BUIP026: (passed) Bounties for Software Exploits

tim potter

New Member
Sep 7, 2016
BUIP026: Bounties for Software Exploits

Proposed by Tim Potter
Supported by Andrew Clifford

Background

Bitcoin Unlimited must produce exceptionally reliable code.

The goal of this proposal is to fund a bounty purse that mimics both the corrective mechanisms and also the high reliability of DNA synthesis by incentivizing the entire community of open source code contributors to search for nuggets.

An example of high precision high reliability code in nature is DNA. The overall error rate is 10^-10 errors per base pair. The error rate of DNA synthesis is 10^-8, but this error rate is corrected with multiple corrective mechanisms that eventually bring the error rate down to 10^-10.

Solution

This BUIP proposes an additional tier of code review that is beyond what any development team could reasonably accomplish on its own by adding a simple cash reward mechanism as a highly efficient method of detecting any remaining bugs.

Reward payments are effectively bounties in this context.

There are two levels of reward available to software developers everywhere:

1. Exploits
Identification of an exploit which can remotely bring down a node will earn a reward payment in BTC, provided that:
  • a) the fault details are emailed to security@bitcoinunlimited.info.
  • b) the fault is shown to be effective by the BU dev team.
  • c) the fault is fixed and a public release is available before the exploit is used on main-net.
At any point after software is merged into the principal branches, this becomes active:

The reward for a fault in the release version is $2000, equivalent in BTC, regardless of how long the fault has been present.
The reward for a fault in the dev version is $3000, equivalent in BTC, provided the fault has been in the dev version for 60 days.
The reward values will be subject to periodic review.

2. General bugs
Any general faults and bugs in the current release version can be notified to the Bitcoin Unlimited Lead Developer, who will make an assessment about the seriousness and can propose a cash payment of up to $1000. This is subject to discussion and approval by other BU officers; however, the recommendation of the Developer will normally be accepted.

Wider audience
HackerOne. A reward for exploits to be advertised there on a similar basis as above.

Total Pool

The total bounty pool is $20,000, after which it will be necessary to return to the membership with a BUIP to top up the funds.

Any additional feedback is appreciated.

Updated 22 May 2017

freetrader

Moderator
Staff member
Dec 16, 2015
EDIT: I think my comments below applied to an early draft of this proposal, and are obsolete. I'll leave them here, but based on re-reading the BUIP (2017-05-30) the reader may disregard them.

At what point in the code review process would it make sense to introduce bounties on undiscovered bugs?
For serious vulnerabilities, I think there should be an open door before, during and after any audits / reviews.
How do we perform bug price discovery?
For a bulkier bug bounty program, this could be planned out during the review based on a survey of the bugs found. We might want to consider carefully [1] and think about how we can come up with a meaningful categorization of bugs in the Bitcoin software. I haven't researched this - there could be a ton of existing useful information from other financial software systems out there. In the end, the size of the bounty should correlate with the severity of the bug, I think.

We should also incentivize catching bugs as early as possible.

[1] https://en.wikipedia.org/wiki/Software_bug#Bug_management

solex

Moderator
Staff member
Aug 22, 2015
One fairly concisely defined bounty is for any exploit that can remotely terminate a node. Thinking in the region of $3-5k, provided that the exploit has time to get fixed and included in a release.