The vulnerability is mining: How does DVP make the blockchain more secure? | Chain Node AMA

Since the birth of the Internet, security has always been a vital part. Although the conventional security system derived has alleviated some security risks to a certain extent, it also exposed some problems: such as privacy, efficiency, and integrity.

On July 24th, Daniel Wen, CEO of Decentralized Vulnerability Platform DVP, acted as the guest node ChainNode AMA, answering questions about the decentralized vulnerability platform and explaining why this model is the future development trend.

20190725181816

The following is the AMA highlights:

In one sentence, what is DVP doing?

"(We are) decentralized vulnerability reward platform and white hat self-governing community."

Daniel Wen further pointed out that the focus of DVP is to use the existing underlying technology to establish a trusted and private security information exchange platform between blockchain project parties, security practitioners and organizations. At the same time, establish a pass-based incentive Centralized autonomous community.

In the past year, DVP has been deeply immersed in the field of blockchain security in a low-key manner, focusing on the construction of vulnerability platforms, white-hat communities and vendor cooperation. It has achieved phased results: As of today, the DVP platform has registered more than 1.4 white hats. 10,000 people, covering more than 1,400 manufacturers, nearly 100 companies, and dozens of security teams, including more than 4,000 effective vulnerabilities. At present, the head manufacturers of the Bounty Program have 42 NEO, MXC, Gate, Bibox, F2pool and so on. DVP's in-depth partners include strengths in the security field such as White Hat, and Shield, with strong technical backing. DVP is already in the subdivision head position on the scale.

Relying on the economic model of “vulnerability is mining, safety and public measurement is mining”, its future will focus on two aspects of development: on the one hand, DVP is committed to attract more security practitioners from all over the world; In contrast, DVP will work with more blockchain projects to create products that are vulnerable to each project's vulnerability.

So, do ordinary users have the opportunity to participate in DVP governance? DVP will adopt the DPoS mechanism. In addition to the arbitration nodes led by professional security agencies, white hats and security teams, DVP holders can pledge nodes in the future to build common nodes, market education, event organization, and document writing. Participate in governance in the same way and get the corresponding incentives. DVP Pass is also based on the same principles as the classic Bitcoin and Ethereum: value creation and value sharing.

Do the decentralized vulnerability reward platform, DVP is more than one move?

Now that there are excellent security companies in the industry, such as PechShield, what is the significance of security testing? The concept of vulnerability rewards has been around for a long time. It is usually the direct contact between white hat hackers and related platforms and projects. What is the significance of DVP as a channel for communication between the two parties? The user has generated such doubts.

In response, Daniel Wen responded:

“The blockchain is an interdisciplinary technology, still in the early stage, the development and update speed is fast, and the lack of blockchain security practitioners leads to a large number of new weak links in the development of blockchain. With a single security team, it's hard to cover all the weak points."

When using a single security team, "One, the defense is difficult. The attack may involve a very wide range, so be sure to do a very comprehensive test when defending. The attack only needs one point, the defense must guard against many aspects. Second, the service is single. Sexuality, that is, sustainability issues. The services that security companies provide to you, or the security services you purchase, are often single-shot, that is, it only helps you detect it once."

“Safety testing can complement this issue, allowing more professional security researchers to more flexibly arrange time, look for vulnerabilities from all angles, and provide timely feedback to the project side for repair. The effect is paid. Only when a valid loophole is found, the project party needs to pay. Therefore, the security public test has the advantage of continuity and cost, and it does not conflict with the security service business. The two will jointly protect the security industry."

For DVP's role in the vulnerability reward, Daniel said:

"First of all, white hats communicate with manufacturers at a certain cost and risk. From the perspective of the manufacturer, if an individual communicates vulnerabilities and asks for rewards by privately contacting the manufacturer, a slight communication may cause the manufacturer to mistake it for extortion. It brings risks to the white hat itself, and the reward cannot be guaranteed. It is also possible to ignore the white hat and directly fix the vulnerability after the manufacturer obtains the details of the vulnerability."

"When the manufacturer operates the white hat community, it has a certain cost. Without the white hat community, even if the external statement is rewarded, many white hats may not be noticed. The advantage of DVP is that it has long-term accumulation and a stronger security team. White hat group exposure and coverage, as well as better business processes and richer business experience. After the company settles in, there will be a white hat to pay attention to, instead of building a security response platform and operating a white hat community, improve Vendor safety-related operational efficiency while reducing costs."

There are also two problems with the traditional public measurement platform, namely the issue of anonymization and reward distribution. The traditional rewards process needs to go through the bank, which is a bug in itself for the white hat that pursues anonymity. Daniel Wen pointed out:

"On the DVP platform, every white hat is an address. The rewards given by the manufacturer can also be directly issued by means of digital assets. That is, the white hat can be submitted anonymously, and the award is also granted anonymously. of."

"The establishment of a chain has several purposes. One is to ensure the confidentiality of the security information exchange process. For example, when a vulnerability is submitted, the vulnerability report of the public key is encrypted according to the vendor, and then the data is stored in the chain, as long as there is no The corresponding private key, any third party can not get the report details, which is determined by cryptography. The second is to verify the key links of the process, establish a verifiable and reliable data flow. The third is to guarantee the bonus process Reliability."

How is the vulnerability used to make evil?

As a vulnerability reward platform, DVP's vulnerability handling method is very important, otherwise it is easy to have loopholes used to do evil, which is also the most concerned issue for chain node users.

Daniel Wen said that DVP is mainly designed to prevent evil by technical and incentive design:

"The main two aspects are: technically, the asymmetric encryption of the blockchain is used for the secure transmission of security information, and the evidence transfer process is carried out. Incentives, using the pass for economic incentives, combined with the reputation based on the information on the chain. The system is to do evil and lose, and to do good and reward."

Daniel Wen explained that after receiving the vulnerability report, DVP will not directly announce it, but will contact the vendor of the vulnerability as soon as possible to remind him to fix it as soon as possible. After the bug is fixed, only a simple message will be posted to show the process of submitting vulnerabilities and receiving rewards between the white hat and the vendor, and will not disclose more details and cannot be used to do evil.

For some vendors that are unable to contact or refuse to cooperate with the repair of vulnerabilities, DVP will disclose its vulnerabilities as appropriate, in order to remind other vendors and users to prevent related risks in a timely manner. In addition, for some typical vulnerabilities, for the purpose of industry exchange learning, it will also be announced, but these types of vulnerabilities have been repaired and desensitized, and can no longer be used to do evil.

For all vulnerabilities, DVP will have professional personnel to conduct preliminary review and review. Finally, the vulnerabilities will be rated according to the relevant reward rules. When there are disputes, the security will be decided in conjunction with multiple security vendors.

Hard Core Dry Goods: Analysis of Common Vulnerabilities in Exchanges

As an important part of the blockchain ecosystem, the exchange is often the target of hackers because of the large amount of encrypted assets. Despite years of development, the exchange has made some progress in security protection, but it is still the "most dangerous place" in this industry. Therefore, such manufacturers have become the focus of DVP at this stage.

Daniel Wen shared several vulnerabilities common to exchanges in this AMA:

"There are a few common vulnerabilities here. Fake recharge vulnerabilities: The exchange does not strictly verify that the transfer is really successful when verifying the refill transaction, and there is no loophole in the verification of whether the balance has increased. The common solution is to recharge the user. After that, be sure to verify that the balance of the corresponding payment address has an equal increase.

SQL injection vulnerability: SQL injection attack is one of the common methods used by hackers to attack databases. This kind of vulnerability is caused by the developer directly introducing the external data into the SQL statement without security check. This kind of vulnerability will lead to the leakage of data in the platform database, and more serious, the data may be tampered with or even affected. Security to the server. A common solution is to use parameterized queries when using SQL statements, which need to be checked and filtered when receiving parameters from outside.

XSS Vulnerabilities: XSS vulnerabilities are one of the common ways that hackers attack clients. This kind of vulnerability is caused by the developer directly introducing the external data into the webpage without security check. When the web client is implanted with malicious code, the client's identity credential may be stolen (commonly known as hacking). Hazards such as leakage of sensitive information. A common solution is to pass security checks and filters when importing external data into a web page.

Logical Vulnerabilities: Logical vulnerabilities are one of the common means by which hackers attack platform services. This kind of vulnerability is caused by the lack of logic in programming and coding. Common logic vulnerabilities include arbitrary password reset (tampering with other people's passwords) and arbitrary binding. This type of problem is one of the most difficult to solve. It cannot be solved by relying on automated tools and simple protection. It needs to manually sort out the logic in the code and test it.

Safety is no small matter, community interests are heavy

Daniel Wen also highlighted his views on industry security and the core philosophy of DVP:

"Safety is a problem that requires constant attention. Even security companies cannot guarantee absolute security. DVP, PeckShield, and White Hat Exchange have released their own vulnerability bounty plans on the DVP platform. White hat hackers are welcome to conduct security tests. We always believe that detecting vulnerabilities and fixing vulnerabilities in a timely manner instead of avoiding vulnerabilities can avoid further harm."

“The blockchain is not a panacea. Decentralization is a gradual process. The maturity of matching projects is gradually advanced. This process requires the efforts of the team and requires the active participation of the community. Only the community actively participates and contributes to the project. A corresponding return can be achieved to ensure a balanced distribution of tokens, thereby promoting decentralization."

“DVP puts everything in the interest of the community!”

Small Eggs: DVP held the "blockchain security evolution theory" on the first anniversary of its birth, launched three major ceremonies, through online vulnerability mining contests, decryption games and offline hackathons, hoping to give back to the community and attract more white Hats and security agencies escort the blockchain. For more information, please visit the DVP official website dvpnet.io and the public number DVPNET, add the official customer service class (f1ndfreedom) to enter the community, get more content and surprises.

More AMA highlights poke here: https://www.chainnode.com/ama/357229