Hi, please see inline comments.
Security researchers don't need to continuously read the code one time after the other.
Personally I read the code once or twice, and I "smell" problems.
Afterwards, only the new code of new releases has to be audited.
I understand that. I do the same but with the assembler.
I was more saying that I would like to see someone get a bounty for reviewing the code even if they dont find anything because there might not be anything to find. I think that is a fairer method of compensation. I think that would allow us to get some confidence in the code.
I disagree with it only being the new code that needs auditing, what happens if the new bit of code doesnt know about some back end rules but and thinks there should be a different outcome? there is so many intergration issues and potential to open a new or reintroduce a bug in a completely unrelated bit of code.
Well, Bitcoin developers seems to be very talented, as there were so few security vulnerabilities.
I cannot rate myself.
I was in no way saying or implying that yourself or the bitcoin developers lacked talent, I apologise if that is what you took from my statement from the posts I have seen you make I have nothing but respect for you, it is obvious you have a talent and passion for security.
What I was trying to say was the bitcoin developers are already doing this for love, so they will report bugs even if there is no reward, the idea behind a bug bounty is to attract in new talent, talent that might not care about bitcoin but does care about money.
This is the same logic as I use to workout what programs to look for vulns in - i could care a lot less about office, however it pays me well to find vulns there.
Nevertheless there are at least three documented vulnerabilities: see
https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures.
And one undocumented (silently patched) vulnerability.
CVE-2011-4447 wxBitcoin and bitcoind Wallet (non-)encryption -> Not categorized (not remotely explotable)
CVE-2012-1909 Bitcoin protocol Transaction overwriting -> Not categorized (requires a lot of hasing power)
CVE-2012-1910 Bitcoin-Qt for Windows MingW non-multithreading -> TYPE 1
The undocumented vulnerability is of type 3.
I was not saying DoS is not a valid attack vector, I was trying to say that I believe that if a half decent bounty is offered for DoS bugs there will be so many supurious bug reports by well meaning but mistaken people that most of testing would actually be customer service/tech support, I have seen this happen at a workplace before.
i would like to clearly state that if anyone reports a significant bug in bitcoin or the protocol they should be rewarded if that reward exists. I do not however feel that this reward should be priorotised above or below the rewards of the person who reviews the code and does not find a bug. This is a very tricky subject.
to sum up, I like the idea, but i am not sure what is to be gained and where it would be gained. I think a better use of resources might be to give bounties for reports of code reviews, etc rather than bug. I dont know though.
I am glad you are also thinking how we can get more talent in, and how to reward the people that already do the work. just out of interest, what would your bounty rewards roughly be for type 1, 2 and 3 bugs? I do not think we would be able to compete with the likes of zdi, idefense or pentest companie securiteam, ngs, etc. (all of them will be $500k+)
I am still really undecided on this topic.
cheers,
steve
