[bisq-network/compensation] [WIP] For Cycle 33 (Issue #1007)

cbeams notifications at github.com
Sun Feb 20 15:09:56 CET 2022


## Summary

- **BSQ requested**: 840
- USD requested: 1050
- BSQ rate: [1.25](https://github.com/bisq-network/compensation/issues/996) USD per BSQ
- Previous compensation request (if applicable): #992

## Contributions delivered

| Title | Team | USD | Link | Notes |
| --- | --- | --- | --- | --- |
| DNS Admin | admin* | 25 | TODO | |
| Roles Maintainer | admin* | 25 | TODO | |
| Discover and disclose CVE-2021-39226 | ops | 1000 | | Filed on behalf of @ajay1706** |

## Contributions in progress

- bisq-network/bisq#5835
- bisq-network/bisq#5837

## Notes regarding CVE

@ajay1706 reached out to me via Twitter DM to report finding a vulnerability "in a bisq.network subdomain". This is what he wrote: 

> Description: I have found a critical security vulnerability in bisq.network subdomain where unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.
> Steps to POC:
> - Go to https://monitor.bisq.network/api/snapshots/:key
> - You will have the access to the key of snapshots
> - Here I'm getting all the snapshots of your grafana dashboard easily without authentication
> - This is considered a high severity issue with the CVE assigned to it

I put @ajay1706 in touch with @emzy. They sorted it out and resolved the vulnerability with an upgrade of Grafana.

I told @ajay1706 that this is non-critical and mostly or currently entirely unused infrastructure for us and asked him to suggest an amount of compensation for his work. I told him that as a courtesy I would include this amount in my own compensation request for Cycle 33 since he has no experience with the Bisq DAO, had already done the work, and—most importantly—because we have no published responsible disclosure policy that lets security researchers know that any compensation for their work will be subject to Bisq DAO compensation. More on that last bit in a minute.

Here is the conversation between @ajay1706 (`security_donut` on Keybase) and @emzy regarding amount requested for compensation:

> security_donut
> 2:36 PM - Yesterday
> $1000 for both of vulnerabilities would be least I can think of from my side
> emzy
> 2:38 PM - Yesterday
> For me it looks like a thing that some automated tool like ZAP or BURP would find and report. How much time you think you spend on it?
> security_donut
> 2:41 PM - Yesterday
> So it's not about the time you spent on your report? It's about the complete recon. From finding subdomains to checking it manually to screenshotting it, fuzzing it etc
> So yeah it does take a good amount of skillset and time. And yeah I have found it using burp fuzzing after checking manually all the subdomains and links affected by it
> And not to forget once I found this next I did was…
> Check this grafana domain with other cve’s too if they are vulnerable
> emzy
> 2:43 PM - Yesterday
> You did not know if the Monitor site was in scope. Just saying.
> But I think your chance is high to get the $1000 from the DAO.

So: I am including this 1000 in my compensation request as a one-time favor, and, if it is accepted, I will forward the 1,000 BSQ (less fees I pay) to @ajay1706 when I receive it.

I believe we should prominently publish a responsible disclosure notice that lets researchers know their work will be subject to normal DAO compensation so we don't run into something like this again.

In any case, thanks @ajay1706 and @emzy for getting this patched up.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/compensation/issues/1007