Consider adding a large-scale and ongoing bug bounty program. I believe DFINITY now has a responsible security vulnerability disclosure process, which is one excellent step in the right direction. But I think DFINITY should also allocate a large amount of funds towards rewarding those who responsibly disclose security vulnerabilities. I think this program warrants multiple millions of dollars towards responsible disclosure.
I am not confident the system is secure when it has only been looked over by members of the Foundation, or those close to them (I assume this has been the case, I could be wrong).
Great feedback! The foundation is moving towards Vulnerability Rewards Program from just being a disclosure program as we speak. The foundation is looking to reward those who come up with significant security findings.
I want to update you all that I have escalated this. I know the security team has plans on this, but I want to see how much I can share (they are, by nature, a friendly but secretive bunch )
The #ICP Dapp ecosystem also needs a conduit for #ICP Dapp vulnerability reporting and disposition. Most Dapp builders are very small compared to major tech vendors and are unlikely to have an established vulnerability disclosure process.
Factors
As Dapps are deployed on the #ICP, vulnerabilities will be identified and there is a need to ensure quick and easy identification and communication.
It is difficult to figure out to whom a vulnerability should be reported while ensuring confidentiality and consistent processes.
Dapp developers are unlikely to register with their Common Vulnerability Exposure national authorities.
Approach :
Facilitation of the vulnerability process governed by a Vulnerability DAO (VulDAO) that would:
Maintain a register containing the name of the Dapp, the reporting contact, the disclosure policy, vulnerability reports, and their disposition.
register the DAO as the reporting mechanism with the CVE manager (There is no monetary fee for CVE CNA registration and no contract to sign).
establish a public vulnerability disclosure policy and seek ratification.
host a public web site ( VulDapp ) on the #ICP for new vulnerability disclosures.
ensure members agree to the CVE terms of use of the CVE manager.
Sample Disclosure Policy
REPORTING A VULNERABILITY
We strongly encourage you to report potential security vulnerabilities using the VulDapp, before disclosing them in a public forum.
The VulDapp will maintain the list of security contacts for each registered Dapp.
Only use the VulDapp contact mechanism to report undisclosed security vulnerabilities for registered #ICP Dapps to facilitate the process of fixing such vulnerabilities. The VulDapp cannot accept regular bug reports or other security-related queries through this contact mechanism. Recipients will ignore communication sent to these contacts that does not relate to an undisclosed security problem in a #ICP Dapp registered with the #ICPVul Dapp.
Please send one plain-text message for each vulnerability you are reporting using the VulDapp . Rich content (diagrams, video, PDF, etc.) will not be accepted.
Please do not encrypt submissions.
VULNERABILITY INFORMATION
You can usually find information on known vulnerabilities for an registered Dapp on the Vuldapp web page. For convenience, consult the list for VulDAO listed projects. Do not ask:
how to use the registered Dapp securely
whether a published vulnerability applies to specific versions of the canister you are using
whether a published vulnerability applies to the configuration of the canister you are using
about obtaining further information on a published vulnerability
about the availability of patches and/or new releases to address a published vulnerability
The relevant Dapp would have a forum to ask such questions on their discord, telegram, twitter, etc. The registered Dapp team will ignore any such questions you send directly to them.
VULNERABILITY HANDLING
An overview of the vulnerability handling process is:
The reporter reports the vulnerability privately using the VulDapp website
The appropriate Dapp security team works privately with the reporter to resolve the vulnerability.
The project creates a new release of the Dapp to deliver its fix.
The project publicly announces the vulnerability and describes how the fix has been applied or how to apply the fix as appropriate.
Hi lastmjs, We have been providing bounties the past few months even though it has not been explicitly mentioned on the program website. There is a quite of work that is going on currently and you should see the updates in the next few weeks. I will keep you posted.
