PIVX Bug Bounty Program launch
With the growing adoption (and value) of PIVX, a dedicated security program and reporting process to handle security-related events is mandatory.
After weeks of planning, calls and brainstorming, it’s finally confirmed:
We are working towards 2nd July as the official launch date for the PIVX hackerone bug bounty program.
This date is a rough ETA and depends on a bit more paperwork being done. So far it looks good, so that date should work ;-)
The PIVX-Project values the global information security community and is looking forward to working with the brightest minds in the space to find security vulnerabilities in our protocols and official implementation in order to keep our users and their funds safe!
Safety of user funds and privacy will always be top priority for PIVX!
In a space where dubious projects and code of doubtful quality are quite common, I am happily contributing my time and skills to make that a long-lasting reality.
What’s the status of the security program?
A lot has happened since my post announcing the proposal and planned start of the new PIVX security program.
These are the most important goals we have reached so far:
- Created the new proposal. It passed with great success. Thank you!
- Created the PIVX campaign on hackerone https://hackerone.com/pivx-project/ (page not yet public, will be soon!)
- Published a PIVX Core docker image to be used for the h1 bug hunting program https://github.com/marsmensch/docker-pivx-core
- Planned the private and public launch of the program with hackerone
- Paid most of the fees (hackerone) and set aside BTC for the bounty rewards
- Formed the PIVX bug bounty panel (see below for details)
What is the PIVX bug bounty panel?
An important part of the ongoing security program will be the related panel, consisting of project members who will develop the details of the process and, once the program has launched, ultimately decide whether and what the author of a vulnerability submission is paid according to the rules.
In my experience, such a team ideally consists of core developers, community members and external advisors, and that’s exactly how we formed the group. Current members are: Turtleflax, Veramis, Presstab, Mrs-X, Fuzzbawls, s3v3nh4cks and myself.
What are the next steps?
Obviously, this is only the beginning of our work. The following are the most important goals we want to reach in the coming days:
- Launch the private program (limited to hackers already familiar with the h1 platform)
- Open the program for the general public (about 2 weeks after the private launch)
- Extend the scope (aka “hacker targets”) of the security program
We are working towards 2nd July as the official launch date! The first couple of days are usually done with a limited set of h1 hackers. Public launch will be a couple of days later. We will follow that practice.
How can I contribute to the security program?
Every one of you is invited to take part by auditing the codebase, official wallets and public testnet. Please check https://hackerone.com/pivx-project/policy for details as soon as it goes online in a couple of days. Of course, this information will also be pushed to all available public channels. You are not going to miss it!
How much can I earn for contributions?
We are still working on the little details that count. One thing is sure: depending on the validity and severity of the submitted issue, the PIVX bug bounty panel will approve an appropriate reward for the researchers.
For now, the preferred way is to contact us via hackerone after the public launch. The awesome team there will assist you (and us!) to get started and qualify submissions. We will also provide the option to get directly in touch with us via GPG-secured email at “security@pivx.org”.
I am very happy to be part of this effort and hope you are, too!
About hackerone
PIVX and HackerOne have a lot in common. H1 was started by hackers and security leaders who are driven by a passion to make the internet safer. Their platform is the industry standard for hacker-powered security. Companies like Starbucks, Twitter, Airbnb and many others trust their services.