login
BUIP026: Bounties for Software Exploits
Proposer: Tim Potter (sponsored by Andrew Clifford)
Submitted on: 2017-03-29
Status: passed

Background

Bitcoin Unlimited must produce exceptionally reliable code.

The goal of this proposal is to fund a bounty purse that mimics both the
corrective mechanisms and also the high reliability of DNA synthesis by
incentivizing the entire community of open source code contributors to
search for nuggets.

An example of high precision high reliability code in nature is DNA. The
overall error rate is 10^-10 errors per base pair. The error rate of DNA
synthesis is 10^-8, but this error rate is corrected with multiple
corrective mechanisms that eventually bring the error rate down to
10^-10.

Solution

This BUIP proposes an additional tier of code review that is beyond what
any development team could reasonably accomplish on its own by adding a
simple cash reward mechanism as a highly efficient method of detecting
any remaining bugs.

Reward payments are effectively bounties in this context.

A there are two levels of reward available to software developers
everywhere:

Exploits

Identification of an exploit which can remotely bring down a node will
earn a reward payment in BTC

  1. the fault details are emailed to security@bitcoinunlimited.info
  2. the fault is shown to be effective by the BU dev team.
  3. the fault is fixed and a public release is available before the
    exploit is used on main-net.

At any point after software is merged into the principal branches this
becomes active:

The reward for a fault in the release version is $2000, equivalent in
BTC, regardless of how long the fault has been present. The reward for a
fault in the dev version is $3000, equivalent in BTC, provided the fault
has been in the dev version for 60 days. The reward values will be
subject to periodic review.

General bugs

Any general faults and bugs in the current release version can be
notified to the Bitcoin Unlimited lead Developer who will make an
assessment about the seriousness and can propose a cash payment of up to
$1000. This is subject to discussion and approval of other BU officers,
however, the recommendation of the Developer will normally be accepted.

Wider audience

Hackerone. A reward for exploits to be advertised there on a similar
basis as above.

Total Pool

Total bounty pool is $20,000 after which it will be necessary to return
to the membership with a BUIP to top-up the funds.

Any additional feedback is appreciated.