As a successful open source digital currency project, Dash has a responsibility to be very secure. While perfection is impossible, trying very hard is important. There have been a number of high profile “bugs” that have cost crypto investors money, from the “August 2010 – Bitcoin protocol hack, 184 billion Bitcoins created” to “smart contract” bugs in ETH that involved many millions of dollars.
One very useful proposal funded by the Dash Treasury is a contract with Bugcrowd to point their “researchers” at Dash for the next year. This program funds a large crowd of white hat hackers to review the Dash codebase for bugs. You can visit the Bugcrowd website and get involved.
Dash Bug Bounty Program ongoing status thread on Dash forum
I interviewed Jim Bursch the proposal owner about the project.
Can you explain how you came up with the idea? Have you worked with a program like this before?
As a web developer who works with cryptocurrency on my own project Dash Messaging, I am constantly aware, and a little paranoid, about application security. Every project in this space benefits when more developers are looking at code from different perspectives, and a bug bounty program is a great way to incentivize developers to hack at code in a responsible manner.
Because Dash has this unique funding mechanism (the budget system), it only made sense that it should have a good bug bounty program. I didn’t have any direct experience with bounty programs when I came up with the idea, so I had to do some research before I submitted the proposal. Quickly I learned that it is not a simple matter of just announcing that you will pay bounties for bugs. Systems have to be established to communicate with hackers, establish the scope of the program, triage reports that are submitted, evaluate the priority and severity of a bug or vulnerability, and tie in a payment system.
My research led me to a couple of leading companies that have established platforms for running successful bounty programs, one of them being Bugcrowd.
What did it take to pick the vendors and figure out how to make vendor and Dash expectations mesh into a viable project?
Since we are dealing with entirely new concepts and organizations (crypto and DAOs), I needed a vendor who was flexible and forward-thinking. On principle I believed that the vendor should be paid in Dash, not a fiat currency such as USD. Dash is a currency, so we should use it as a currency. This was a little problematic for some of the vendors, who had to review this with their accounting and legal departments. Bugcrowd’s attitude from the beginning was that this would not be a problem; we could figure out how to make it work.
Can you briefly explain how the process works – who are the bug testers? I saw you had good support from Andy Freer (Dash CTO) – which only makes sense.
Bugcrowd has an established relationship with thousands of hackers/researchers, simply by virtue of the fact that they have run hundreds of bounty programs over the years. They have an online platform where registered hackers can submit bug/vulnerability reports, where I as the client have complete visibility into the entire process. Since we are running a fully-managed program with Bugcrowd, all reports are reviewed by the Bugcrowd engineering team to determine severity and priority. To give you an idea of what that is like, take a look at their Vulnerability Rating Taxonomy.
After a report has been triaged by a Bugcrowd engineer and given a P1-P5 rating, I then review the report and make a final determination about the bounty payout. I also pass the report along directly to a member of the Core team, and also add it to GitHub issues if it is something that is safe to publicly disclose.
We have also made bounty payments outside of the Bugcrowd platform. For example, we made bug bounty payments to the two developers who discovered the bug that led to the temporary disabling of InstantSend.
Now that it is up and running, what do you see as the value to Dash – is there anything “surprising”?
The Dash Bug Bounty program is very valuable and well worth the funding. It is a very useful tool to garner the good will of the developer/hacker community. We can afford to be generous in handing out bounties that are well deserved. When the Dash Copay wallet is launched, it will be included in the Dash Bug Bounty program, which will contribute to the sense of security users can have when using the wallet. These days, anything that improves safety, security, and privacy is very valuable.
How did you structure the financial side of this?
I have never personally converted Dash to USD or any other fiat. If somebody wants to do business with me, it has to be in Dash. Otherwise, what’s the point of Dash? With Bugcrowd, I recommended that they open an exchange account with Kraken, and I submitted payment in Dash to their Kraken account, which they then exchanged to USD and credited to the Dash Bug Bounty program account on their books.
This is definitely a gray area when it comes to accounting and taxation, simply because all this is entirely new. That’s understandable. This is why my proposal included a 20% padding for exchange rate risk — to deal with these issues if/when they come up.
Personally, it bothers me when I see other proposal owners talk about exchanging Dash and making wire payments to vendors. Those vendors are the ones who need to get on board with Dash if they are providing services to Dash. If they want our money, they should take our money — in Dash.
Some information on your background?
I am a PHP/MySQL developer who has been working for over 10 years on what is now Dash Messaging. I first got into Bitcoin when it was $100, and switched to Dash when it was $50. I am located in Los Angeles.
How did you first get into crypto, and then Dash?
I learned about Bitcoin from NPR’s Planet Money podcast and recognized it as a solution to my need for a payment system that respects privacy. I switched to Dash when Bitcoin confirmation times and fees were going up, rendering it useless as a payment solution. Dash isn’t quite ready for prime time as a payment system, but it is on the right track and will get there very soon.
Jim says it best in his proposal:
Dash can and should have the best funded bug bounty program of all cryptocurrencies. With a robust bug bounty program, Dash can rightly make the following claims:
- Dash code is the most secure because we offer the highest bounties to skilled developers to review infrastructure code.
- Dash is the safest because hackers (white/gray/black) are incentivized to disclose hacks in a manner that is safe and discreet, instead of exploiting or selling hacks.