
Wallet attribute: Bug Bounty (revamp)

Open polymutex opened this issue 5 months ago • 5 comments

This issue is about revamping the bug bounty feature data and corresponding attribute. It is currently based on a 4-state enum where the values are pretty subjective.

/**
 * Types of bug bounty programs that can be implemented
 */
export enum BugBountyProgramType {
	COMPREHENSIVE = 'COMPREHENSIVE',
	BASIC = 'BASIC',
	DISCLOSURE_ONLY = 'DISCLOSURE_ONLY',
	NONE = 'NONE',
}

Goal: Make it more objective and define where the thresholds are more concretely.

polymutex avatar Jul 16 '25 05:07 polymutex

Relevant links:

  • https://github.com/walletbeat/walletbeat/blob/fbc836ee8c439819c2908ec8ab46d5b4d88734ae/src/schema/features/security/bug-bounty-program.ts
  • https://github.com/walletbeat/walletbeat/blob/fbc836ee8c439819c2908ec8ab46d5b4d88734ae/data/hardware-wallets/trezor.ts#L83
  • https://github.com/walletbeat/walletbeat/blob/fbc836ee8c439819c2908ec8ab46d5b4d88734ae/src/schema/attributes/security/bug-bounty-program.ts

polymutex avatar Oct 29 '25 18:10 polymutex

Ideas of objective things we can look for in a bug bounty program:

  • When was the program established? (Allows for measuring duration and consistency of how seriously the wallet developer takes security)
  • Scope: Do they explicitly list it? If so, does it cover all versions of the wallet?
  • Disclosure process: does it have a fixed number of days, or is it up to the discretion of the wallet developer?
  • Disclosure process: does it allow security researchers to eventually publish their findings?
  • What range of money is the wallet developer offering as bounties?
  • Does it have Safe Harbor legal language to protect security researchers from being sued by disclosing? If so, require reference. (Example)
  • Is it hosted on a popular security bounty platform (HackerOne/Bugcrowd/Intigriti/etc.)? If so, require a link to them.

We could potentially include response metrics (like HackerOne's average time-to-response, time-to-triage, time-to-resolve) but I worry this may be difficult to keep up-to-date without additional automation, and would be difficult for new wallet development teams to get off zero since they are new, so we can't really penalize them. Perhaps we could still collect a set of { vulnerabilitiesDisclosed: number; date: Date } snapshots, and only start enforcing this as an attribute after the program has been running for over a year or so.

polymutex avatar Oct 31 '25 17:10 polymutex
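The objective checks listed above, worked through as an added TypeScript example (this is not walletbeat's own schema; the `BugBountyProgram` fields, `rateBugBounty`, the thresholds and the sample record are assumptions):

```typescript
// Added example, not walletbeat's own schema: a hypothetical objective bug bounty
// record plus a rating function. Field names and thresholds are assumptions.
enum Availability { ACTIVE = 'ACTIVE', INACTIVE = 'INACTIVE', NEVER = 'NEVER' }

interface BugBountyProgram {
  availability: Availability
  establishedDate?: string          // ISO date the program went live
  scopeCoversAllVersions?: boolean  // explicit scope that covers all wallet versions
  disclosureDeadlineDays?: number   // undefined = at the vendor's discretion
  researchersMayPublish?: boolean   // findings may eventually be published
  maxBountyUsd?: number             // top of the advertised payout range
  safeHarborRef?: string            // URL of the safe-harbor language
  platform?: { name: string; url: string } // hosting platform, with a link
}

type Rating = 'PASS' | 'PARTIAL' | 'FAIL'
const MIN_BOUNTY_USD = 10_000 // assumed threshold
const MIN_AGE_DAYS = 365      // assumed: response metrics only enforced after a year

// Days since the program was established; 0 when the date is unknown.
function programAgeDays(p: BugBountyProgram, now: Date): number {
  if (!p.establishedDate) return 0
  const ms = now.getTime() - new Date(p.establishedDate).getTime()
  return Math.max(0, Math.floor(ms / 86_400_000))
}

// Every failed objective check becomes a reason; the rating is derived from the
// count so the thresholds are explicit. A young program is flagged, not penalized.
function rateBugBounty(p: BugBountyProgram, now: Date): { rating: Rating; reasons: string[]; metricsEnforced: boolean } {
  if (p.availability !== Availability.ACTIVE) {
    return { rating: 'FAIL', reasons: [`availability is ${p.availability}`], metricsEnforced: false }
  }
  const reasons: string[] = []
  if (!p.scopeCoversAllVersions) reasons.push('scope not explicit or excludes some versions')
  if (p.disclosureDeadlineDays === undefined) reasons.push('disclosure timeline at vendor discretion')
  if (!p.researchersMayPublish) reasons.push('researchers may not publish findings')
  if ((p.maxBountyUsd ?? 0) < MIN_BOUNTY_USD) reasons.push(`max bounty below ${MIN_BOUNTY_USD} USD`)
  if (!p.safeHarborRef) reasons.push('no safe-harbor reference')
  if (p.platform && !p.platform.url) reasons.push('platform named without a link')
  const rating: Rating = reasons.length === 0 ? 'PASS' : reasons.length <= 2 ? 'PARTIAL' : 'FAIL'
  return { rating, reasons, metricsEnforced: programAgeDays(p, now) >= MIN_AGE_DAYS }
}

// Constructed sample record for a fictional wallet (not real data).
const sampleProgram: BugBountyProgram = {
  availability: Availability.ACTIVE, establishedDate: '2023-06-01',
  scopeCoversAllVersions: true, disclosureDeadlineDays: 90, researchersMayPublish: true,
  maxBountyUsd: 50_000, safeHarborRef: 'https://example.com/bounty#safe-harbor',
  platform: { name: 'HackerOne', url: 'https://example.com/bounty' },
}
```

Dropping the disclosure deadline and the safe-harbor reference from the sample moves it to PARTIAL, and a program established less than a year before the evaluation date is reported with `metricsEnforced: false` rather than downgraded.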

@polymutex I'm already working on a WIP for this; we share similar ideas on some objectives.

Re: Is it hosted on a popular security bounty platform (HackerOne/Bugcrowd/Intigriti/etc.)? If so, require a link to them

  • Originally thought we could derive the platform from the URL, but explicitly mentioning the platform is better

/**
 * URL to the bug bounty program details
 */
url?: string

export enum BugBountyProgramAvailability {
  ACTIVE = 'ACTIVE', // Running now, accepting reports
  INACTIVE = 'INACTIVE', // Temporarily paused
  HISTORICAL = 'HISTORICAL', // Ended, not returning
  NEVER = 'NEVER', // Never existed
}

/**
 * The coverage breadth of the bug bounty program
 */
export enum CoverageBreadth {
  FULL = 'FULL',
  PARTIAL = 'PARTIAL',
  APP_ONLY = 'APP_ONLY',
  FIRMWARE_ONLY = 'FIRMWARE_ONLY',
  HARDWARE_ONLY = 'HARDWARE_ONLY',
  NONE = 'NONE',
}

maykelxyz avatar Nov 01 '25 03:11 maykelxyz

BugBountyProgramAvailability sounds good, though I'm not sure there's a meaningful distinction between INACTIVE and HISTORICAL.

/**
 * The coverage breadth of the bug bounty program
 */
export enum CoverageBreadth {
  FULL = 'FULL',
  PARTIAL = 'PARTIAL',
  APP_ONLY = 'APP_ONLY',
  FIRMWARE_ONLY = 'FIRMWARE_ONLY',
  HARDWARE_ONLY = 'HARDWARE_ONLY',
  NONE = 'NONE',
}

Have you encountered bug bounty programs that cover each of these? I'm not sure I can think of any. Doesn't mean it's not worth adding, but maybe only if we do find wallets that vary on this dimension.

polymutex avatar Nov 01 '25 06:11 polymutex

  • Scope: Do they explicitly list it? If so, does it cover all versions of the wallet?

CoverageBreadth is similar to Scope. I'll refactor it to Scope.

BugBountyProgramAvailability sounds good, though I'm not sure there's a meaningful distinction between INACTIVE and HISTORICAL.

The difference between inactive and historical is that a historical bug bounty program won't return anymore. Inactive is more like 'paused'. For the time being, I'll omit historical and leave three.

maykelxyz avatar Nov 01 '25 17:11 maykelxyz