Steemit Open Source! - Rewarding Discoveries of Vulnerabilities and Responsible Disclosure
Steemit opens the door to its source code
With Steemit and Steem's source code open to the public eye, some people have expressed concern that this makes a hacker's job easier: discovering issues with the code itself and using that information to exploit the system for personal profit. This is what happened with 'The DAO': the code was open, and that transparency left it open to attack, which ultimately resulted in $60 Million USD being drained from the DAO itself.
This transparency is a double-edged sword. It is great for the platform as a whole, as it allows independent analysis of the code, adds credibility that things are being done right, and invites public suggestions on how the platform may be improved. On the flip side, it is this very same independent analysis that can lead to attacks on the platform and heartache in the community.
In the case of the DAO, and with Steemit itself, previous hacks have not gone unnoticed and have not resulted in the large payday the hacker intended to receive.
I would like to propose a better way for an intelligent security analyst to make off with a large payday while building a solid reputation within the community and helping the platform evolve. The model is not new, but it is definitely applicable to Steemit, and the Steemit community is well placed to reward the actors that take advantage of it.
Responsible disclosure of information and rewarding the analyst
Responsible disclosure
Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details.
The basis of the model described above is that if you happen to find a security vulnerability, you disclose this information privately to the founders (@Dan and @Ned - best method is via PM on Steemit.chat) and work with them to ensure a fix can be put in place and the issue is resolved in a timely manner.
This action will ensure that the vulnerability does not go unnoticed and that countermeasures can be put in place to protect the platform and its community.
This model allows the development team time to develop and implement a fix before the knowledge is made public and can be abused by another party. The model also puts in a safeguard: once the non-disclosure period has elapsed, the security analyst is free to share his findings with the community. This can be particularly important if the development team does not deem the issue a big enough threat to resolve, or if the resolution of the issue is so large that it is deemed unsolvable. Disclosure after the period has elapsed protects the community and allows them to alter their behaviour so as to protect themselves from the potential security issue.
Rewarding the Discovery and Acknowledgement of Good Faith
As a security analyst who has discovered a vulnerability, has not abused it, and has disclosed it to the development team to improve the platform, the community is in your debt! Your act of good faith has protected thousands of potential victims from being exploited, and for that you will be rewarded.
The reward for a post explaining the situation and the potential danger that has now been mitigated would come with hundreds of up-votes and would bolster your reputation and good standing within a very grateful community.
EXAMPLE Responsible Disclosure policy - Not Official - Informational purposes only!
The choice is yours...
Villain
You may choose the path of the villain. The discovery of an issue that could yield a large profit is surely tempting, but the reality is that you will be hurting a lot of people by your actions; you may not end up keeping your illegitimate gains, and you may even be discovered and see your day in court.
Alternatively,
Hero
You could choose the path of the Hero, you will be able to sleep well at night knowing your actions have had a positive impact on many who will be very grateful and your good standing in the community will treat you well long into the future. The support of the community going forward may dwarf the potential gains that you may have had implicating yourself in a dark and lonely path.
To my knowledge Steemit does not offer an official bug bounty program as yet; but Steemit is also different from every other platform, in that the users of Steemit have the ability to reward such noble actions and, in a sense, fund their own bug bounty program.
While there isn't an official bug bounty program, we've seen some pretty amazing white hat hackers take action, such as @robinhood, which is probably one of the main reasons the passwords are now more secure.
I noticed a potential social attack vector and sent a PM to @dan about it and he was quick to respond explaining how the site would be able to handle it automatically.
There are huge incentives to 'do the right thing' here, I think opening up the source code was a great idea.
Thanks for your article
I think this is spot on: "the users of Steemit have the ability to reward such noble actions and in a sense fund their own bug bounty program"
I think if the bug is high risk it should be presented privately. Once resolved, I do feel that the Steemit whales should upvote the post of the person who found the bug as a reward.
This will ensure that the community is the real winner since the combination of community votes and the whale votes increase the rewards!
Cool post!
Cheers
Would be nice if a floor were provided, rather than having to depend on upvotes.
Nice though
The richest get richer! The poor gain envy.
Perhaps that will motivate them to work harder :P
The proposal is one of equal pay for equal work, what's your point?
Great post steempower...
$1574.34 in 30 minutes. Seems like there is a bounty just for talking about bug bounties ;)
Jk, nice article and what a novel idea having heroes put others' interests at heart before their own. I would be one of those if I had the technical know-how! Steem safe my friends!
Read this to understand why he gets so much money in 30min https://steemit.com/steemit/@laonie/big-news-wang-s-robot-is-fall-in-love-she-is-voting-on-every-posts-of-xiaohui-or-xiaohui-wang
This is good in one sense but the cheating bots can also take advantage of such system in their favour
Thanks for this wonderful article @steempower!
I think going open-source is important in spite of the risks. Most people will do the right thing and report bugs. Being closed-source does not protect against people finding bugs and in some ways makes it more likely that they will be exploited if they are found. Look at some of the biggest bugs in software such as Windows - they have pretty much all been exploited for a long time before being fixed. Having the eyes of the whole community on a project is way more beneficial than just a select few who work on developing it.
I do think there should be a bug bounty program though. It would benefit us all and incentivise those who are tempted to exploit bugs to do the right thing.
Alternatively perhaps the team could do a post featuring those people who have found bugs say every month - the money raised by these posts could then be divided and distributed amongst the bug finders.
Good for 2 hours as many votes ;)
I would be such a success
I love the idea of a bug bounty for responsible members. I'm not a developer or programmer, but I'm doing my best to educate myself about this platform and the hills and valleys of the monetary system. I recently read about the beauty of digital currency and open source. It really is up to the community and players to keep it honest - but being public also opens the doors to illegal activity. It's up to the good samaritans who want to see the platform (and their wallets) grow for the greater good of all.