ARK and Bugcrowd Partnership Moves Forward With Release Of Public Security Testing

in arkecosystem •  6 years ago 

After running our private Bugcrowd security bounty program for testing
purposes, we are finally ready to open the program to everyone.

Opening up the Bugcrowd program to the public has the potential to put over
100,000 eyes on the ARK core codebase, making our already running GitHub bounty
program even stronger.

The Bugcrowd platform has proven itself time and again by helping companies
such as Netflix, Binance, Netgear, Motorola, Digital Ocean, Tesla and many
more.

ARK’s public Bugcrowd program information is available at:
https://bugcrowd.com/arkecosystem

During the private testing phase of the bounty program, four security
vulnerabilities were reported. Two of them were related to our old deprecated
v1 API and two of them reported possible Denial of Service attacks via the
following endpoints:

  • https://IP:PORT/api/v2/delegates/REPLACE_HERE/blocks?page=250&limit=1
  • https://IP:PORT/api/v2/wallets/top?page=0&limit=REPLACE_HERE

In both cases the limit parameter could be overridden, causing the server side to
do additional work and thus introducing a possible Application Denial of Service
attack. Both endpoints were closed and fixed during the v2.0.x upgrades.

How To Get Involved?

ARK’s public Bugcrowd program information is available at:
https://bugcrowd.com/arkecosystem

We invite all security researchers and penetration testers to check our
Security Vulnerabilities repository, where you can learn about recent issues
and use it as a starting point to grab some ideas and come up with new testing
strategies.

In order to start testing you can read up on our Core and use our Development
Network, which, as the name suggests, is a testing and development ground to
play on.

Some of the important links you can check:

If you would like to get Development Network ARK tokens (DARK) for any testing,
please join our Slack and request them in the #devnet channel.

How it Works

A security researcher discovers and submits a finding to Bugcrowd. The
submission is reviewed, tested and reproduced, and once validated it is quickly
relayed to the ARK Team. In turn, we review and test the vulnerability and patch
the finding (if applicable).

Findings that may be critical are pushed to our team in under 24 hours. We can
directly converse with the researchers to get or request additional information,
including access to all conversations between the security researchers and
Bugcrowd. As a result, critical bugs get fixed and patched much sooner than less
severe ones.

Vulnerability Rating Taxonomy

ARK is using Bugcrowd’s VRT, a resource that outlines Bugcrowd’s baseline
priority rating. Included are certain edge cases
for vulnerabilities that are frequently seen. To arrive at a rating, Bugcrowd’s
security engineers start with generally accepted industry impact standards and
further consider the average acceptance rate, average priority, and commonly
requested program-specific exclusions (based on business use cases) across all
of Bugcrowd’s programs.

Bugcrowd’s VRT is an invaluable resource for bug hunters as it outlines the
types of issues that are normally seen and accepted by bug bounty programs. We
hope that being transparent about the typical priority level for various bug
types will help program participants save valuable time and effort in their
quest to make bounty targets more secure. The VRT can also help researchers
identify which types of high-value bugs they have overlooked, and when to
provide exploitation information (POC info) in a report where it might impact
priority.

Why Crowd Sourced Security?

There is sometimes a disconnect between the motivations of network attackers
and those of developers and security defenders. Crowd sourced security helps
alleviate this imbalance by harnessing white hat security researchers to find
and eliminate vulnerabilities, providing rapid and focused results. The most
critical attack surfaces are examined, including web and API interfaces on
server/cloud, mobile and IoT platforms. The security researchers are trusted and
highly vetted, defusing the risk concerns associated with crowd sourced
security.

While the ARK team and the community know the blueprint of their ship quite
well, it is often the eyes of outside examiners who can provide a fresh
perspective from a different angle.

The massive increase in efficiency of crowd sourced pen-testing will allow ARK
to reach a wider group of individuals with a strong interest in cyber security.
In some cases, it takes far less time than if we solely rely on our internal
development team or the community at large. Ultimately, it is our highest
priority to provide the most secure platform possible to all users of ARK, and
we hope putting our code in front of thousands of testers will assist us in
providing this.


Follow us on social media ( Twitter | Facebook | Reddit | YouTube), join our community ( Slack | Discord ) and stay tuned to our blog on Medium.
