary for Marsmensch to manage the program.
The board members will be as follows:
Marsmensch, Turtleflax, Veramis, Presstab, Mrs-X, Fuzzbawls and myself