PhIP-03: Formation of a Framework for Phonon Bug Bounty Program

Hello Phrens,

PhIP-03 is intended to be the start of a formal framework for bug bounties on the Phonon protocol and its associated projects (as defined by the DAO). This framework was pulled from GridPlus as a good starting point, per Karl, and I’ve modified it such that we will provide addendums to the program to further define the scope of the bounties available. At the same time we will also have a generalized bounty program that is not so limited in scope.

One reason I felt this was important is that hardware security is, at this time, what I would estimate to be our #1 criticism from the technical community. I want to be able to point to something, e.g. a large bounty that has never been claimed by anyone for hacking a Phonon Smart Card, as a way to publicly respond and reinforce our stance that the hardware we intend to use with the protocol is secure.

So, to the framework:

Introduction

User security is of paramount importance to Phonon DAO’s efforts. We encourage responsible disclosure of security vulnerabilities via our bug bounty program (“Bug Bounty Program”) described on this page.

The program directly serves our core mission because the security of the hardware used with Phonon is the foundation on which Phonon works.

The Phonon DAO Bug Bounty Program’s scope will start as this framework and, via addendums, grow to include specific bounty scopes.

A valid report is any in-scope report (defined specifically in addendums) that clearly demonstrates a software or hardware vulnerability that harms Phonon DAO or its userbase. A report must be a valid, in-scope report in order to qualify for a bounty. Phonon DAO will determine in its sole discretion whether a report is eligible for a reward and the amount of the award.

Program Policies

Phonon DAO pledges not to initiate legal action for security research conducted pursuant to all Bug Bounty Program policies, including good faith, accidental violations. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and applicable anti-hacking laws such as Cal. Penal Code 502(c). We will not bring a DMCA claim against researchers for circumventing the technological measures we have used to protect the applications in scope of the Bug Bounty Program.

If legal action is initiated by a third party against you and you have complied with the Bug Bounty Program policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party is not bound by our pledge and may determine whether to pursue legal action. Phonon DAO cannot and does not authorize security research on other entities.

Please contact the Phonon DAO before engaging in conduct that may be inconsistent with or unaddressed by this policy. Your message should include a brief description of your intended conduct so that we may determine whether it is consistent with the Bug Bounty Program policy.

We believe it is critical to provide these assurances in order to allow security researchers to fully investigate potential security vulnerabilities. As such, we embrace the standardization of policy language that provides legal protection to security researchers as a part of the #legalbugbounty project.

Researcher Requirements

Complying with the Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure” which includes:

  1. Reporting vulnerabilities with no conditions, demands, or ransom threats.

  2. Providing Phonon DAO a reasonable amount of time to fix a vulnerability prior to sharing the details of the vulnerability with any other party.

  3. Not profiting from or allowing any other party to profit from a vulnerability outside of Bug Bounty Program payouts from Phonon DAO.

Phonon DAO considers Social Engineering attacks against DAO members to be a violation of Program Policies, and they will result in researchers being banned from this Bug Bounty Program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.

Report Evaluation & Reward

In order to be deemed valid, a report must demonstrate a hardware or software vulnerability in the Phonon protocol software or hardware that harms Phonon DAO or its userbase. Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.

A report must be a valid, in-scope report in order to qualify for a bounty. Phonon DAO awards bounties based on the severity of the vulnerability. We determine severity based on two factors: Impact and Exploitability.

Impact describes the effects of successful exploitation upon Phonon systems or customers. We make this assessment primarily by examining the effects of exploitation on confidentiality, integrity, or availability of underlying information. Vulnerabilities that require considerable response and remediation efforts or could result in reputational damage are also considered to have greater impact. For example:

  • Critical Impact: Attackers can read or modify Sensitive Data in a system, execute arbitrary code on the system, or exfiltrate digital or fiat currency in some way.

  • Low Impact: Attackers can gain small amounts of unauthorized, low sensitivity information impacting a subset of users, or slightly impact accuracy and performance of a system. (Please note that Denial of Service bugs will be considered on a case-by-case basis. Denial of Service issues that don’t impact availability of funds or user data will not likely be accepted as a valid report.)

Exploitability describes the difficulty of actively exploiting the vulnerability itself. We make this assessment primarily based on the prerequisites for exploitation, including level of access required, availability of information critical for successful exploitation, and likelihood of alignment of required factors outside the attacker’s direct control such as social engineering requirements or timing requirements. For example:

  • Critical Exploitability: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control.

  • Low Exploitability: Exploitation is difficult due to several requirements, such as access limitations, complicated social engineering, guessing unknown values, or alignment of unpredictable race conditions.

Severity is determined as a combination of Impact and Exploitability. For example:

  • Critical Severity: a state of immediate, easily accessible threat of large-scale compromise or irreversible damage to Phonon DAO or its userbase.

  • Low Severity: a state of no immediate threat where an opportunity exists for an improvement that may mitigate a potential future vulnerability.

The decision to award a payment for the discovery of a valid security issue is at the sole discretion of Phonon DAO.

Researchers are also more likely to earn a larger reward for exceptionally clear and high-quality reports.

Some restrictions apply to bounty eligibility. The researcher must not:

  • Be a resident of, or make their vulnerability submission from, a country against which the United States has issued export sanctions or other trade restrictions.

  • Be employed by GridPlus, Inc. or its subsidiaries or affiliates, or be considered a member of the Phonon DAO (membership in the DAO being determined at the DAO’s discretion).

  • Be an immediate family member of a person employed by GridPlus, Inc. or its subsidiaries or affiliates, or of a person considered a member of the Phonon DAO (membership in the DAO being determined at the DAO’s discretion).

  • Be in violation of any national, state, or local law, or regulation.

  • Be less than 18 years of age. If you are under 18 years old, or considered a minor in your place of residence, you must get your parents’ or legal guardian’s permission prior to participating in the program.

Previous bounty amounts are not considered precedent for future bounty amounts. Software is constantly changing, so the exact same vulnerability can have drastically different security impacts at different points in the development timeline.

Report Closure

Phonon DAO reviews all findings that are reported via our Bug Bounty Program. Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Phonon DAO will request additional information from the reporter. After all information is aggregated, the report submission goes through an internal review and scoring process. After the internal review process is complete, any bugs that are not reproducible, invalid, or informative-only will be closed.

It is up to the researcher to provide detailed information and supporting evidence to support all reports. Failure to provide a detailed report will result in delayed triage and/or ticket closure.

Scope

Scope will be further defined by addendum as the Phonon DAO develops and begins to deliver the product roadmap.

Out-of-scope Vulnerabilities:

  • Exploits on outdated software.

  • Vulnerabilities on sites hosted by third parties.

  • Denial of service attacks.

Legal Disclaimers

We reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.

Poll

  • You AGREE: we should proceed with a bug bounty program that has specific bounties and generalized bounties, as stated in this post.
  • You DISAGREE: we should NOT proceed with a bug bounty program that has specific bounties and generalized bounties, as stated in this post.


How would we do this? Aren’t all Phonon DAO token holders technically members of the DAO? Other than that, I think it looks good. I see a couple of minor typos, but we can iron those out before we publish.

Agreed, that’s true. I don’t know why being a member of the DAO should technically matter, but somehow we need to be able to determine if someone influenced the creation of a bug and then discovered their own bug, e.g. a new dev the DAO brought on.


This is great. Strong agree with the overall framework.

Agreed that being a member of the DAO should not necessarily prohibit someone from participating in the bug bounty. A better indicator would be being a contributor to a Phonon code repository, which is somewhat more easily tracked and is actually where the conflict of interest may arise.

I see the scope is to be further defined by addendum to this PhIP, but I’d like to express my opinion in advance that a generalized bug bounty would not be particularly helpful at this development stage of the codebase. Given that this is the alpha and there are many things we know will need to be changed, a generalized bounty is most likely just to turn up things we already know. A general bounty would likely be more applicable when the core software is at the beta and production stages.

However, there are parts of the codebase which should already have complete security guarantees, and putting out specific bounties to put those to the test would be very beneficial. For example, bountying the ability to pull the identity certificate private key off of a card would be good.

Maybe this could use a quick expansion of the section on the scope that this PhIP puts in place and the process by which the DAO will post and update the scope of the available bounties?


Jesus, that wouldn’t be a bad actor, that would be a horrendous person without any sorta character or discernment. Regardless, I appreciate the fact that you brought that up and pointed it out.
Bit late, though voted for.