PIVX h1 Bug Bounty Program launched successfully

After weeks of planning, calls and brainstorming we successfully launched the PIVX hackerone bug bounty program on July 2nd.

PIVX Bug bounty ELI5

A lot of questions were sent my way in the last couple of days. I will happily provide the answers in this article.

The essential piece of information is: The bug bounty program enables us to reward external Security researchers for their work.

The public program (see below) will go live in a couple of days.

PIVX is one of few high quality projects within the cryptocurrency ecosystem

Privacy is the top priority for PIVX and this should be reflected in all areas of our work. With the growing adoption (and value) of PIVX, a dedicated security program and reporting process to handle security related events is mandatory. This is especially hard to accomplish for a completely decentralized & open source project.

How can i contribute to the Security program?

Everyone of you is invited to take part by auditing the codebase, official wallets and public testnet. Please check https://hackerone.com/pivx-project/policy for details as soon as it is going online in a couple of days. Of course, this information will also be pushed to all available public channels. You are not going to miss it!

Private und public launch

Right now, the program is still in private mode and researchers have to be invited to take part. This helps us and hackerone to prepare for a smooth public launch. In a couple of days, the private program will be opened to the public.

The PIVX bug bounty program on https://hackerone.com/pivx-project

What’s the status of the security program?

A lot happened since my post to announce the proposal and planned start of the new PIVX security program.

These are the most important goals we reached so far:

  • Created the new proposal. It passed with great success. Thank you!
  • Created the PIVX campaign on hackerone https://hackerone.com/pivx-project/ (page not yet public, will be soon!)
  • Published a PIVX Core docker image to be used for the h1 bug hunting program https://github.com/marsmensch/docker-pivx-core
  • Planned the private and public launch of the program with hackerone
  • Paid most of the fees (hackerone)and set aside BTC for the bounty rewards
  • Formed the PIVX bug bounty panel (see below for details)
  • Setup two dedicated PIVX testnet nodes for the bug bounty program
“Magic love” by russmorris is licensed under CC BY-NC-SA 3.0

Scope of the program

We are continuously looking to find security issues affecting our blockchain protocol and its implementation. This list is not complete by any means but should provide a good starting point:

Security weaknesses:

  • Bugs in our implementation of the cryptographic primitives (eg zerocoin)
  • Remote Code Execution
  • Theft (unauthorized movement of funds, access to private keys)
  • Inflation (creation of coins by any method different from Staking)
  • Netsplit (preventing a part of the peer to peer network from communicating with the other part of the network in a way that could be applied generically)
  • Attacks on the PIVX zPIV implementation

Denial of Service attacks:

  • Create invalid blockchain state
  • Overload the whole network
  • Overload a single client
  • Crash a client
  • Stall a client
  • Disconnect client
  • Create invalid client state

Rewards

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and that reward decisions are up to the discretion of PIVX and the bounty panel.

We start with at least $5,000 for critical (9.0–10.0) vulnerabilities in the core PIVX implementation. We can upgrade upgrade the reward with a bonus on top. The reward for vulnerabilities with a low CVSS score (0.1–3.9) is $200.

What is the PIVX bug bounty panel?

An important part of the ongoing security program will be the related panel consisting of project members that will develop details of the process and ultimately decide what/if the author of a vulnerability submission is paid according to the rules as soon as the program has launched.

In my experience, such a team ideally consists of core developers, community members and external advisors and that’s exactly how we formed the group Current members are: Turtleflax, Veramis, Presstab, Mrs-X, Fuzzbawls, s3v3nh4cks and myself. That’s as independent as an entity awarding PIVX related funds for successful bounties can be ;-)

How to get in touch

Glad you are asking! Until further notice:

  • Please send any requests for interviews, articles, videos, podcasts or questions about the bug bounty program: marsmensch@pm.me
  • PIVX Security issues until the program is public: security@pivx.org Don’t send any critical stuff until we provided you with gpg Keys.

I am very happy to be part of this effort and hope you are, too!

About hackerone

PIVX and HackerOne have a lot in common. H1 was started by hackers and security leaders who are driven by a passion to make the internet safer. Their platform is the industry standard for hacker-powered security. Companies like Starbucks, Twitter, Airbnb and many others trust their services.

About PIVX

PIVX is a Bitcoin-based community-centric cryptocurrency with a focus on decentralization, privacy, and real-world use. It utilizes an energy efficient Proof of Stake protocol and a second-tier Masternode network for inclusive community-based governance along with a blockchain based self-funding treasury system ensuring its sustainability.

PIVX has implemented a well known highly-vetted protocol called Zerocoin with many custom enhancements allowing blockchain-level transaction anonymity in the way of unlinkability.