gitcoinambassadors / ideas

Long-form pitching of Ambassador Project Ideas

Potential Prospects [Security Contacts] for Posting Bug Bounties #6

Open hatgit opened 6 years ago

hatgit commented 6 years ago

User Story

Security contacts are often the first point of contact for a penetration tester or person reporting a bug that is related either to the security contact's software or to one of its dependencies. As part of industry best practices for companies to post bug bounty programs to encourage bounty hunters and researchers to report bugs for a reward, it would make sense to compile a list of such contacts that could be candidates to post bug bounties on Gitcoin.

Why Is this Needed

More devs will examine the code/software of the company posting the bounty on Gitcoin, allowing a magnifying glass to be focused on the various parts of the code that a bug bounty is assigned to, such as critical processes or the most important code snippets that relate to financial transactions or sensitive user data, which companies are willing to pay to help safeguard.

Description

Security research firm Trail of Bits recently compiled a blockchain-focused list that could be a good basis for contacts: https://github.com/trailofbits/blockchain-security-contacts

Current Behavior

More bug bounties needed on Gitcoin and every blockchain company should have a bug bounty program and publish each level of severity as a bounty on Gitcoin.

Expected Behavior

Have quick access to contact security specialists at blockchain firms who may be interested in participating by posting their existing bug bounty program on Gitcoin.

Definition of Done

Get at least one or more new bug bounty posted to Gitcoin from a blockchain company from the above list or from new prospects added to a list that would need to be created for internal or public use.

Additional Information

Potentially propose a format/spec document, tailored specifically to bug bounties, that could help guide companies interested in posting their bug bounty program on Gitcoin.

rmshea commented 5 years ago

This is a super interesting idea, and is especially relevant with the Constantinople upgrade being postponed due to a security issue. Easily marketable -- "don't want it to happen again; use gitcoin.."