
RE: SPS Governance Proposal - Pay Bug Bounty to louis88

in #spsproposal · 7 days ago

When he wrote the post, he had already reported the bug, waited for a response and gotten that... well, unprofessionally from what I know. The DAO states above that they patched the issue within 30 min of receiving the report. Louis' article was on April 8th; the patch notes in the link say it was done April 21st. So that "within 30 min" is a lie?


The linked article is in no way related to the one on the 21st. It's more about how some pages show and handle user input. The one on the 21st was roughly fixed, I would say, in under 30 mins, since the dev instantly understood what needed to be fixed.

Vuln Discovered: ~8:00pm
Vuln Tested: 8:23pm
Vuln Reported: 9:15pm
Call with DAO + Developer: 9:15pm for roughly 40 mins
Patched: ~9:24pm

iirc.

Great work! And the amount of tokens in danger should've been put into the proposal. Now it makes more sense. That was $4.8M in danger, so 5k seems a lot more reasonable now.

It seems people misunderstood. The post from louis88 they are referring to talks about a totally different vulnerability. He wrote about a vulnerability that could affect anyone who simply visits the site, probably a minor vulnerability like an IP leak.

The one he is asking the bug bounty for is a very critical one. He got access to 1.2B SPS tokens in the validator software. Imagine if a malicious hacker had access to that amount of tokens, they could have drained the whole SPS liquidity pool and dropped the price to zero.

Also, people are using penetration test prices as a reference, which is wrong. A penetration test is paid hourly, whether they find a vulnerability or not. In bug bounty the work is done for free, and payment is only made if a valid vulnerability is found.

ooooooh okay, thanks for clarifying that!

Thank you for the clarification; the situation is now clearer. That said, my original concern remains: this matter should have been handled privately. Publicly announcing the discovery of a vulnerability in a well-known Hive "platform" can inadvertently draw attention to the broader Hive ecosystem and increase risk.

One could also argue that heightened focus on Hive-related platforms may encourage additional vulnerability research by malicious actors. While bridge infrastructure is generally understood to be a common attack surface, the recent Hive Engine bridge incident underscores the importance of responsible disclosure. It also raises the broader question of how many other undiscovered vulnerabilities may still exist across the Hive ecosystem...