[DISCUSS]: Security & Bug Bounty Programs or Solutions

I. Planning & Developing a Program

Developing a Bug Bounty Program, Selecting Internal or External Partners for Security Checks & Protecting / Acquiring Expertise - it is key to outline the objective, options, & optimal approach. The DAO should review, discuss and consider the following approaches, starting with the definition of a Bug Bounty Program:

Definition:

A “bug” bounty program is a model in which software undergoes a series of security tests to identify vulnerabilities ranging in criticality, impact or scale. Computer experts report any bugs, vulnerabilities and exploits in the system.

The “bounty” refers to the reward offered to ethical (white-hat) hackers who discover bugs in a system, to prevent unintended/unwanted application behaviors or, in the worst case, an unethical (black-hat) hacker from exploiting them. Since bounty programs are common, hunters can make full-time incomes from bounties. In these programs, the business often sets the scope of work and the reward for each.

Contributors:

Advanced Users, Computer Programmers, Developers, Engineers, and Information Security Specialists penetrate a network, protocol, program, application, or tool to identify bugs.

Rewards:

Successful bug bounty hunters typically receive rewards in the form of tokens or fiat.

Participant Requirements:

  1. Recommended: Technical Information Security, development, engineering, or advanced UX knowledge and experience.

  2. Basic computer networking skills like DNS, TCP, IP addresses, MAC addresses, OSI stack, etc.

  3. Understand programming languages:
     Front-end: JavaScript, HTML, and CSS
     Back-end: Rust, Anchor, Python, GoLang, Java, C/C++, or other relevant programming language.

  4. Knowledge of web protocols like HTTP, HTTPS, FTP, SFTP, and TLS.

  5. Grasp security measures in web applications and the hacking techniques used against them.

  6. Practice on vulnerable web applications, e.g. Damn Vulnerable Web Application.

  7. Remain active & up-to-date with the trending vulnerabilities in software & crypto.

II. Bug Bounty Benefits or Drawbacks

Pros:

  1. Simplicity: Finding bugs missed after intensive internal security dev & deployment processes.
  2. Focus: Realistic threat assessments & work via timing or via hard problem solving.
  3. Recruiting: Talent or expertise.
  4. Quantity: Detect more vulnerabilities at a reduced cost.
  5. Transparency: Opens the ability for more awareness of and attention to security.

Cons:

  1. Basic: First External Bug Report (depending on size).
  2. Privacy: unless appropriately planned for in-scope & out-of-scope scenarios.
  3. Morale: if rewards are consistently paid more to external parties without supporting dedicated resource pressures.
  4. Quality: Detect more vulnerabilities at a reduced quality, potentially overlooking higher-severity vulnerabilities or bugs.
  5. Publicity: Any events that are publicized or provide details about vulnerabilities reside in more entities' hands and can be exploited.

III. Security Audit, Policies & Bounty Platforms

Corporate Policies & Bug Bounty Programs

Microsoft: MSRC https://msrc.microsoft.com/
MSRC Bounty Program: https://www.microsoft.com/en-us/msrc/bounty

Firebounty: https://firebounty.com
Corda R3: Vulnerability Disclosure Policy https://firebounty.com/18492-r3/

Blockchain Bug Bounty Programs

Solana Labs: https://github.com/solana-labs/solana/blob/master/SECURITY.md#bounty

Sec3 (prev. Soteria) - Solana Projects: https://www.sec3.dev/

Certik: https://www.certik.com/

Hackenproof: https://hackenproof.com
FTX: https://hackenproof.com/ftx/ftx-exchange

HackerOne: https://hackerone.com
OpenSea: https://hackerone.com/opensea
Discourse: https://hackerone.com/discourse

Immunefi: https://immunefi.com/severity-updated/
Bug Bounty Board: https://immunefi.com/explore/

Example - Solana Lido Bounty: https://immunefi.com/bounty/lidoforsolana/
Bug bounty platform for smart contracts and projects to protect them against catastrophic exploits by rewarding white hats who find bugs in the system. Rewards are distributed according to the level of the vulnerability exposed, with levels varying on a 5-point scale based on.

Trail of Bits: https://www.trailofbits.com

IV. Additional Research & Documentation

Additional Programs, Templates & Examples

NIST Bugs Framework Website: https://samate.nist.gov/BF

NIST Presentation (PDF): Industry Bug Bounty Implementation Lessons

Bug Crowd (Bounty List): https://www.bugcrowd.com/bug-bounty-list/

SuperTeam (Bounty: Port Finance): https://superteam.fun/bounties/port-finance-bug-bounty

NeoDyme (Bounty Response): https://blog.neodyme.io/posts/lending_disclosure/

3 Commas (Bounty Policy): https://3commas.io/bounty

KuCoin Exchange: (GoogleDocs :grin:) https://docs.google.com/forms/d/e/1FAIpQLSeIQ_s1zyk1KP82ijfHVASVjBhriZVT-dqKB22PYc0mqX1zIw/viewform

Twitter Thread:
https://twitter.com/Tree_of_Alpha/status/1495503787603148809


@Arximedis Great work on the research above, will take some time to add some more links to bounty programs on Solana and other chains.

For next steps we can start with some smaller tasks i.e

  1. Proper education within Grape so all our members and moderators understand the terminology used and have an easy reaction plan in place.

  2. Update our documentation to include an address and / or method to report critical vulnerabilities.

  3. In addition to having a clear contact method, delegate ownership over a specific email address to several trusted members in the DAO.

  4. Before we start classifying the different kinds of attacks and which ones apply to Grape, a brief report comparing protocols on Solana and the impact of the threats can be used to determine the appropriate rewards. At Mango they have classified the threats based on the Immunefi classification system → Bug Bounty - Mango Markets

There is a need for a bigger program (permissionless) which can be used by any project on Solana and could apply to traditional businesses (not crypto native) where a researcher might want to remain anonymous. In this process the reputation of the researchers involved in discovering threats is extremely important, so threats from researchers with high reputation would not be ignored, and DAOs like Grape would be able to make sure they are rewarded and recognized.

Special thanks to Acammm from UXD for reaching out and sharing his concerns on the current state of bounties, which initiated this discussion to take action.


Thanks @BillysDiscord - I found this interesting and valuable for the community to be aware of, while searching for more information to help get the DAO aligned with what needs to be a collective decision.

Solana will benefit from our efforts.


Thanks @Takisoul for sharing these examples:

Serum Bug Bounty: Introducing The Serum Bug Bounty Program | by Project Serum | Medium
Serum Bug Bounty (Forum): Formalizing a Bug Bounty Program - Feedback - Project Serum Community

UXD Bug Bounty: Bug Bounty - UXD Protocol