This blog originally appeared on ARK’s Medium blog and is authored by Kristjan Košič.
After running our private Bugcrowd security bounty program for testing purposes, we are finally ready to open the program to everyone.
Opening up the Bugcrowd program to the public has the potential to put over 100,000 eyes on the ARK core codebase, making our already running GitHub bounty program even stronger.
The Bugcrowd platform has proven itself time and again with helping companies such as Netflix, Binance, Netgear, Motorola, Digital Ocean, Tesla and many more.
During the private testing phase of the bounty program, four security vulnerabilities were reported. Two of them were related to our old deprecated v1 API and two of them reported possible Denial of Service attacks via the following endpoints:
https://IP:PORT/api/v2/delegates/REPLACE_HERE/blocks?page=250&limit=1
https://IP:PORT/api/v2/wallets/top?page=0&limit=REPLACE_HERE
In both cases the limit parameter was not bounded on the server side, so a client could override it with an arbitrarily large value and force the server to do additional work, thus introducing a possible application-level Denial of Service attack. Both endpoints were closed and fixed during the v2.0.x upgrades.
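The fix for this class of bug is to validate and cap pagination parameters before any database work happens. The following is an added example, not ARK Core's own code: a small Node.js validator that rejects non-integer, out-of-range or oversized page and limit values and derives the query offset only from validated numbers. The maximum limit, maximum page and default limit are assumptions chosen for illustration, and the request URLs at the bottom are constructed test inputs modelled on the two endpoints above.

```javascript
// Added example (not ARK Core's own code): bound pagination parameters
// server-side so a caller cannot request arbitrarily large result pages.
// The three constants are assumptions chosen for illustration.
const DEFAULT_LIMIT = 100;   // used when the client omits ?limit=
const MAX_LIMIT = 100;       // hard cap on rows returned per request
const MAX_PAGE = 10000;      // cap on page index so the offset stays bounded

// Parse a query-string value as a positive integer.
// Returns `fallback` when the value is absent, null when it is malformed.
// The digit-count bound rejects forms such as "1e9", "-5", "9".repeat(30)
// and "0x10" that Number() or parseInt() would otherwise accept or truncate.
function parsePositiveInt(raw, fallback) {
  if (raw === undefined || raw === null || raw === "") return fallback;
  if (typeof raw !== "string" || !/^\d{1,9}$/.test(raw)) return null;
  return Number.parseInt(raw, 10);
}

// Validate { page, limit } from a parsed query object (pages are 1-based here,
// an assumption). Returns { ok: true, page, limit, offset } or { ok: false, error }.
function parsePagination(query) {
  const page = parsePositiveInt(query.page, 1);
  const limit = parsePositiveInt(query.limit, DEFAULT_LIMIT);
  if (page === null || page < 1 || page > MAX_PAGE) {
    return { ok: false, error: `page must be an integer between 1 and ${MAX_PAGE}` };
  }
  if (limit === null || limit < 1 || limit > MAX_LIMIT) {
    return { ok: false, error: `limit must be an integer between 1 and ${MAX_LIMIT}` };
  }
  // Offset is computed only from validated values, so its maximum is known.
  return { ok: true, page, limit, offset: (page - 1) * limit };
}

// Extract the pagination fields from a full request URL.
// Absent parameters are passed through as undefined so defaults apply.
function checkRequestUrl(urlString) {
  const params = new URL(urlString).searchParams;
  return parsePagination({
    page: params.get("page") ?? undefined,
    limit: params.get("limit") ?? undefined,
  });
}

// Constructed sample requests (placeholder host; not real ARK node addresses).
const SAMPLE_REQUESTS = [
  "https://example.invalid/api/v2/delegates/DELEGATE_ID/blocks?page=250&limit=1",
  "https://example.invalid/api/v2/wallets/top?page=0&limit=1000000",
  "https://example.invalid/api/v2/wallets/top?limit=1e9",
  "https://example.invalid/api/v2/wallets/top",
];

for (const url of SAMPLE_REQUESTS) {
  console.log(url, "->", JSON.stringify(checkRequestUrl(url)));
}
```

A handler that uses `parsePagination` replies with HTTP 400 on `ok: false` and otherwise passes `limit` and `offset` to its query, which keeps the per-request cost bounded regardless of what the client sends.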
How To Get Involved?
ARK’s public Bugcrowd program information is available at
We invite all security researchers and penetration testers to check our Security Vulnerabilities repository, where you can learn about recent issues and use it as a starting point to grab some ideas and come up with new testing strategies.
In order to start testing you can read up on our Core and use our Development Network, which as the name suggests is a testing and development ground to play on.
Some of the important links you can check:
- Understanding transaction life-cycle from client to blockchain
- How does Core work and its mechanics
- API Documentation
- SDKs to interact with ARK
- Setting up your own relay node
- Setting up ARK Core with Docker (additional blog post)
- How to deploy your own ARK-based network with Deployer
- Development Network Explorer
- List of known and patched security vulnerabilities
If you would like to get Development Network ARK tokens (DARK) for any testing, please join our Slack and request them in the #devnet channel.
How it Works
A security researcher discovers and submits a finding to Bugcrowd. The submission is reviewed, tested, reproduced and once validated, is quickly relayed to the ARK Team. In turn, we review/test the vulnerability and patch the finding (if applicable).
Findings that may be critical are pushed to our team in under 24 hours. We can directly converse with the researchers to get or request additional information, including access to all conversations between the security researchers and Bugcrowd. As a result, critical bugs get fixed and patched much sooner than less severe ones.
Vulnerability Rating Taxonomy
ARK is using Bugcrowd’s VRT, a resource that outlines Bugcrowd’s baseline priority rating. Included are certain edge cases for vulnerabilities that are frequently seen. To arrive at a rating, Bugcrowd’s security engineers start with generally accepted industry impact standards and further consider the average acceptance rate, average priority, and commonly requested program-specific exclusions (based on business use cases) across all of Bugcrowd’s programs.
Bugcrowd’s VRT is an invaluable resource for bug hunters as it outlines the types of issues that are normally seen and accepted by bug bounty programs. We hope that being transparent about the typical priority level for various bug types will help program participants save valuable time and effort in their quest to make bounty targets more secure. The VRT can also help researchers identify which types of high-value bugs they have overlooked, and when to provide exploitation information (POC info) in a report where it might impact priority.
Why Crowd Sourced Security?
There is sometimes a disconnect between the motivations of network attackers and those of developers and security defenders. Crowd sourced security helps alleviate this imbalance by harnessing white hat security researchers to find and eliminate vulnerabilities, providing rapid and focused results. The most critical attack surfaces are examined, including web and API interfaces on server/cloud, mobile and IoT platforms. The security researchers are trusted and highly vetted, defusing the concerns of risk associated with crowd sourced security.
While the ARK team and the community know the blueprint of their ship quite well, it is often the eyes of outside examiners who can provide a fresh perspective from a different angle.
The massive increase in efficiency of crowd sourced pen-testing will allow ARK to reach a wider group of individuals with a vast interest in cyber security. In some cases, it takes far less time than if we solely rely on our internal development team or community at large. Ultimately, it is our highest priority to provide the most secure platform possible to all users of ARK and we hope putting our code in front of thousands of testers will assist us in providing this.