Bug bounty program and how to report security issues


#1

I couldn’t find how to report 0days in a safe way. Could you please provide some e-mail and PGP public key?

Also, does the Cardano Foundation or IOHK have a bug bounty program?

Thank you!


#2

Is this related to Daedalus? You can try creating an issue in their GitHub repository: https://github.com/input-output-hk/daedalus/issues

When Ouroboros is up and people can nominate and vote on how to use the treasury, I would like to see allocation for 3rd party security testing and bug bounty program.


#3

GitHub is not the proper channel to report a vulnerability as anyone could read it.


#4

Formal pre-release testing now or you’ll never see this “treasury” vision. Warm and fuzzy that everyone wants to “play a role” in the development of Cardano.

There isn’t the time available.

From this point-in-time forward every release has to function correctly and deliver the intended functionality. Cardano can not afford these interruptions:

FYI: Binance withdrawals

Interacting flawlessly with the exchanges and other purchase methods is essential. Remember, this is the source of any potential treasury funding.


#5

More than one week has passed since I asked this simple yet important question, and there is still no response from IOHK or the Cardano Foundation. This is a red flag for me.


#6

I’ve already criticized them right here for lacking on their ‘customer’ service. Not sure if they’re doing anything about it yet. Many questions go unanswered and expecting folk to just RTFM, quite honestly, isn’t going to cut it. And if the answer is indeed RTFM, then a CF or IOHK person could do quick responses with pointers to the answers.

They want to build a community. Well, community doesn’t get built by ignoring anyone. @cf_tom.kelly @cf_jonmoss


#7

Hi @MartinMKD - we try not to ignore people… it’s a big and rapidly growing community! :smiley:

Thanks for the heads up with this - we sometimes do miss things if not included with an @ - it is much appreciated.

Hello @peramides - sorry for missing your post - sending you a DM now…


#8

Thanks again for your response Jon.


#9

It would be nice if questions were answered on the forum and not through DM. It seems that peramides has had his question answered, but we are still in the dark…


#10

@zmeel there is no official bug bounty program at the moment, but to report any security issue it seems that, right now, the best way is just to contact someone on the IOHK dev team directly: on the project page there is a team tab; if you check someone's profile (by clicking their name), you will find an email address and a fingerprint at the bottom of the page. PGP public keys are on the MIT key server.
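The post above describes the manual route: copy the fingerprint from a developer's profile page, fetch the matching public key from the key server, and encrypt the report to it. The step worth automating is the check in the middle, because anyone can upload a key with the same name and e-mail address to a key server; only the fingerprint taken from the profile page ties the key to the person. The script below is an added example, not the project's or the forum poster's code. It assumes `gpg` (GnuPG 2.1 or later) is installed; the key it generates stands in for the developer's key so the demo runs offline, and the contact name, e-mail address and report text are constructed for the demo. A real run would fetch the key with something like `gpg --keyserver pgp.mit.edu --recv-keys <FINGERPRINT>` and export it to a file, then call `verify_and_encrypt` on that file.

```sh
#!/bin/sh
# Added example (not from the thread or from IOHK/CF): refuse to encrypt a
# vulnerability report unless the imported key's fingerprint equals the one
# published out-of-band on the developer's profile page.
set -u

# verify_and_encrypt KEYFILE EXPECTED_FPR REPORT OUT
#   Imports KEYFILE into a scratch keyring (so nothing lands in the user's
#   real keyring), compares the primary key fingerprint with EXPECTED_FPR
#   (spaces and case ignored, so it can be pasted straight from a web page),
#   and only then encrypts REPORT to that key, writing ASCII armor to OUT.
#   Returns 0 on success and 1 on import failure, mismatch or encrypt error.
verify_and_encrypt() {
  keyfile=$1 expected=$2 report=$3 out=$4
  scratch=$(mktemp -d) || return 1
  chmod 700 "$scratch"
  rc=1
  if GNUPGHOME=$scratch gpg --batch --quiet --import "$keyfile" 2>/dev/null; then
    want=$(printf '%s' "$expected" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    got=$(GNUPGHOME=$scratch gpg --batch --with-colons --fingerprint 2>/dev/null \
          | awk -F: '$1=="fpr"{print $10; exit}')
    if [ -n "$got" ] && [ "$got" = "$want" ]; then
      # --trust-model always: the fingerprint check above is our trust decision.
      GNUPGHOME=$scratch gpg --batch --quiet --trust-model always --armor \
        --recipient "$got" --output "$out" --encrypt "$report" 2>/dev/null && rc=0
    else
      echo "refusing: key fingerprint $got does not match published $want" >&2
    fi
  fi
  GNUPGHOME=$scratch gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$scratch"
  return $rc
}

# make_demo_key DIR: generate a throwaway key pair in DIR (constructed stand-in
# for the developer's key), export its public half to DIR/contact.asc and print
# the fingerprint the way a profile page would show it (upper-case hex).
make_demo_key() {
  dir=$1
  GNUPGHOME=$dir gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
    --quick-gen-key 'Demo Security Contact <security@example.invalid>' \
    default default 0 2>/dev/null || return 1
  GNUPGHOME=$dir gpg --batch --armor --export > "$dir/contact.asc" || return 1
  GNUPGHOME=$dir gpg --batch --with-colons --fingerprint 2>/dev/null \
    | awk -F: '$1=="fpr"{print $10; exit}'
  GNUPGHOME=$dir gpgconf --kill gpg-agent 2>/dev/null || true
}

# Stand-alone demo: the "published" fingerprint is read from the key we just
# made; the second call uses a tampered value to show the refusal path.
work=$(mktemp -d); chmod 700 "$work"
published=$(make_demo_key "$work") || { echo "key generation failed" >&2; exit 1; }
printf 'Constructed report: affected component, version, steps to reproduce.\n' \
  > "$work/report.txt"
verify_and_encrypt "$work/contact.asc" "$published" "$work/report.txt" "$work/report.asc" \
  && echo "encrypted report written to $work/report.asc"
verify_and_encrypt "$work/contact.asc" "0123456789ABCDEF0123456789ABCDEF01234567" \
  "$work/report.txt" "$work/tampered.asc" 2>/dev/null \
  || echo "tampered fingerprint rejected, nothing written"
rm -rf "$work"
```

The scratch `GNUPGHOME` matters: importing an unverified key into your normal keyring, then encrypting by name or e-mail address, is exactly how a look-alike key gets used by accident. Encrypting by full fingerprint, as the function does, removes that ambiguity even if the report is later sent by plain e-mail.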


#11

I also have the same impression that more and more devs from the community come up with brilliant ideas on how to help Cardano structure and organise itself in order to get things done quickly and efficiently, but they don't know who to contact apart from Jon and Tom.

In this case, a simple technical guideline with a dedicated email address, or an in-house developer contact who could coordinate these things, would be nice. @cf_jonmoss


#12

Hi @zmeel we are looking at the best way of reporting issues at present and will post publicly. There is no bounty program at present.