NLNico
Nickel Bitcoiner
Posts: 10
Joined: Wed Sep 23, 2015 11:43 am

Donate BTC of your choice to 1Fcn7M1AjgA9RFPm59RqiTCCD6tKKS5vN9

Security bounties?

Wed Oct 28, 2015 8:15 am

Hi,

Bitcointalk/theymos has always put a high priority on security/privacy and even has security bounties which are almost equivalent to those of PP/FB. I think that is important considering a lot of (prominent) bitcoin users hang out on a forum like that.

My question: does bitcoin.com offer bounties for security vulnerabilities too? (on either the site/forum/wiki/etc?) If so: what kind of reward can one expect? And last, but not least, whom should one contact in such a situation?

Basically I suggest some clarity about that and potentially an "official" bug bounty program to ensure the security of the site.

Regards,
Nico

avgeca
Nickel Bitcoiner
Posts: 23
Joined: Thu Sep 24, 2015 6:09 pm

Re: Security bounties?

Wed Oct 28, 2015 11:57 am

I second that proposal!
Why Monero is the future for DNM - Privacy matters - protect yourself!

NLNico
Nickel Bitcoiner
Posts: 10
Joined: Wed Sep 23, 2015 11:43 am

Donate BTC of your choice to 1Fcn7M1AjgA9RFPm59RqiTCCD6tKKS5vN9

Re: Security bounties?

Fri Oct 30, 2015 3:22 pm

:)

Hope Roger and/or an admin can reply to this. I am really curious whom to contact if I find a security vulnerability and whether I can expect some reward for it.. Thanks.

BitcoinXio
Nickel Bitcoiner
Posts: 167
Joined: Mon Sep 21, 2015 4:12 pm

Re: Security bounties?

Fri Oct 30, 2015 3:44 pm

I can't speak for the admins, but I am all for this idea. If the admins want to help crowd-fund a security bounty and put up a bitcoin address (multisig maybe?), I will contribute some bitcoins to the address to help fund it.

LiteCoinGuy
Gold Bitcoiner
Posts: 2505
Joined: Mon Sep 21, 2015 9:00 am

Donate BTC of your choice to 1Dbo5TtxG9cWoyw49GM8vbD7HgQhr1KVi6

Re: Security bounties?

Sat Oct 31, 2015 8:31 pm

I like this idea and support it :!:
********************************************
More information about Bitcoin and scaling BTC on

bitcoin.org/en/

https://bitcoincore.org/en/2015/12/23/c ... reases-faq

&
reddit.com/r/Bitcoin/

rogerver
Founder
Posts: 1866
Joined: Thu Sep 10, 2015 6:55 am

Donate BTC of your choice to 1PpmSbUghyhgbzsDevqv1cxxx8cB2kZCdP

Re: Security bounties?

Wed Nov 04, 2015 5:04 am

I'm not a security expert.
Should I just clone the exact same reward structure from Bitcointalk.org?
Help spread Bitcoin by linking to everything mentioned here:
topic7039.html

NLNico
Nickel Bitcoiner
Posts: 10
Joined: Wed Sep 23, 2015 11:43 am

Donate BTC of your choice to 1Fcn7M1AjgA9RFPm59RqiTCCD6tKKS5vN9

Re: Security bounties?

Wed Nov 04, 2015 7:10 am

As a security researcher, I would like that.. since theymos made them pretty high :x ;)

It's important to realize that bitcointalk uses XAU, which means it currently ranges between 0.255 and 25.5 BTC depending on severity. I have to be honest that this is pretty big, and smaller rewards seem fair to me too (especially since bitcoin.com is just starting and therefore the impact of a security bug would realistically be smaller.)

To give some other examples of bug bounty programs..

blockchain.info uses:
High: $1,600+ (would be the levels: Root, Arbitrary DB writing, Obtaining arbitrary PMs or password hashes on btctalk)
Medium: $400 (would be Persistent script injection and probably some CSRF/non-persistent XSS)
Low: $100 (lower impact, realistically barely any/no "damage")

bitgo uses:
High: $1,000+ (do note they always say "+"; if you find something to steal all their bitcoins, obviously they will reward much more)
Medium: $250
Low: $100

LocalBitcoins uses:
High: $1,000+
Medium: $300
Low: $50

etc.

So I don't think it has to be as specific as bitcointalk's (although I do appreciate that transparency from theymos: if you report a bug, you know in advance exactly how much it will be) and probably more like the 3 other examples. Still, in the background you would probably rate the severity somewhat like bitcointalk does (since it's also a forum with the same security priorities, like keeping password hashes and PMs safe.)

Either way, just stating that you have a bug bounty at all, ranging from $x to $x for real security vulnerabilities, will be a start :) (with some contact info, and potentially some "rules"/"out-of-scope" like all the examples have.) Normally the security researcher who reports it should tell you why it is an important bug to fix too. And then you can probably discuss the real severity/impact with your developers to come up with a bounty for it. (It's only important that your developers realize that although most bugs take seconds/minutes to fix, rewards should not be based on that but on severity/impact.)

PS: I will just start searching through the phpBB source now since you seem to be interested in at least giving some reward, and I enjoy searching for stuff like this :) If I do happen to find something.. should I contact you, rogerver?
