Author:
Ryan Sears
Created:
01/24/2022
Status:
DRAFT
Summary
A security researcher reached out about a remote code execution vulnerability in the Kolibri forum (discuss.kolibri.finance, this very forum) due to an outdated Discourse server. Their findings were legitimate and they disclosed the vulnerability responsibly, so I think that, while we work to get a formal bug bounty program in place, we should pay this researcher for acting in good faith.
The full report can be found in this gist (originally shared via Discord).
I’m not sure of the amount; it’ll be determined by a signal request.
Motivation
Bug bounties are a critical part of a healthy protocol, and it’s not just smart contracts that need attention. Issues with the Kolibri infrastructure could pose availability risks or, even worse, be leveraged in attempts to steal user funds.
Details
On 01/21/22, a Discord user reached out in the #smart-contract-development channel to inquire whether there was a bug bounty program for Kolibri. It’s been discussed a few times, but there’s nothing formally established yet, and I informed them as such.
They then shared details of an unpatched security vulnerability (remote code execution) in this very forum software (Discourse). The good thing is that the forum runs on its own instance in a Docker container, so the potential damage was very limited, but it was a good finding regardless, since it could lead to a loss of privacy for users or some sort of defacement activity.
Due to the high quality of the report, and the responsible disclosure of a significant vulnerability, I think that the DAO should pay the user a bug bounty for their disclosure.
The amount is currently TBD, and I will be putting in a signal request to try to determine the appropriate bug bounty amount.