Polkadot Summit '24 - Community Bug Bounty

Community Bug Bounty

Hi all, please see below a write-up from one of the Polkadot Summit sessions that was held in Bangkok in 2024.
You can use the polkadot-summit tag to see all the other posts, and navigate to the summary post for a recap of the event.

11th March 2024 / POLKADOT SUMMIT ASIA

Host: Giovanny Gongora & Serhan Bahar
Element: @gioyik:parity.io | @serhan:parity.io
Email: gio@parity.io | serhan@parity.io

Summary of session

The session covered the Community Bug Bounty program for the Polkadot <> Kusama Bridge, presented by Giovanny Gongora and Serhan Bahar from Parity Technologies. The program is designed to encourage hackers and researchers to report vulnerabilities rather than exploit them, aiming to create a culture of security awareness and demonstrate maturity in handling external interactions seeking vulnerabilities. Get involved - contact them!

Notes & key questions asked

  • Why a Bug Bounty? Development teams will inevitably face bug bounty reports or threats. The program incentivizes ethical reporting to enhance security and reduce unexpected incidents.

  • Bridges Bug Bounty Rationale: Given the nature of bridges as intermediaries facilitating asset transfers between blockchains, they present lucrative targets for attacks. The high volume of high-value transactions necessitates robust security measures.

  • Scope: The bug bounty program focuses on the common bridges infrastructure, XCM, and BridgesHub, with repositories listed for potential contributors to review.

  • Clearly defining and improving the Threat Model is key: The threat model identifies the high-risk categories for bridge security; a comprehensive analysis indicates six key categories of IT security risk, at a maximum level of High risk.

  • Severity Classification: Details the reward structure, with up to $100,000 for critical vulnerabilities down to $1,000 for low-severity issues, covering various potential threats like governance compromise, loss of user assets, and unauthorized actions.

  • Disclosure Policy: Specifies a remediation period and a schedule for bug disclosure post-fix audit and release, emphasizing the need for completed fixes before public disclosure.

  • Experience So Far: Highlights how much the community values credibility and effectiveness, the debate over funds allocation, and the importance of public threat models for transparent severity assessment.

Key takeaways & next steps

  • Community Bug Bounty Benefits: The program aims to secure the network for all, rather than individual teams, making security accessible to everyone in the ecosystem.

  • Leveraging Community Collaboration: Encourages drawing on individuals with security skills across the ecosystem to triage bug bounty submissions, aiming to improve cost and funds efficiency.

  • Call for Collaboration: The presentation ends with a call for individuals with security experience, governance supporters, and curators to contribute to the program’s effectiveness and transparency.

  • Next Steps: For individuals interested in contributing to the security of the Polkadot <> Kusama Bridge, the session encourages engagement through triage, program maintenance, and governance support. The emphasis is on community collaboration for enhancing security and ensuring the program’s success, e.g.:

    • Can we create pools of developer skills that can contribute to the threat models of bridges?
    • Can we create a dynamic price allocation model for bug bounties (bear market vs. bull market)? The rewards fluctuate too much, and that can leave the chain vulnerable.