Hey everybody!
A couple of months ago, while working with the BitShares UI/app team in my spare time, I realized that we don't have a formalized method or proper incentives for hackers to report serious vulnerabilities!
If a security researcher/hacker found a critical bug in the DEX, they might be tempted to exploit the bug, and attempt to steal funds from unsuspecting users. Without a public bug bounty system, hackers do not have an obvious path of disclosure for reporting their findings. They also do not have any incentive to share their exploits and techniques, rather than using them for personal gain.
With this proposal, I'd like to start a BitShares bug bounty program for security researchers and penetration testers (...aka hackers!) to disclose important security vulnerabilities they find within the BitShares core protocol, reference wallet, and related code repositories.
The proposal will use allocated funds to reward those that step forward with exploits, relative to the overall risk assessment of the exploit. The higher the payout for critical bugs, the more incentive there will be to attract higher quality researchers, ultimately providing better security coverage for the DEX.
Funds will also be used to build and maintain a website (https://hackthedex.io/) for reporting vulnerabilities. The website will include all the information needed for researchers to report a vulnerability, as well as an archive of bounty reports and a leaderboard to encourage a little friendly hacker competition. It will also lay the groundwork for future HackTheDEX worker proposals to improve the security and safety of BitShares as a whole.
Thanks to coordination with the foundation, worker proposal funds will be held in a BBF escrow account and unused funds will be refunded back to the network at the end of the proposal period.
For your consideration: https://www.bitshares.foundation/workers/2018-07-hackthedex
Thanks!
-- Matt
Yes! I was just thinking about exactly how safe is bitshares/graphene etc? Of course, really safe, but within every system there are exploits... just a matter of finding them haha. Some may never be found, some may be virtually impossible to produce etc... but yeah, this sort of incentive is a good thing to have! Fully support this!
Thanks!
It'd be great if hackers didn't find any critical issues at all, so the majority of the budget could be returned to the reserve pool. The greatest immediate benefit is that we have a designated communications channel for reporting and incentivizing ethical hackers.
Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://www.hackthedex.io/
Why, thank you, kind @cheetah, for linking to my own website. Keep doing you.