BUIP026: Bounties for Software Exploits
Proposed by Tim Potter
Supported by Andrew Clifford
Background
Bitcoin Unlimited must produce exceptionally reliable code.
The goal of this proposal is to fund a bounty purse that mimics both the corrective mechanisms and also the high reliability of DNA synthesis by incentivizing the entire community of open source code contributors to search for nuggets.
An example of high precision high reliability code in nature is DNA. The overall error rate is 10^-10 errors per base pair. The error rate of DNA synthesis is 10^-8, but this error rate is corrected with multiple corrective mechanisms that eventually bring the error rate down to 10^-10.
Solution
This BUIP proposes an additional tier of code review that is beyond what any development team could reasonably accomplish on its own by adding a simple cash reward mechanism as a highly efficient method of detecting any remaining bugs.
Reward payments are effectively bounties in this context.
A there are two levels of reward available to software developers everywhere:
1. Exploits
Identification of an exploit which can remotely bring down a node will earn a reward payment in BTC
The reward for a fault in the release version is $2000, equivalent in BTC, regardless of how long the fault has been present.
The reward for a fault in the dev version is $3000, equivalent in BTC, provided the fault has been in the dev version for 60 days.
The reward values will be subject to periodic review.
2. General bugs
Any general faults and bugs in the current release version can be notified to the Bitcoin Unlimited lead Developer who will make an assessment about the seriousness and can propose a cash payment of up to $1000. This is subject to discussion and approval of other BU officers, however, the recommendation of the Developer will normally be accepted.
Wider audience
Hackerone. A reward for exploits to be advertised there on a similar basis as above.
Total Pool
Total bounty pool is $20,000 after which it will be necessary to return to the membership with a BUIP to top-up the funds.
Any additional feedback is appreciated.
Updated 22 May 2017
Proposed by Tim Potter
Supported by Andrew Clifford
Background
Bitcoin Unlimited must produce exceptionally reliable code.
The goal of this proposal is to fund a bounty purse that mimics both the corrective mechanisms and also the high reliability of DNA synthesis by incentivizing the entire community of open source code contributors to search for nuggets.
An example of high precision high reliability code in nature is DNA. The overall error rate is 10^-10 errors per base pair. The error rate of DNA synthesis is 10^-8, but this error rate is corrected with multiple corrective mechanisms that eventually bring the error rate down to 10^-10.
Solution
This BUIP proposes an additional tier of code review that is beyond what any development team could reasonably accomplish on its own by adding a simple cash reward mechanism as a highly efficient method of detecting any remaining bugs.
Reward payments are effectively bounties in this context.
A there are two levels of reward available to software developers everywhere:
1. Exploits
Identification of an exploit which can remotely bring down a node will earn a reward payment in BTC
- a) the fault details are emailed to security@bitcoinunlimited.info
- b) the fault is shown to be effective by the BU dev team.
- c) the fault is fixed and a public release is available before the exploit is used on main-net.
The reward for a fault in the release version is $2000, equivalent in BTC, regardless of how long the fault has been present.
The reward for a fault in the dev version is $3000, equivalent in BTC, provided the fault has been in the dev version for 60 days.
The reward values will be subject to periodic review.
2. General bugs
Any general faults and bugs in the current release version can be notified to the Bitcoin Unlimited lead Developer who will make an assessment about the seriousness and can propose a cash payment of up to $1000. This is subject to discussion and approval of other BU officers, however, the recommendation of the Developer will normally be accepted.
Wider audience
Hackerone. A reward for exploits to be advertised there on a similar basis as above.
Total Pool
Total bounty pool is $20,000 after which it will be necessary to return to the membership with a BUIP to top-up the funds.
Any additional feedback is appreciated.
Updated 22 May 2017
Last edited by a moderator:
