Adding Responsible Disclosure Vulnerabilities to Utopian

A few days ago I stumbled upon a bug report from @whd where they had found a cross-site scripting vulnerability in SteemDB (see Responsible disclosure SteemDB - Security is hard, that's why you have to escape OUTPUT data! - XSS injection). This got me thinking about how vulnerabilities would be disclosed here on Utopian. As a Cyber Security professional during the day, I come across vulnerabilities all too often. I am actually paid to find security holes in corporate networks. So when a security vulnerability is disclosed it helps the community as a whole by making it more secure. Security vulnerabilities are inevitable; no programmer is perfect and they will make mistakes. That's why things like code reviews and code scanners exist because programmers will make mistakes.

What is Responsible Disclosure?

TL;DR Don't disclose a vulnerability publicly without letting the developers know first!

While I love it when others find security vulnerabilities and holes in software, the disclosure of the vulnerability needs to be done in a responsible manner. That's where Responsible Disclosure comes in. While there is no official definition and the topic of responsible disclosure is a heated topic in the cybersecurity community, the most basic definition is to give the developers time to fix the vulnerability before going public with it. So why do that? Well, for one, if it is a particularly nasty vulnerability in a software that is used by a lot of people you don't want to advertise to those hackers whose morals are a little shaky that there is a massive hole somewhere they could exploit and profit from. Take for example WordPress. If you were to find a hole in WordPress that disclosed the administrator's password, as someone in the community you would want to notify the developers first before letting the world know the hole exists. If you didn't then there might be mass panic and a lot of people would be victims of the vulnerability before the developers can fix it.

Now there are some caveats to this. The first is that many developers will disagree with your findings because they don't want to admit they made a mistake. I think this is less prevalent in the opensource community as most of these developers are looking for all the help they can get. But I have seen it in my day job, working with corporate developers. I've had many an argument with a developer over how the vulnerability I discovered is just a "feature".


The other issue I've seen is that some companies out there will make you sign a non-disclosure form preventing you from telling anyone about it. Once you sign this form, they consider themselves safe and don't fix the issue. Now again, I don't see this happening much in the opensource community because you are less likely to come across a company backing opensource than you are to find just a bunch of developers who are doing this in their spare time. Of course, with Utopian, I can see some people creating businesses out of writing open source software too, so that may change.

So what can Utopian Do?

Well, I'm not sure I have a perfect solution. I would like to suggest a few changes to the platform to encourage responsible disclosure first. The first change I'd like to suggest is either a change to the bug hunting rules or the creation of a new category of contribution named "Vulnerability Report". If I had my say in the matter I'd like to see a new category created named "Vulnerability Report". My suggestions for rules are as follows:

  • Provide as much detail as possible to reproduce the vulnerability
  • Provide an analysis of what a bad guy could do with this vulnerability that would affect the users of the software
  • Provide proof that you disclosed this to the development team at least 1 week ago giving them time to fix it (a screenshot of an email or an issue number on the GitHub page will do)
  • Providing CVE number for the vulnerability will increase your reward (I'd like to see this one, but it's optional)

This will ensure that people understand that they need to contact the development team before releasing the vulnerability on Utopian. The moderators could judge the disclosure and provide a higher vote from the Utopian bot for those that do it right and a lower vote for those that tried and just didn't disclose it properly.

At the minimum, I'd like to see the "provide proof that you disclosed this to the development team" rule added to the Bug Hunting category to show people that they need to take the time to let the development team know and give them time to fix the issue.

Suggested Vulnerability Report Screen

So I'm no graphic artist, I literally just did this using the Preview app on my Mac. But I think having some sort of hat as the icon would be cool. It's kind of a tip to white hat hackers. I'd like to give credit for the Hat Vector to The Noun Project, who released it under the Creative Commons License.

Utopian as an opensource Bug Bounty Program

So the other suggestion I had was to enable Utopian as a Bug Bounty program for opensource projects. It already is for the most part, but the way bug bounty programs work for vulnerabilities is that there needs to be a secure portal for a vulnerability researcher to send encrypted or secure messages to the development team. One way Utopian could help with this is by using the sponsored projects feature announced here. The way I understand it, when a project sponsor applies to activate the project sponsorship feature the Utopian moderators create a new Steem account for that project. If this is the case then that Steem account has a memo private and public key. This would allow for encrypted messages to be sent back and forth between the vulnerability researcher and the GitHub developers who are authorized to use that account for upvoting.

As an example, say I find a vulnerability in the eSteem App. I would go to Utopian and click on contribution and choose Vulnerability Report. Once I put in the GitHub page for eSteem, Utopian could provide me with a popup saying "Would you like to securely communicate with the developers?". If I choose yes, then I could write out a short report notifying the developers that I've found a vulnerability. The Utopian application would then encrypt that message with the memo public key for the @esteem.utp account. Since the Utopian platform is in control of the @esteem.utp account they could use the private key to decrypt the message to the users who are authorized to upvote using that account, providing a secure means of initial disclosure to the project developers.
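
The encrypt-to-the-project-key flow described above, sketched as an added example that is not part of the original post and is not Utopian or Steem code. It uses ephemeral ECDH on secp256k1 with AES-256-GCM from Node's built-in crypto module rather than Steem's actual memo format; the function names, the key pair and the project ID are assumptions.

```javascript
// Added example: sealing a vulnerability report to a project's public key.
// Not Steem's memo wire format; the scheme and all names are illustrative.
const crypto = require('node:crypto');

const CURVE = 'secp256k1'; // the curve Steem keys use

// Constructed stand-in for the project account's memo key pair.
function generateMemoKeyPair() {
  const ecdh = crypto.createECDH(CURVE);
  const publicKey = ecdh.generateKeys(null, 'compressed');
  return { publicKey, privateKey: ecdh.getPrivateKey() };
}

// Derive a 256-bit AES key from the ECDH secret, bound to both public keys.
function deriveKey(shared, ephemeralPub, recipientPub) {
  const info = Buffer.concat([ephemeralPub, recipientPub]);
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), info, 32));
}

// Researcher side: only the recipient's public key is needed.
function sealReport(recipientPub, report, projectId) {
  const eph = crypto.createECDH(CURVE);
  const ephemeralPub = eph.generateKeys(null, 'compressed');
  const key = deriveKey(eph.computeSecret(recipientPub), ephemeralPub, recipientPub);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(projectId)); // ties the ciphertext to one project
  const ciphertext = Buffer.concat([cipher.update(report, 'utf8'), cipher.final()]);
  return { ephemeralPub, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Project side: requires the memo private key; throws if anything was altered.
function openReport(recipientPriv, sealed, projectId) {
  const ecdh = crypto.createECDH(CURVE);
  ecdh.setPrivateKey(recipientPriv);
  const recipientPub = ecdh.getPublicKey(null, 'compressed');
  const key = deriveKey(ecdh.computeSecret(sealed.ephemeralPub), sealed.ephemeralPub, recipientPub);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, sealed.iv);
  decipher.setAAD(Buffer.from(projectId));
  decipher.setAuthTag(sealed.tag);
  return Buffer.concat([decipher.update(sealed.ciphertext), decipher.final()]).toString('utf8');
}
```

Whoever holds the private key can read every report, so in the design above the platform that controls the project account is part of the trust path alongside the developers.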

Now I know my second suggestion requires much more development work and engineering. I'm no developer so I have no idea about how to get at this, but I'd love to hear what others think in the comments section. Am I way off base or can this be done?



Posted on Utopian.io - Rewarding Open Source Contributors
