8/4/2017
01:15 PM
Dark Reading
Products and Releases

Dash Employs Bugcrowd to Hack Its Blockchain

Bugcrowd's professional white-hat hackers and cyber security experts join forces to detect Dash vulnerabilities.

New York, NY - August 3, 2017 - Dash, the top payments-focused digital currency, has received approval from the Dash community to employ the services of Bugcrowd, the leader in crowdsourced security testing. The partnership means thousands of security researchers will be incentivized to identify critical software vulnerabilities within Dash’s code and present them to the Dash Core Team for remediation. Commencing in August, Dash will employ a private bug bounty program through Bugcrowd, tapping into a curated, invite-only crowd to find Dash vulnerabilities, and then, in line with the rollout of Evolution, expand to a public program where over 60,000 registered security experts around the world will detect issues on behalf of Dash and be rewarded in bug bounty payments.

Jim Bursch, director of Dash Incubator and Bugcrowd’s proposal creator, said, “Our goal is a safer, stronger network. We are talking about money -- the digital equivalent of cold, hard cash. Meaningful amounts of cash attract a powerful incentive for thieves on a global scale. The Dash project is like building a bank vault, and inviting elite bank robbers to participate in its design, so it can't be robbed by other criminals.”

In the short history of cryptocurrencies, hacks have already marred the industry, and enterprises have felt the pain for well over a decade. Just last month, a hacker walked away with $7 million USD from investors participating in CoinDash’s ICO; in June last year, over $50 million USD was stolen in The DAO (Ethereum) hack; and large companies like Bell Canada and Tesco Bank have recently been victims of information breaches and lost customer funds.

Dash Core CEO Ryan Taylor said, “As Dash gains more mainstream attention, identifying and fixing vulnerabilities is absolutely imperative. Bug bounty programs attract fresh eyes to review code which ensures white-hat hackers help identify any security flaws. Providing strong incentives to attract experienced programmers is one of the many tools we have at our disposal to ensure the Dash codebase is as robust as possible.”

Bugcrowd enlists over 60,000 security researchers to surface critical software vulnerabilities. In any given fortnight, Bugcrowd researchers typically find about five critical vulnerabilities, 70 unique vulnerabilities and 200 total vulnerabilities.

Bugcrowd CEO Casey Ellis said, “Currently, there is a massive shortage in cybersecurity professionals - pair this with an expanding attack surface and companies are at a major security disadvantage. We have amassed a solid resource of professional security researchers and years of experience managing highly complex programs. We are living in the era of digital transformation -- cryptocurrency is the next stage in this evolution. Given the globalization of the workforce, it stands to reason that the demand for cryptocurrency will grow.”

When a security researcher finds a bug in Dash’s code, the Bugcrowd Technical Operations team will handle bug triage and validation. Bugs are assigned a ‘severity’ rating and remediation advice is provided to the Dash Core Team.

“Our landmark release, Evolution, aims to completely redefine how a digital currency functions and will be available for Alpha testing in December. Providing that optimal user experience requires a massive change to the underlying technology. The more improvements Dash adds to the original Bitcoin code, which Dash is based on, means we will continue to invest heavily in ensuring our product meets the highest standard possible. Because digital currencies store wealth and facilitate transfer of payments, it is critical that we take all measures possible to make absolutely sure that even minor software bugs are addressed,” Taylor said.

Ellis concluded, “Regardless of size, organizations that attempt a self-managed program quickly find the process overwhelming. Defining scope, identifying program security owners, establishing a vulnerability management program, and even determining time-to-fix agreements within that program -- all of these require time and resources both in the setup, and on an ongoing basis as the program evolves. By choosing Bugcrowd to manage their bug bounty, Dash has taken the work out of running a bug bounty program, so all they see are results.”
