
For Cycle 33 #1007

Closed
cbeams opened this issue Feb 20, 2022 · 14 comments
Labels: parsed:valid (https://bisq.wiki/Compensation#Ensure_your_request_is_valid), team:admin (https://bisq.wiki/Admin_Team), team:ops (https://bisq.wiki/Ops_Team), was:accepted (indicates that a compensation request was accepted by DAO voting)

Comments


cbeams commented Feb 20, 2022

Summary

  • BSQ requested: 840
  • USD requested: 1050
  • BSQ rate: 1.25 USD per BSQ
  • Previous compensation request (if applicable): For Cycle 32 #992

Contributions delivered

| Title | Team | USD | Link | Notes |
|---|---|---|---|---|
| DNS Admin | admin* | 25 | bisq-network/roles#18 (comment) | |
| Roles Maintainer | admin* | 25 | bisq-network/roles#28 (comment) | |
| Discover and disclose CVE-2021-39226 | ops | 1000 | | Filed on behalf of @ajay1706** |

Contributions in progress

**Notes regarding CVE

@ajay1706 reached out to me via Twitter DM to report finding a vulnerability "in a bisq.network subdomain". This is what he wrote:

Description: I have found a critical security vulnerability in bisq.network subdomain where unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.
Steps to POC:

  • Go to https://monitor.bisq.network/api/snapshots/:key
  • You will have the access to the key of snapshots
  • Here I'm getting all the snapshots of your grafana dashboard easily without authentication
  • This is considered a high severity issue with the CVE assigned to it

I put @ajay1706 in touch with @Emzy. They sorted it out and resolved the vulnerability with an upgrade of Grafana.

I told @ajay1706 that this is non-critical and mostly or currently entirely unused infrastructure for us and asked him to suggest an amount of compensation for his work. I told him that as a courtesy I would include this amount in my own compensation request for Cycle 33 since he has no experience with the Bisq DAO, had already done the work, and—most importantly—because we have no published responsible disclosure policy that lets security researchers know that any compensation for their work will be subject to Bisq DAO compensation. More on that last bit in a minute.

Here is the conversation between @ajay1706 (security_donut on Keybase) and @Emzy regarding amount requested for compensation:

security_donut (2:36 PM - Yesterday):
$1000 for both of the vulnerabilities would be the least I can think of from my side

emzy (2:38 PM - Yesterday):
For me it looks like a thing that some automated tool like ZAP or BURP would find and report. How much time do you think you spent on it?

security_donut (2:41 PM - Yesterday):
So it's not about the time you spent on your report? It's about the complete recon. From finding subdomains to checking it manually to screenshotting it, fuzzing it etc.
So yeah it does take a good amount of skillset and time. And yeah I have found it using Burp fuzzing after checking manually all the subdomains and links affected to it
And not to forget, once I found this, the next thing I did was…
Check this Grafana domain with other CVEs too, to see if they are vulnerable

emzy (2:43 PM - Yesterday):
You did not know if the Monitor site was in scope. Just saying.
But I think your chance is high to get the $1000 from the DAO.

So: I am including this 1000 in my compensation request as a one-time favor, and, if it is accepted, I will forward the 1,000 BSQ (less fees I pay) to @ajay1706 when I receive it.

I believe we should prominently publish a responsible disclosure notice that lets researchers know their work will be subject to normal DAO compensation so we don't run into something like this again.

In any case, thanks @ajay1706 and @Emzy for getting this patched up.
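The report above names one configuration setting (Grafana's `[snapshots] public_mode`, default false) and three snapshot paths. The following is an added operator-side example, not code from this thread or from the Bisq or Grafana projects: it checks a grafana.ini for that setting (the weak value beside the corrected one) and scans request-log lines for hits on those paths that succeeded without an authenticated user, which is the scenario the report describes. The `method=... path=... status=... uname=...` log shape, the sample log lines and the sample ini fragments are all constructed for the example; adapt `LOG_RE` to the real log format before running it on production logs.

```python
"""Operator-side checks for the Grafana snapshot weakness described in the report.

Constructed example: checks a grafana.ini for the [snapshots] public_mode setting
the report names (default false; true exposes snapshot deletion to unauthenticated
callers) and scans access-log lines for hits on the snapshot paths the report lists.
The key=value log format used below is a simplified assumption, not Grafana's exact
output.
"""
import configparser
import re
from dataclasses import dataclass

# Paths named in the report: view (/dashboard/snapshot, /api/snapshots) and delete.
SNAPSHOT_PATHS = ("/api/snapshots/", "/api/snapshots-delete/", "/dashboard/snapshot/")

# Constructed grafana.ini fragments: the weak setting beside the corrected one.
WEAK_INI = """
[server]
domain = monitor.example
[snapshots]
public_mode = true
"""

HARDENED_INI = """
[server]
domain = monitor.example
[snapshots]
public_mode = false
"""


def audit_snapshot_config(ini_text: str) -> list:
    """Return human-readable findings for the [snapshots] section of a grafana.ini."""
    cfg = configparser.ConfigParser(interpolation=None)  # Grafana values may contain '%'
    cfg.read_string(ini_text)
    # A missing key means Grafana's documented default, false.
    public_mode = cfg.getboolean("snapshots", "public_mode", fallback=False)
    findings = []
    if public_mode:
        findings.append(
            "[snapshots] public_mode=true: unauthenticated callers can delete snapshots;"
            " set public_mode = false unless this instance must serve external snapshots"
        )
    return findings


# Simplified request-log shape (assumption): method=... path=... status=... uname=...
LOG_RE = re.compile(
    r"method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d+) uname=(?P<user>\S*)"
)


@dataclass
class SnapshotHit:
    method: str
    path: str
    status: int
    user: str  # "-" when no authenticated user was attached to the request


def find_snapshot_hits(log_lines) -> list:
    """Collect every request that touched one of the snapshot paths."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None or not m.group("path").startswith(SNAPSHOT_PATHS):
            continue
        hits.append(SnapshotHit(m.group("method"), m.group("path"),
                                int(m.group("status")), m.group("user") or "-"))
    return hits


def unauthenticated_successes(hits) -> list:
    """Snapshot reads or deletes that succeeded (2xx) with no logged-in user."""
    return [h for h in hits if h.user == "-" and 200 <= h.status < 300]


# Constructed log lines for the example.
SAMPLE_LOG = [
    't=2022-02-19T14:00:01Z lvl=info msg="Request Completed" method=GET path=/api/snapshots/abc123 status=200 uname=-',
    't=2022-02-19T14:00:02Z lvl=info msg="Request Completed" method=GET path=/api/dashboards/home status=200 uname=admin',
    't=2022-02-19T14:00:03Z lvl=info msg="Request Completed" method=GET path=/dashboard/snapshot/abc123 status=401 uname=-',
    't=2022-02-19T14:00:04Z lvl=info msg="Request Completed" method=GET path=/api/snapshots-delete/del456 status=200 uname=-',
    't=2022-02-19T14:00:05Z lvl=info msg="Request Completed" method=DELETE path=/api/snapshots/abc123 status=200 uname=admin',
]

if __name__ == "__main__":
    for finding in audit_snapshot_config(WEAK_INI):
        print("weak config:", finding)
    print("hardened config findings:", audit_snapshot_config(HARDENED_INI))
    for hit in unauthenticated_successes(find_snapshot_hits(SAMPLE_LOG)):
        print("unauthenticated snapshot access:", hit)
```

The config audit treats a missing `public_mode` key as Grafana's default (false), so only an explicit `true` is flagged; the log scan keeps all snapshot-path hits so an operator can also see authenticated deletions, and filters down to unauthenticated 2xx responses separately. Neither check replaces upgrading Grafana, which is what actually resolved the issue above.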

@cbeams cbeams changed the title [WIP] For Cycle 33 For Cycle 33 Feb 20, 2022
@ghost ghost added parsed:valid https://bisq.wiki/Compensation#Ensure_your_request_is_valid team:admin https://bisq.wiki/Admin_Team team:ops https://bisq.wiki/Ops_Team labels Feb 20, 2022

cbeams commented Feb 20, 2022

@Emzy, I'll ask you to approve this compreq as ops lead since the main part is ops-related, thanks.

@MwithM MwithM added this to the Cycle 33 milestone Feb 20, 2022

Emzy commented Feb 20, 2022

First of all, thank you very much @ajay1706 for reporting the security issue and for doing a responsible disclosure.
This is very appreciated!

I have to add that it was my fault not updating Grafana on https://monitor.bisq.network/
My reasoning was that the Grafana graphs are broken and need fixing. So updating was counterproductive in my mind.

The server has no impact on the operation of Bisq. There is no sensitive data at all on that server, all is shared openly.
Especially because Bisq has no responsible disclosure policy, this should be considered in the compensation amount.

If there were a responsible disclosure policy, this server would not be considered a target.

Bisq should in general encourage responsible disclosures, but only for systems that are relevant and for the Bisq software itself.

I can't approve this for ops, because ops has no budget for responsible disclosures.

@ajay1706

So you mean that whoever finds such vulns in your domain should do that for free? You only asked we will pay you according to the time you have worked on it and now you are not accepting it? I have worked my time on it and don't want to do something for free here. I deserve a little bounty at least

@ripcurlx

> So you mean that whoever finds such vulns in your domain should do that for free? You only asked we will pay you according to the time you have worked on it and now you are not accepting it? I have worked my time on it and don't want to do something for free here. I deserve a little bounty at least

Hi @ajay1706! What @Emzy is saying is that his team has no budget for this kind of disclosure, not that you won't get compensated for your responsible disclosure. So it will be a bigger discussion here, and I think we should put up asap a security policy for the website under bisq/SECURITY.md. Something like:

Security Policy

Supported Versions

TODO: Point out which versions+ will receive updates. ATM v1.8.2+

| Version | Supported |
|---|---|
| v1.8.2+ | |
| < 1.8.1 | |

Reporting a Vulnerability

TODO: Use this section to tell people how to report a vulnerability.

Tell them where to go, how often they can expect to get an update on a reported vulnerability, what to expect if the vulnerability is accepted or declined, etc.

Anyone up for drafting something for this?


cbeams commented Feb 22, 2022

Thanks, @Emzy. It's a good point that ops doesn't have budget for this per se. Nor does any other team, though, as this is sort of an undefined area.

I've gone ahead and submitted this compensation request to the DAO anyway, with txid 9d7d24ded9923a020e1cfc5affc152434384bd5a3f52aca4897ea0bb23bff034.

My argument would be that others should vote for it with the proviso that we publish something like @ripcurlx suggests above that makes it clear that compensation for disclosures is subject to DAO voting like any other kind of compensation. I'm not sure about budgeting, but in this case it seems like it should be assigned to ops, since it was ops-managed infrastructure in question.


MwithM commented Feb 23, 2022

I consider that even with no budget assigned to it or team lead approving it as usual, this compensation request has been properly reviewed by various contributors and hence I leave the status of this issue as Proposal Submitted.

@chimp1984

I think we should define more clearly what types of security vulnerability reports we consider justified for compensation and to which amounts. The potential damage by the security vulnerability could be one factor to consider as well: whether it touches the core functionalities (Bisq app, trading) or just the surrounding infrastructure which mostly does not carry any real financial risk. Another factor is to be sure that the reporter has some track record of professional security research. Otherwise we invite people running scripts to detect known vulnerabilities which are often not much relevant for Bisq (no opinion about that report as I did not look closer into it, but the contributor seems not to be a professional security researcher from his GitHub profile).


ajay1706 commented Mar 1, 2022 via email


chimp1984 commented Mar 1, 2022

> I'm a professional security researcher; you can check my record on LinkedIn. I don't post much on GitHub post my developer days. https://www.linkedin.com/in/ajay-sharma-33683a10b https://twitter.com/security_donut

Thanks for the additional links. I just looked into your GH account and there have been no indications of security research, but the other links confirm your background.


ajay1706 commented Mar 2, 2022

yeah I hardly use GH for my security thing.

@MwithM MwithM added the was:accepted Indicates that a compensation request was accepted by DAO voting label Mar 7, 2022

ghost commented Mar 7, 2022

Issuance by Team:

| team | amount BSQ | amount USD |
|---|---|---|
| admin | 40.00 | 50.00 |
| ops | 800.00 | 1000.00 |

Total Issuance: 840.00 BSQ (equivalent to: 1050.00 USD)


MwithM commented Mar 7, 2022

Closed as accepted.

@MwithM MwithM closed this as completed Mar 7, 2022

cbeams commented Mar 7, 2022

As planned, I'll transfer 800 BSQ (1000 USD / 1.25 BSQ-USD) to @ajay1706 later today and will post the tx id when I do.


cbeams commented Mar 7, 2022

800 BSQ have been transferred to @ajay1706 in tx 01978be2cf5ba092cf014f2745a453f037163f4193748fa857c33769aec29bdc. Thanks, @ajay1706.
