Taking PIVX security to the next level

Introducing my new PIVX project role

Marsmensch
tales from the crypt(o)
4 min read · May 12, 2018


ELI5

I will be part of the new PIVX security program. All relevant details can be found online here: https://forum.pivx.org/t/new-bug-bounty-proposal/4058

“Bugs” by Brian Searle is licensed under CC BY 2.0

If you own a PIVX masternode, please vote yes to make this important step happen. To vote YES:

mnbudget vote-many b6a64d196982ed6c9751ffe3eaef663877d352a004442bc6d2f95d2dc296faf6 yes

The longer version

You probably know about my passion for anything security related. If you know me a little better, chances are you have even asked me for my opinion about a personal security topic, or about the architecture of an application you are working on. I love to do this and in many cases I am happy to give my advice in my free time.

Another one of my favourite topics is privacy. Knowing my way around open source projects like Tails, Qubes OS and Samourai Wallet is an essential part of my daily life. This includes everything that will make Bitcoin better suited for transactions that require privacy. I also love to think outside the box and play with new technologies that will most probably not make it into the Bitcoin Core codebase anytime soon.

This is of course where it gets even more interesting. Privacy-focused cryptocurrency projects like PIVX, Monero and Zcash really make my heart sing ;-)

“I really believe that we don’t have to make a trade-off between security and privacy. I think technology gives us the ability to have both.”

– John Poindexter

Me & PIVX

Back when PIVX was still called “DNET”, I was looking into different crypto projects with interesting developments. After lengthy research on https://bitcointalk.org/, reading thread after thread, I arrived at the DNET thread. Their planned switch from PoW to PoS seemed to be an interesting scenario to follow, especially since the project also had masternodes. Luckily, nobody within crypto cared that much about masternodes back then and I had plenty of time to research all the fundamentals of the coin economics and the developer team. In fact, the team was the most important factor that convinced me to put some money into DNET while everyone else seemed to think that 400 Satoshi / DNET was way too much :D

“Secure Pump” by David Blaikie is licensed under CC BY 2.0

Long story short, this is when I truly fell in love with masternodes, and I haven’t stopped following the PIVX project ever since.

Privacy vs. Security

PIVX has a top team of developers who are experts in what they are doing. This is especially true for everything privacy related. I have zero doubt that PIVX will be among the top privacy-centered coins by the end of 2018. At the same time, I think there is room to improve on the security side of things.

While I appreciate the current marketing campaigns, I think we should cut down the current marketing budget and focus more on the technical aspects and development for now.

Proposal overview

With the growing adoption (and value) of PIVX, a dedicated security program and a reporting process to handle security related events are mandatory. Issues like the recently discovered zerocoin vulnerability have the potential to put users’ funds at risk.

To address this problem, I have been talking to members of the PIVX team recently, and we (see the proposal for details) are committed to doing everything we can to reduce the overall risk. Our proposal is meant to act as a foundation for planning and for getting a process for professional and effective vulnerability handling established as soon as possible.

Here are the main arguments for the program:

  • External bug hunters have a different view. There can never be too many eyes involved in reviewing a codebase for security bugs.
  • There is no such thing as bulletproof code. We need reviews at regular intervals to make sure the codebase is sound.
  • Privacy is our top priority and this should be reflected in all areas of our work. The reputational and other losses in case of a severe vulnerability can’t be overstated.
  • Many big companies have run bug bounty programs for years with proven success.

Since PIVX is a community project with decentralized governance, we agreed to engage a professional partner to handle some of the work to get us started and to provide the initial infrastructure. This money will be well spent and gives us extra benefits like 24x7 response handling and pre-evaluation of reports, saving precious developer time. It’s a win-win for the PIVX developers and community.

The PIVX bug bounty panel

An important part of the security program will be the related panel, consisting of project members who will develop the details of the process and, once the program has launched, ultimately decide whether (and how much) the author of a vulnerability submission is paid according to the rules.

In my experience, such a team ideally consists of core developers, community members and external advisors.

Please vote for the proposal:

mnbudget vote-many b6a64d196982ed6c9751ffe3eaef663877d352a004442bc6d2f95d2dc296faf6 yes

“Robot” by Kurtis Garbutt is licensed under CC BY 2.0

I am very happy to be part of this effort!

Shout out to:
Turtleflax, Veramis, Presstab, Mrs-X, Fuzzbawls & s3v3nh4cks!
