PIVX bug bounty program first quarter recap

Marsmensch
tales from the crypt(o)
Nov 26, 2018


After a very busy and demanding quarter, we are approaching the end of the 1st quarter of the PIVX bounty program, proudly hosted at hackerone.


This article provides a short overview of the current state of the program, a recap of the related facts & numbers and an outlook regarding our plans for the future.

Bounty? Bounty! On July 23rd we flipped the switch and launched the PIVX security bounty campaign for the public at https://hackerone.com/pivx-project.

You can check my previous posts for some more background information:
PIVX Bug Bounty Program launch
PIVX h1 Bug Bounty Program launched successfully
Bug Bounty program public launch recap
PIVX Security Bounty FAQ

The bug bounty program in numbers

  • November 30th marks the end of Q1 (4 months) of the public bug bounty program
  • We received 19 submissions so far and are currently looking into the details
  • The baseline program itself costs a couple of thousand USD per annum, excluding bounty awards
  • So far 200 USD in bounties have been awarded by the PIVX bug bounty panel team on a case by case basis
  • We identified 0 Major, 0 Medium and 4 Low risk issues

At first sight, and given that the public program has only just started, these numbers are in line with what we expected.

Let’s dig a bit deeper into the bounty issue statistics:

  • Total Bounties $200 (no major issues were identified)
  • Response Time 13 hrs (this is ok, but we can get better)
  • Payout % of Resolved Reports 100.0%
  • Report Triage Time 5 days (this can surely be improved by assigning more reviewers as reports arrive, but still ok’ish)
  • Bounty Awarded Time 20 days (this took way too long for some reporters, I blame my parental leave)
  • Total submitted issues: 19 (this is great!)
  • Major risk issues found: 0
  • Medium risk issues found: 0
  • Low risk issues found: 4

Plans for the future of the bug bounty program

Overall, I am pretty happy with the current state of the program and especially with the valuable experience we have gained so far!


There are some areas where we need to improve though.

In particular, the on-boarding for new bounty hunters could be more straightforward. Easier on-boarding will give the PIVX codebase much more auditing exposure, and researchers will benefit from higher rewards. This includes providing an effortless way to receive tPIV (the testnet coin), e.g. via a faucet. I will also continue to work on the dedicated, local docker testnet setup.

Additionally, the codebase is not the only attack surface that is relevant for a cryptocurrency project like PIVX. For example, many social engineering and phishing attacks are carried out via vendor websites.

That’s why we plan to add the PIVX website and other components of the ecosystem to this bounty program over the next few months.

What are those 4 low risk issue details?

Fixes for all 4 minor issues reported will be integrated in one of the next PIVX core releases (after the 3.2 release) and discussed in a dedicated post.

I hope you enjoyed this brief overview about the past quarter of the PIVX bug bounty program. Please let me know your thoughts via twitter or privately via email.

Have a great week!

How to get in touch

  • Please send any requests for interviews, articles, videos, podcasts or questions about the bug bounty program to security@pivx.org or support@pivx.org.
  • PIVX Security issues: Please report all security issues via the hackerone platform. This ensures that the process runs smoothly and that the right people are notified with the proper urgency.

About hackerone

PIVX and HackerOne have a lot in common. H1 was started by hackers and security leaders who are driven by a passion to make the internet safer. Their platform is the industry standard for hacker-powered security. Companies like Starbucks, Twitter, Airbnb and many others trust their services.

About PIVX

PIVX is a Bitcoin-based community-centric cryptocurrency with a focus on decentralisation, privacy, and real-world use. It utilises an energy efficient Proof of Stake protocol and a second-tier Masternode network for inclusive community-based governance along with a blockchain based self-funding treasury system ensuring its sustainability.

PIVX has implemented a well known highly-vetted protocol called Zerocoin with many custom enhancements allowing blockchain-level transaction anonymity in the way of un-linkability.
