Bug Bounty Update pt. Deux

Dave Huseby
 

As I mentioned in my update email last Friday, I have been negotiating
with HackerOne to secure the lowest possible price for the limited PM
support for our bounty program. To remind you, we need to sign a new
contract with HackerOne for next year and our options for support are:

A. Full PM and Triage support.
B. Limited PM support.
C. Email only support.

I think we should go with options B or C. I was negotiating for the
best price on B, since C is free. HackerOne quoted $10k for option B.

My recommendation is:
1. We go with option C.
2. We put the money we save into the bounty pool and a marketing budget.
3. We bump up the bounty awards and/or do limited promotional awards.
4. We spend some money marketing our bounty program.

Cheers!
Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
@dhuseby

Salman Baset
 

Hi David,
 
I agree with your suggested approach for option C.
 
Also, I want to bring to attention a security testing tool for Fabric that was presented at DEFCON this year. Among other issues, it points to the issue of a shell in the chaincode container, which is known and is preventable through various controls.
 
It will be useful to develop a Center for Internet Security (CIS) checklist for Fabric and other Hyperledger platforms to help guide developers and security professionals. Happy to start it, but looking for collaborators.


Salman A. Baset, Ph.D.
CTO Security, IBM Blockchain Solutions
Email. sabaset@...
Phone. 914.945.2062


 
 
 

----- Original message -----
From: "David Huseby" <dhuseby@...>
Sent by: tsc@...
To: hyperledger-tsc <hyperledger-tsc@...>
Cc:
Subject: [Hyperledger TSC] Bug Bounty Update pt. Deux
Date: Wed, Sep 5, 2018 5:10 PM

Dave Huseby
 

Hi Salman,

Thank you for the heads up. I am aware of the tool. I mentioned it in
a recent RSA Webinar on blockchain security. The chaincode pivot
attack was also identified by Nettitude when they did the security
audit of Fabric last October.

I have been having an email conversation with the authors of Tineola
and we have a phone meeting coming up to discuss the future of the
project.

Cheers!
Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
@dhuseby

On Fri, Sep 7, 2018 at 8:25 AM Salman A Baset <sabaset@...> wrote:

Hi David,

I agree with your suggested approach for option C.

Also, I want to bring to attention a security testing tool for Fabric that was presented at DEFCON this year. Among other issues, it points to the issue of a shell in the chaincode container, which is known and is preventable through various controls.
https://parsiya.net/blog/2018-08-23-committing-insurance-fraud-with-tineola/
https://github.com/tineola/tineola

It will be useful to develop a Center for Internet Security (CIS) checklist for Fabric and other Hyperledger platforms to help guide developers and security professionals. Happy to start it, but looking for collaborators.


Salman A. Baset, Ph.D.
CTO Security, IBM Blockchain Solutions
Email. sabaset@...
Phone. 914.945.2062

Middleton, Dan
 

Just to play devil's advocate here...
We haven't gotten a lot of material benefit from the bounty so far.
In any bounty the incentives have to be proportionate to the illicit incentives.
The HL frameworks may be different than other systems under bug bounties, i.e. there's not a live install or fixed installer to target.

Is there something else that we can do with this funding that would better secure our frameworks?

Thanks,
Dan

On 9/7/18, 12:54 PM, "tsc@... on behalf of David Huseby" <tsc@... on behalf of @dhuseby> wrote:

Dave Huseby
 

Hi Dan,

You make some good points and I agree with you. We haven't received
the level of attention that I had hoped for. From the survey that
HackerOne ran, the top two reasons for not looking at Fabric are
"specialization" and "uninteresting" meaning that blockchains are new
and our blockchain doesn't have enough market uptake to make breaking
it a novel and interesting exercise.

I think there are several ideas we can consider for growing the level
of interest:

1) Doing more marketing and running promotional bug hunts where we
temporarily bump up the bounty reward or offer a novel reward like an
all expenses paid trip to the HL Global Forum to present their
findings. (Both of these ideas we're considering already).

2) Increase our bounties to make it worthwhile for somebody to take
the time to gain the specialization needed.

3) We could run live test nets with specific objectives (e.g.
authentication bypass, blockchain rewrite, denial of consensus, crash
a node, etc) that have specific bounties attached.

The third option specifically addresses your point about not having a
live install or fixed installer to target. Regardless of what we do
in the future, we need to do something to grow the interest. I know
that Brian has talked quite a bit about the need for test nets. I'm
all for setting them up. I'm exploring marketing and promotional
ideas with the staff with the intent of bringing a proposal to the
TSC.

Cheers!
Dave

---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
@dhuseby

On Fri, Sep 7, 2018 at 11:16 AM Middleton, Dan <dan.middleton@...> wrote:

Just to play devils advocate here..
We haven't gotten a lot of material benefit from the bounty so far.
In any bounty the incentives have to be proportionate to the illicit incentives.
The HL frameworks may be different than other systems under bug bounties, i.e. there's not a live install or fixed installer to target.

Is there something else that we can do with this funding that would better secure our frameworks?

Thanks,
Dan

On 9/7/18, 12:54 PM, "tsc@... on behalf of David Huseby" <tsc@... on behalf of @dhuseby> wrote:

Hi Salman,

Thank you for the heads up. I am aware of the tool. I mentioned it in
a recent RSA Webinar on blockchain security. The chaincode pivot
attack was also identified by Nettitude when they did the security
audit of Fabric last October.

I have been having an email conversation with the authors of Tineola
and we have a phone meeting coming up to discus the future of the
project.

Cheers!
Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
@dhuseby

On Fri, Sep 7, 2018 at 8:25 AM Salman A Baset <sabaset@...> wrote:
>
> Hi David,
>
> I agree with your suggested approach for option C.
>
> Also, I want to bring to attention the a security testing tool for Fabric that was presented in DEFCON this year. Among other issues, it points to the issue of a shell in chaincode container which is known and is preventable through various controls.
> https://parsiya.net/blog/2018-08-23-committing-insurance-fraud-with-tineola/
> https://github.com/tineola/tineola
>
> It will be useful to develop a Center for Internet Security (CIS) checklist for Fabric and other Hyperledger platforms to help guide developers and security professionals. Happy to start it, but looking for collaborators.
>
>
> Salman A. Baset, Ph.D.
> CTO Security, IBM Blockchain Solutions
> Email. sabaset@...
> Phone. 914.945.2062
>
>
>
>
>
>
> ----- Original message -----
> From: "David Huseby" <@dhuseby>
> Sent by: tsc@...
> To: hyperledger-tsc <hyperledger-tsc@...>
> Cc:
> Subject: [Hyperledger TSC] Bug Bounty Update pt. Deux
> Date: Wed, Sep 5, 2018 5:10 PM
>
> As I mentioned in my update email last Friday, I have been negotiating
> with HackerOne to secure the lowest possible price for the limited PM
> support for our bounty program. To remind you, we need to sign a new
> contract with HackerOne for next year and our options for support are:
>
> A. Full PM and Triage support.
> B. Limited PM support.
> C. Email only support.
>
> I think we should go with options B or C. I was negotiating for the
> best price on B, since C is free. HackerOne quoted $10k for option B.
>
> My recommendation is:
> 1. We go with option C.
> 2. We put the money we save into the bounty pool and a marketing budget.
> 3. We bump up the bounty awards and/or do limited promotional awards.
> 4. We spend some money marketing our bounty program.
>
> Cheers!
> Dave
> ---
> David Huseby
> Security Maven, Hyperledger
> The Linux Foundation
> +1-206-234-2392
> @dhuseby
>
>
>
>
>
>
>




Middleton, Dan
 

Good thoughts, Dave.
I like the idea of putting this bounty budget towards test nets and/or more 3rd party code reviews.
We could return to a bounty program in, maybe a year, after the test nets etc. have had their effect.

Thanks,
Dan

On 9/7/18, 4:11 PM, "tsc@... on behalf of David Huseby" <tsc@... on behalf of @dhuseby> wrote:

Dave Huseby
 

Hi Dan,

Just to clarify, you're talking about the $10k of Hyperledger budget
that would have been spent on HackerOne services right? The other
money in the Fabric bug bounty was donated by IBM for the purpose of
paying bounties and needs to stay there.

The other question is regarding expansion of the bug bounty program to
include Sawtooth, Iroha, and Indy. In the past we have asked for
donations from our sponsors to fund the bounty budget. Since we're
heading into the budget season for HL, we need to decide:

1) Are we going to expand to include the other frameworks?
1.b) If so, then how will we fund them?
1.c) If not, then do we focus on test nets for those frameworks and do
a limited bug bounty or none at all?

I am all for setting up test nets and bug bounties. I think both are
important pillars of a well-rounded security program.

---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
@dhuseby

On Sat, Sep 8, 2018 at 8:25 AM Middleton, Dan <dan.middleton@...> wrote:

Dave Huseby
 

Thank you Dan for your feedback, does anybody else have any thoughts
on the future of our bug bounty program? If we have the discussion
here on the mailing list then we can avoid taking up the precious TSC
call time.

Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
@dhuseby

On Sat, Sep 8, 2018 at 8:25 AM Middleton, Dan <dan.middleton@...> wrote:

Arnaud Le Hors
 

Hi,
I'm also in favor of switching to only email support and redirect our resources towards setting up test nets. I think this is likely to be a more valuable investment.
Thanks.
--
Arnaud Le Hors - Senior Technical Staff Member, Web & Blockchain Open Technologies - IBM




From:        "David Huseby" <dhuseby@...>
To:        hyperledger-tsc <hyperledger-tsc@...>
Date:        09/10/2018 07:58 PM
Subject:        Re: [Hyperledger TSC] Bug Bounty Update pt. Deux
Sent by:        tsc@...




Thank you Dan for your feedback, does anybody else have any thoughts
on the future of our bug bounty program?  If we have the discussion
here on the mailing list then we can avoid taking up the precious TSC
call time.

Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
dhuseby@...


On Sat, Sep 8, 2018 at 8:25 AM Middleton, Dan <dan.middleton@...> wrote:
>
> Good thoughts, Dave.
> I like the idea of putting this bounty budget towards test nets and / or more 3rd party code reviews.
> We could return to a bounty program in, maybe a year, after the test nets etc. have had their effect.
>
> Thanks,
> Dan
>
> On 9/7/18, 4:11 PM, "tsc@... on behalf of David Huseby" <tsc@... on behalf of dhuseby@...> wrote:
>
>     Hi Dan,
>
>     You make some good points and I agree with you.  We haven't received
>     the level of attention that I had hoped for.  From the survey that
>     HackerOne ran, the top two reasons for not looking at Fabric are
>     "specialization" and "uninteresting" meaning that blockchains are new
>     and our blockchain doesn't have enough market uptake to make breaking
>     it a novel and interesting exercise.
>
>     I think there are several ideas we can consider for growing the level
>     of interest:
>
>     1) Doing more marketing and running promotional bug hunts where we
>     temporarily bump up the bounty reward or offer a novel reward like an
>     all expenses paid trip to the HL Global Forum to present their
>     findings.  (Both of these ideas we're considering already).
>
>     2) Increase our bounties to make it worthwhile for somebody to take
>     the time to gain the specialization needed.
>
>     3) We could run live test nets with specific objectives (e.g.
>     authentication bypass, blockchain rewrite, denial of consensus, crash
>     a node, etc) that have specific bounties attached.
>
>     The third option specifically addresses your point about not having a
>     live install or fixed installer to target.  Regardless of what we do
>     in the future, we need to do something to grow the interest.  I know
>     that Brian has talked quite a bit about the need for test nets.  I'm
>     all for setting them up.  I'm exploring marketing and promotional
>     ideas with the staff with the intent of bringing a proposal to the
>     TSC.
>
>     Cheers!
>     Dave
>
>     ---
>     David Huseby
>     Security Maven, Hyperledger
>     The Linux Foundation
>     +1-206-234-2392
>     dhuseby@...
>     On Fri, Sep 7, 2018 at 11:16 AM Middleton, Dan <dan.middleton@...> wrote:
>     >
>     > Just to play devil's advocate here..
>     > We haven't gotten a lot of material benefit from the bounty so far.
>     > In any bounty the incentives have to be proportionate to the illicit incentives.
>     > The HL frameworks may be different than other systems under bug bounties, i.e. there's not a live install or fixed installer to target.
>     >
>     > Is there something else that we can do with this funding that would better secure our frameworks?
>     >
>     > Thanks,
>     > Dan
>     >
>     > On 9/7/18, 12:54 PM, "tsc@... on behalf of David Huseby" <tsc@... on behalf of dhuseby@...> wrote:
>     >
>     >     Hi Salman,
>     >
>     >     Thank you for the heads up.  I am aware of the tool. I mentioned it in
>     >     a recent RSA Webinar on blockchain security.  The chaincode pivot
>     >     attack was also identified by Nettitude when they did the security
>     >     audit of Fabric last October.
>     >
>     >     I have been having an email conversation with the authors of Tineola
>     >     and we have a phone meeting coming up to discuss the future of the
>     >     project.
>     >
>     >     Cheers!
>     >     Dave
>     >     ---
>     >     David Huseby
>     >     Security Maven, Hyperledger
>     >     The Linux Foundation
>     >     +1-206-234-2392
>     >     dhuseby@...
>     >

Silas Davis
 

Based on David's and Chris' remarks on the value provided by the paid service, then ditching it would also get my vote.


On Tue, Sep 11, 2018 at 11:03 AM Arnaud Le Hors <lehors@...> wrote:
Hi,
I'm also in favor of switching to only email support and redirect our resources towards setting up test nets. I think this is likely to be a more valuable investment.
Thanks.
--
Arnaud Le Hors - Senior Technical Staff Member, Web & Blockchain Open Technologies - IBM






Dave Huseby
 

Thanks Arnaud and Silas, I think dropping paid H1 support is our best
option. We have a group of great engineers volunteering for the
security team that can easily cover the triage.

Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
@dhuseby

On Mon, Sep 24, 2018 at 3:02 AM Silas Davis <silas@...> wrote:

Based on David's and Chris' remarks on the value provided by the paid service than ditching it would also get my vote.


Mic Bowman
 

+1

 

From: tsc@... [mailto:tsc@...] On Behalf Of Arnaud Le Hors
Sent: Tuesday, September 11, 2018 3:02 AM
To: David Huseby <dhuseby@...>
Cc: hyperledger-tsc <hyperledger-tsc@...>
Subject: Re: [Hyperledger TSC] Bug Bounty Update pt. Deux

 

Hi,
I'm also in favor of switching to only email support and redirect our resources towards setting up test nets. I think this is likely to be a more valuable investment.
Thanks.
--
Arnaud Le Hors - Senior Technical Staff Member, Web & Blockchain Open Technologies - IBM





Christopher Ferris
 

+2

On Mon, Sep 24, 2018 at 12:15 PM David Huseby <dhuseby@...> wrote:
Thanks Arnaud and Silas, I think dropping paid H1 support is our best
option.  We have a group of great engineers volunteering for the
security team that can easily cover the triage.

Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
dhuseby@...

On Mon, Sep 24, 2018 at 3:02 AM Silas Davis <silas@...> wrote:
>
> Based on David's and Chris' remarks on the value provided by the paid service than ditching it would also get my vote.
>
> On Tue, Sep 11, 2018 at 11:03 AM Arnaud Le Hors <lehors@...> wrote:
>>
>> Hi,
>> I'm also in favor of switching to only email support and redirect our resources towards setting up test nets. I think this is likely to be a more valuable investment.
>> Thanks.
>> --
>> Arnaud  Le Hors - Senior Technical Staff Member, Web & Blockchain Open Technologies - IBM
>>
>>
>>
>>
>> From:        "David Huseby" <dhuseby@...>
>> To:        hyperledger-tsc <hyperledger-tsc@...>
>> Date:        09/10/2018 07:58 PM
>> Subject:        Re: [Hyperledger TSC] Bug Bounty Update pt. Deux
>> Sent by:        tsc@...
>> ________________________________
>>
>>
>>
>> Thank you Dan for your feedback, does anybody else have any thoughts
>> on the future of our bug bounty program?  If we have the discussion
>> here on the mailing list then we can avoid taking up the precious TSC
>> call time.
>>
>> Dave
>> ---
>> David Huseby
>> Security Maven, Hyperledger
>> The Linux Foundation
>> +1-206-234-2392
>> dhuseby@...
>>
>> On Sat, Sep 8, 2018 at 8:25 AM Middleton, Dan <dan.middleton@...> wrote:
>> >
>> > Good thoughts, Dave.
>> > I like the idea of putting this bounty budget towards test nets and / or more 3rd party code reviews.
>> > We could return to a bounty program in, maybe a year, after the test nets etc. have had their effect.
>> >
>> > Thanks,
>> > Dan
>> >
>> > On 9/7/18, 4:11 PM, "tsc@... on behalf of David Huseby" <tsc@... on behalf of dhuseby@...> wrote:
>> >
>> >     Hi Dan,
>> >
>> >     You make some good points and I agree with you.  We haven't received
>> >     the level of attention that I had hoped for.  From the survey that
>> >     HackerOne ran, the top two reasons for not looking at Fabric are
>> >     "specialization" and "uninteresting" meaning that blockchains are new
>> >     and our blockchain doesn't have enough market uptake to make breaking
>> >     it a novel and interesting exercise.
>> >
>> >     I think there are several ideas we can consider for growing the level
>> >     of interest:
>> >
>> >     1) Doing more marketing and running promotional bug hunts where we
>> >     temporarily bump up the bounty reward or offer a novel reward like an
>> >     all expenses paid trip to the HL Global Forum to present their
>> >     findings.  (Both of these ideas we're considering already).
>> >
>> >     2) Increase our bounties to make it worthwhile for somebody to take
>> >     the time to gain the specialization needed.
>> >
>> >     3) We could run live test nets with specific objectives (e.g.
>> >     authentication bypass, blockchain rewrite, denial of consensus, crash
>> >     a node, etc) that have specific bounties attached.
>> >
>> >     The third option specifically addresses your point about not having a
>> >     live install or fixed installer to target.  Regardless of what we do
>> >     in the future, we need to do something to grow the interest.  I know
>> >     that Brian has talked quite a bit about the need for test nets.  I'm
>> >     all for setting them up.  I'm exploring marketing and promotional
>> >     ideas with the staff with the intent of bringing a proposal to the
>> >     TSC.
>> >
>> >     Cheers!
>> >     Dave
>> >
>> >     ---
>> >     David Huseby
>> >     Security Maven, Hyperledger
>> >     The Linux Foundation
>> >     +1-206-234-2392
>> >     dhuseby@...
>> >     On Fri, Sep 7, 2018 at 11:16 AM Middleton, Dan <dan.middleton@...> wrote:
>> >     >
>> >     > Just to play devils advocate here..
>> >     > We haven't gotten a lot of material benefit from the bounty so far.
>> >     > In any bounty the incentives have to be proportionate to the illicit incentives.
>> >     > The HL frameworks may be different than other systems under bug bounties, i.e. there's not a live install or fixed installer to target.
>> >     >
>> >     > Is there something else that we can do with this funding that would better secure our frameworks?
>> >     >
>> >     > Thanks,
>> >     > Dan
>> >     >
>> >     > On 9/7/18, 12:54 PM, "tsc@... on behalf of David Huseby" <tsc@... on behalf of dhuseby@...> wrote:
>> >     >
>> >     >     Hi Salman,
>> >     >
>> >     >     Thank you for the heads up.  I am aware of the tool. I mentioned it in
>> >     >     a recent RSA Webinar on blockchain security.  The chaincode pivot
>> >     >     attack was also identified by Nettitude when they did the security
>> >     >     audit of Fabric last October.
>> >     >
>> >     >     I have been having an email conversation with the authors of Tineola
>> >     >     and we have a phone meeting coming up to discus the future of the
>> >     >     project.
>> >     >
>> >     >     Cheers!
>> >     >     Dave
>> >     >     ---
>> >     >     David Huseby
>> >     >     Security Maven, Hyperledger
>> >     >     The Linux Foundation
>> >     >     +1-206-234-2392
>> >     >     dhuseby@...
>> >     >
>> >     >     On Fri, Sep 7, 2018 at 8:25 AM Salman A Baset <sabaset@...> wrote:
>> >     >     >
>> >     >     > Hi David,
>> >     >     >
>> >     >     > I agree with your suggested approach for option C.
>> >     >     >
>> >     >     > Also, I want to bring to attention a security testing tool for Fabric that was presented at DEFCON this year. Among other issues, it points to the issue of a shell in the chaincode container, which is known and is preventable through various controls.
>> >     >     > https://parsiya.net/blog/2018-08-23-committing-insurance-fraud-with-tineola/
>> >     >     > https://github.com/tineola/tineola
>> >     >     >
>> >     >     > It will be useful to develop a Center for Internet Security (CIS) checklist for Fabric and other Hyperledger platforms to help guide developers and security professionals. Happy to start it, but looking for collaborators.
>> >     >     >
>> >     >     >
>> >     >     > Salman A. Baset, Ph.D.
>> >     >     > CTO Security, IBM Blockchain Solutions
>> >     >     > Email. sabaset@...
>> >     >     > Phone. 914.945.2062
>> >     >     >
>> >     >     > ----- Original message -----
>> >     >     > From: "David Huseby" <dhuseby@...>
>> >     >     > Sent by: tsc@...
>> >     >     > To: hyperledger-tsc <hyperledger-tsc@...>
>> >     >     > Cc:
>> >     >     > Subject: [Hyperledger TSC] Bug Bounty Update pt. Deux
>> >     >     > Date: Wed, Sep 5, 2018 5:10 PM
>> >     >     >
>> >     >     > As I mentioned in my update email last Friday, I have been negotiating
>> >     >     > with HackerOne to secure the lowest possible price for the limited PM
>> >     >     > support for our bounty program.  To remind you, we need to sign a new
>> >     >     > contract with HackerOne for next year and our options for support are:
>> >     >     >
>> >     >     >   A. Full PM and Triage support.
>> >     >     >   B. Limited PM support.
>> >     >     >   C. Email only support.
>> >     >     >
>> >     >     > I think we should go with options B or C.  I was negotiating for the
>> >     >     > best price on B, since C is free.  HackerOne quoted $10k for option B.
>> >     >     >
>> >     >     > My recommendation is:
>> >     >     >   1. We go with option C.
>> >     >     >   2. We put the money we save into the bounty pool and a marketing budget.
>> >     >     >   3. We bump up the bounty awards and/or do limited promotional awards.
>> >     >     >   4. We spend some money marketing our bounty program.
>> >     >     >
>> >     >     > Cheers!
>> >     >     > Dave
>> >     >     > ---
>> >     >     > David Huseby
>> >     >     > Security Maven, Hyperledger
>> >     >     > The Linux Foundation
>> >     >     > +1-206-234-2392
>> >     >     > dhuseby@...


Dave Huseby
 

Thank you for the feedback.

I would still like a short discussion on this topic during a TSC
meeting, if for no other reason than to take a quick vote on moving
forward using the H1 platform but without paid H1 support.

Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
@dhuseby

On Tue, Sep 25, 2018 at 8:52 AM Christopher Ferris
<chris.ferris@...> wrote:

+2

On Mon, Sep 24, 2018 at 12:15 PM David Huseby <@dhuseby> wrote:

Thanks Arnaud and Silas, I think dropping paid H1 support is our best
option. We have a group of great engineers volunteering for the
security team that can easily cover the triage.

Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
@dhuseby

On Mon, Sep 24, 2018 at 3:02 AM Silas Davis <silas@...> wrote:

Based on David's and Chris's remarks on the value provided by the paid service, ditching it would also get my vote.

On Tue, Sep 11, 2018 at 11:03 AM Arnaud Le Hors <lehors@...> wrote:

Hi,
I'm also in favor of switching to email-only support and redirecting our resources towards setting up test nets. I think this is likely to be a more valuable investment.
Thanks.
--
Arnaud Le Hors - Senior Technical Staff Member, Web & Blockchain Open Technologies - IBM




From: "David Huseby" <@dhuseby>
To: hyperledger-tsc <hyperledger-tsc@...>
Date: 09/10/2018 07:58 PM
Subject: Re: [Hyperledger TSC] Bug Bounty Update pt. Deux
Sent by: tsc@...
________________________________



Thank you Dan for your feedback, does anybody else have any thoughts
on the future of our bug bounty program? If we have the discussion
here on the mailing list then we can avoid taking up the precious TSC
call time.

Dave
---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
@dhuseby

On Sat, Sep 8, 2018 at 8:25 AM Middleton, Dan <dan.middleton@...> wrote:

Good thoughts, Dave.
I like the idea of putting this bounty budget towards test nets and / or more 3rd party code reviews.
We could return to a bounty program in, maybe a year, after the test nets etc. have had their effect.

Thanks,
Dan

On 9/7/18, 4:11 PM, "tsc@... on behalf of David Huseby" <tsc@... on behalf of @dhuseby> wrote:

Hi Dan,

You make some good points and I agree with you. We haven't received
the level of attention that I had hoped for. From the survey that
HackerOne ran, the top two reasons for not looking at Fabric are
"specialization" and "uninteresting" meaning that blockchains are new
and our blockchain doesn't have enough market uptake to make breaking
it a novel and interesting exercise.

I think there are several ideas we can consider for growing the level
of interest:

1) Doing more marketing and running promotional bug hunts where we
temporarily bump up the bounty reward or offer a novel reward like an
all expenses paid trip to the HL Global Forum to present their
findings. (Both of these ideas we're considering already).

2) Increase our bounties to make it worthwhile for somebody to take
the time to gain the specialization needed.

3) We could run live test nets with specific objectives (e.g.
authentication bypass, blockchain rewrite, denial of consensus, crash
a node, etc) that have specific bounties attached.

The third option specifically addresses your point about not having a
live install or fixed installer to target. Regardless of what we do
in the future, we need to do something to grow the interest. I know
that Brian has talked quite a bit about the need for test nets. I'm
all for setting them up. I'm exploring marketing and promotional
ideas with the staff with the intent of bringing a proposal to the
TSC.

Cheers!
Dave

---
David Huseby
Security Maven, Hyperledger
The Linux Foundation
+1-206-234-2392
@dhuseby
On Fri, Sep 7, 2018 at 11:16 AM Middleton, Dan <dan.middleton@...> wrote:
>
> Just to play devil's advocate here...
> We haven't gotten a lot of material benefit from the bounty so far.
> In any bounty the incentives have to be proportionate to the illicit incentives.
> The HL frameworks may be different than other systems under bug bounties, i.e. there's not a live install or fixed installer to target.
>
> Is there something else that we can do with this funding that would better secure our frameworks?
>
> Thanks,
> Dan
>
> On 9/7/18, 12:54 PM, "tsc@... on behalf of David Huseby" <tsc@... on behalf of @dhuseby> wrote:
>
> Hi Salman,
>
> Thank you for the heads up. I am aware of the tool. I mentioned it in
> a recent RSA Webinar on blockchain security. The chaincode pivot
> attack was also identified by Nettitude when they did the security
> audit of Fabric last October.
>
> I have been having an email conversation with the authors of Tineola
> and we have a phone meeting coming up to discuss the future of the
> project.
>
> Cheers!
> Dave
> ---
> David Huseby
> Security Maven, Hyperledger
> The Linux Foundation
> +1-206-234-2392
> @dhuseby
>
> On Fri, Sep 7, 2018 at 8:25 AM Salman A Baset <sabaset@...> wrote:
> >
> > Hi David,
> >
> > I agree with your suggested approach for option C.
> >
> > Also, I want to bring to attention a security testing tool for Fabric that was presented at DEFCON this year. Among other issues, it points to the issue of a shell in the chaincode container, which is known and is preventable through various controls.
> > https://parsiya.net/blog/2018-08-23-committing-insurance-fraud-with-tineola/
> > https://github.com/tineola/tineola
> >
> > It will be useful to develop a Center for Internet Security (CIS) checklist for Fabric and other Hyperledger platforms to help guide developers and security professionals. Happy to start it, but looking for collaborators.
> >
> >
> > Salman A. Baset, Ph.D.
> > CTO Security, IBM Blockchain Solutions
> > Email. sabaset@...
> > Phone. 914.945.2062
> >
> > ----- Original message -----
> > From: "David Huseby" <@dhuseby>
> > Sent by: tsc@...
> > To: hyperledger-tsc <hyperledger-tsc@...>
> > Cc:
> > Subject: [Hyperledger TSC] Bug Bounty Update pt. Deux
> > Date: Wed, Sep 5, 2018 5:10 PM
> >
> > As I mentioned in my update email last Friday, I have been negotiating
> > with HackerOne to secure the lowest possible price for the limited PM
> > support for our bounty program. To remind you, we need to sign a new
> > contract with HackerOne for next year and our options for support are:
> >
> > A. Full PM and Triage support.
> > B. Limited PM support.
> > C. Email only support.
> >
> > I think we should go with options B or C. I was negotiating for the
> > best price on B, since C is free. HackerOne quoted $10k for option B.
> >
> > My recommendation is:
> > 1. We go with option C.
> > 2. We put the money we save into the bounty pool and a marketing budget.
> > 3. We bump up the bounty awards and/or do limited promotional awards.
> > 4. We spend some money marketing our bounty program.
> >
> > Cheers!
> > Dave
> > ---
> > David Huseby
> > Security Maven, Hyperledger
> > The Linux Foundation
> > +1-206-234-2392
> > @dhuseby