I. Planning & Developing a Program
Developing a Bug Bounty Program, Selecting Internal or External Partners for Security Checks & Protecting / Acquiring Expertise - it is key to outline the objective, options, & optimal approach. The DAO should review and discuss the following approaches and consider. Starting with the definition of a Bug Bounty Program:
A “bug” bounty program is a model outlined where software undergoes a series of security tests to identify a range of vulnerabilities in criticality, impact or scale. Computer experts report any bugs, vulnerabilities and exploits in the system.
The “bounty” refers to the reward offered to ethical (white-hat) hackers who discover bugs in a system to prevent unintended/unwanted application behaviors, or in the worst case, an unethical (black-hat) hacker from exploiting. Since bounty programs are common, hunters can make full-time incomes from bounties. In these programs, the business often sets the scope of work and the reward for each.
Advanced Users, Computer Programmers, Developers, Engineers, and Information Security Specialists, penetrate a network, protocol, program, application, or tool, to identify bugs.
Successful bug bounty hunters typically receive rewards in the form of tokens or fiat.
Recommended: Technical Information Security, development, engineering, or advanced UX knowledge and experience.
Basic computer networking skills like DNS, TCP, IP addresses, Mac Addresses, OSI stack, etc.
Understand programming languages:
Back-end: Rust, Anchor, Python, GoLang, Java, C/C++, or other relevant PrgLang.
Knowledge of web protocols like HTTP, HTTPS, FTP, SFTP, and TLS.
Grasp security measures in web applications and the hacking techniques.
Practice on vulnerable web applications and Damn Vulnerable Web Application
Remain Active & Up-to-date with the trending vulnerabilities, in software & crypto.
II. Bug Bounty Benefits or Drawbacks
- Simplicity: Finding bugs missed after intensive internal security dev & deployment processes.
- Focus: Realistic threat assessments & work via timing or via hard problem solving.
- Recruiting: Talent or expertise.
- Quantity: Detect more vulnerabilities at a reduced cost.
- Transparency: Opens ability for more awareness on security & attention
- Basic: First External Bug Report (depending on size).
- Privacy: unless appropriately planned for inscope & out-of-scope scenarios.
- Morale: if rewards consistently paid more to external parties without supporting dedicated resource pressures.
- Quality: Detect more vulnerabilities at a reduced quality, potentially overlooking higher severity criticality vulnerabilities or bugs.
- Publicity: Any events that are publicized or provide details about vulnerabilities, reside in more entities hands and can be exploited.
III. Security Audit, Policies & Bounty Platforms
Corporate Policies & Bug Bounty Programs
Microsoft: MSRC https://msrc.microsoft.com/
MSRC Bounty Program: https://www.microsoft.com/en-us/msrc/bounty
Corda R3: Vulnerability Disclosure Policy https://firebounty.com/18492-r3/
Blockchain Bug Bounty Programs
Solana Labs: https://github.com/solana-labs/solana/blob/master/SECURITY.md#bounty
Sec3 (prev. Soteria) - Solana Projects: https://www.sec3.dev/
Bug Bounty Board: https://immunefi.com/explore/
Example - Solana Lido Bounty: https://immunefi.com/bounty/lidoforsolana/
Bug bounty platform for smart contracts and projects to protect them against catastrophic exploits by rewarding white hats who find bugs in the system. Rewards are distributed according to the level of the vulnerability exposed, with levels varying on a 5-point scale based on.
Trail of Bits: https://www.trailofbits.com
IV. Additional Research & Documentation
Additional Programs,Templates & Examples
NIST Bugs Framework Website: https://samate.nist.gov/BF
NIST Presentation (PDF): Industry Bug Bounty Implementation Lessons
Bug Crowd (Bounty List): https://www.bugcrowd.com/bug-bounty-list/
SuperTeam (Bounty: Port Finance): https://superteam.fun/bounties/port-finance-bug-bounty
NeoDyme (Bounty Response): https://blog.neodyme.io/posts/lending_disclosure/
3 Commas (Bounty Policy): https://3commas.io/bounty
KuCoin Exchange: (GoogleDocs ) https://docs.google.com/forms/d/e/1FAIpQLSeIQ_s1zyk1KP82ijfHVASVjBhriZVT-dqKB22PYc0mqX1zIw/viewform