Tardigrade speed, bugs and bug bounty program

Hi @jocelyn

Here is the first bug that I posted on GitHub.

This bug impacts all storage nodes that were created before 2020 (which have old Stefan satellite data):

  1. Impacting storage space on all nodes.
  2. Impacting payouts.
1 Like

I think it would be a good idea to respond to the request. For example like this: "Hi, we got your report. After reviewing, we will let you know more information" or something else, just to indicate the fact of receipt.

2 Likes

Adding this to my to-do list!

1 Like

Hi @jocelyn

Here is the next bug that I posted on GitHub :slight_smile:

2 Likes

Thanks for no reaction :+1:t2:
Easy way to legal DoS will be published soon for public access.

Seems like the bug bounty program is not working…

1 Like

Hey friends!

So, I went through and read a bunch of previous forum posts about the bug bounty program. It’s clear we’re planning one! We have posted a form and details, and in advance of a formal document describing the bug bounty program, I believe we’ve even paid a couple of people rewards here and there, where we could. I’m excited by the enthusiasm for a bug bounty program! Thanks @anon68609175 and @Odmin especially!

That said, we have not finalized the bug bounty program rules. Because of that, we’re not yet officially running one, and one is not ready.

So, @anon68609175, a great way to be forever disqualified from any bug bounty program is irresponsible disclosure. If you’ve posted your vulnerability to Jocelyn’s new form, please sit tight and I want to thank you for your patience! Because we have not finalized our terms for the bug bounty, I don’t yet know what we will agree to in regards to response time. I get it! It sucks having to wait without a clear deadline! It will probably be a while considering we don’t have a formal process internally yet for bug bounty responses, considering we are not yet running a formal bug bounty program. We are happy to try our best and respond to people and even hand out awards where we can when we can (we have)!

We don’t respond well to threats though. You can choose to share the vulnerability without going through the process, but you will definitely not receive any bounty if you do! Up to you.

Let me know what you decide to do, and assuming you’re the person who already submitted responses to the Google Form linked earlier in this thread, thank you for your submissions so far, and thank you for your continued patience.

4 Likes

Thanks @jtolio !

Let me share my point of view about the current process. I think the root cause of any issues in this thread is a lack of information and very long pauses without any feedback.
So I would like to draw your attention to this communication gap, because a very long time of silence produces a lot of misunderstanding.

3 Likes

Each token report includes a line about the bug bounty program (line 11). Also, we do not get any response to that. By the way, support works in the same way: I can’t delete files and have to pay for them since the software works poorly. Support, instead of raising the limits and letting me delete the files myself, is multithreaded and simply ignores a reasonable (1-8h) time to resolve problem 5692.

2 Likes

Thanks for the response @jtolio

I would agree, but part of responsible disclosure is also that if a company doesn’t respond after a certain time, findings are published. The industry seems to be moving towards 90 days being the standard period for this. Bug bounty program or not, no party can just expect people will sit on information forever after responsible disclosure has taken place. And I would say publication of findings after such a period should not disqualify this person from participating in the bug bounty program with new bugs. Though the bug that has been publicly published obviously would no longer be applicable for a reward.

7 Likes

Here is a good example of response time for various bug bounty programs.

1 Like

Dealing with a new bug bounty program requires defining scope: what is eligible, along with severity, usually tied to the NVD rating.

For instance, as a SNO I care about any inbound port vulnerability (TCP 27689, etc.) which could cause my machine to be compromised. And I care about getting paid and not having someone misuse my (token) identity on the satellites and redirect payments. On the other hand, vulnerabilities in the forum platform, while annoying, should cause no real harm.

Likewise, Storj needs to protect the integrity of the Storj coin to keep the business viable, as well as the integrity of the code it publishes. I can’t speak to Tardigrade, but as the source of customers they need to be protected, especially the files they upload or download, as well as any code they install or use that handles files or payments.

Are there any news about official bug bounty program? Recently, there has been only silence on questions. It is very similar to the project being dead.

Have to agree with GrolaG here…

might be better to just get the bugs bunny program up and running with more limited rewards and full confidentiality on all bugs reported, or something in that regard… so it could start producing some results, and developing into a workable system…

I doubt you guys can plan how stuff like this will end up working anyway… it’s going to have to develop over time… no plan survives contact with the enemy.

3 Likes

:joy: :joy: :joy: :joy: :joy: :joy: :joy: :joy: :joy: :joy:

2 Likes

How the bug bounty program is working at this moment :laughing:

4 Likes

What your bunny wrote :slight_smile:
(read with a Russian accent)

3 Likes

If you would like to report bugs that you want to get a bounty for because it would be something that is dangerous to our network, you can send an email to: security-reports@storj.io

Please note that this is NOT the place to report regular bugs which don’t present a danger to our network failing, or to our website getting hacked etc. Please direct those types of bugs to github or the forum.

You can report regular small bugs on the forum - this is happening already. Surfacing these issues brought up on the forum is a process that is going on in the background without most of the users noticing. Staff members and the L2 support devs are constantly reading the forum and making issues for devs to work on, such as, for example, what is going on right now with the GE issues. They are definitely an inconvenience for the SNOs, but not a security vulnerability or worth a bounty. We make things right for those affected by manually making the necessary adjustments so they can finish their GE and get their held amounts, while devs are working on the actual fix.

1 Like

Hi @Dylan

I think everyone knows how to report bugs and how to use the special Google form for it that was created by @jocelyn.

But the question was a little bit different:

I think it was based on:

So, do you have any news about running a formal bug bounty program?

2 Likes

Storj, not matrix :rofl:

So we have no classification, price table, etc.
Actually, since I was not answered after an extremely looooooooooong wait, network degradation, over-billing, impossibility of deletion within a reasonable time, and useless support (can’t solve an easy problem with limits) are not a problem.
Thanks for the answer!