Since the birth of the Internet, security has always been a crucial link. Although mature security systems have mitigated some security risks to a certain degree, they have also exposed several problems, such as privacy, efficiency and trust.
On July 24, Daniel Wen, head of the decentralized vulnerability platform DVP, was a guest on the ChainNode AMA. He answered users' questions about decentralized vulnerability platforms and explained why this model may be the direction of future development.
Below is a selection of highlights from this AMA:
What is DVP doing, in one sentence?

"(We are) a decentralized vulnerability bounty platform and a self-governed white-hat community."

Daniel Wen further pointed out that the key to DVP lies in using existing underlying technologies to build a blockchain-based platform for the trusted, private exchange of security information between security practitioners and organizations, and at the same time to build a token-incentivized, decentralized autonomous community.
Over the past year, DVP has been quietly cultivating the field of blockchain security, focusing its efforts on building the vulnerability platform community and on cooperation between white hats and vendors, and has already achieved staged results: to date, the DVP platform has more than 14,000 registered white hats, covers more than 1,400 vendors, has onboarded nearly a hundred vendors and dozens of security teams, and has collected more than 4,000 valid vulnerabilities. Leading vendors that have already released bounty plans include NEO, MXC, gate, bibox and f2pool, 42 in all. DVP's deep partners include established players in the security field such as Bai Maohui and PeckShield, giving it strong technical backing. In scale, DVP already holds the leading position in its segment.
Relying on the economic model of "finding vulnerabilities is mining, security crowdtesting is mining", its future development focuses on two aspects: on the one hand, DVP is committed to attracting more security practitioners from around the world to join; on the other hand, DVP will cooperate with more blockchain projects and establish vulnerability bounty products tailored to each project.
So do ordinary users have a chance to participate in DVP governance? DVP will use a DPoS mechanism. Besides the arbitration nodes led by professional security organizations, white hats and security teams, DVP token holders will in future be able to participate in governance through node staking, co-building common nodes, market education, organizing meetups, writing documentation and similar means, and earn corresponding incentives. DVP's token follows the same principle as classic Bitcoin and Ethereum: value is created together, and value is shared.
Is a decentralized vulnerability bounty platform bringing owls to Athens?

There are already excellent security companies in the industry, such as PeckShield, so where is the significance of security crowdtesting? The concept of vulnerability bounties is long-standing, and white-hat hackers normally have direct contact with the relevant platforms and projects, so where is the value of DVP as a communication channel between the two sides? Users raised doubts of this kind.
To this, Daniel Wen responded:
"Blockchain is an interdisciplinary technology that is still at an early stage; development iterates fast, and together with the shortage of blockchain security practitioners, this means that many new weaknesses keep appearing during blockchain development. Relying on a single security team alone, it is very hard to cover all of these weaknesses. When relying on a single security team: one, defense is difficult. The range an attack may involve is very wide, so to defend you must be especially comprehensive in detection. An attack needs only one point, while defense must guard against many. Two, the service is one-off, which is a problem of continuity. The service a security company provides you, or the security service you buy, is often one-off; that is to say, it only helps you detect once."
"Security crowdtesting can complement this problem very well, letting more professional security researchers arrange their time more flexibly, look for vulnerabilities from every angle, and give timely feedback so that the project can fix them. And this process is 'pay by results': only when a valid vulnerability is found does the project need to pay. So crowdtesting has the advantages of continuity and cost, and it does not conflict with security service vendors; the two will jointly escort the security industry."

On DVP's role in vulnerability bounties, Daniel said:
"First of all, communication between white hats and vendors carries a certain cost and risk. From the vendor's point of view, if an individual privately contacts the vendor to report a vulnerability and ask for a reward, improper communication may make the vendor mistakenly think it is extortion, bringing risk to the white hat, and the reward cannot be guaranteed; it is also possible that the vendor ignores the white hat after obtaining the vulnerability details and fixes the vulnerability right away."

"Operating a white-hat community has a fixed cost for a vendor, and without a white-hat community, even if the vendor announces a vulnerability bounty externally, many white hats may not notice it. DVP's advantage lies in its long-accumulated and powerful security-team partners, its exposure and coverage among white-hat groups, together with more complete business processes and richer operating experience. As soon as a vendor onboards, white hats pay attention immediately, and the vendor does not need to build its own security response platform and operate a white-hat community again, which improves the efficiency of vendor security operations while reducing cost."

Traditional crowdtesting platforms also have two problems: anonymity and reward disbursement. The traditional reward disbursement flow goes through a bank, which is itself a bug for white hats who pursue anonymity. Daniel Wen pointed out:
"On the DVP platform, each white hat is an address. The reward a vendor gives can also be paid directly as digital assets. That is to say, a white hat can submit anonymously, and the reward is also paid anonymously."

"Building a chain has several goals. The first is to ensure the confidentiality of the security-information exchange process: for example, when a vulnerability is submitted, the vulnerability report can be encrypted with the vendor's public key and then stored on chain; without the corresponding private key, no third party can obtain the report's details, which is guaranteed by cryptography. The second is to record each key step of this flow on chain, building a verifiable, trusted data flow. The third is to ensure the reliability of the reward disbursement process."

How to prevent vulnerabilities from being abused?

For a vulnerability bounty platform, how DVP handles vulnerabilities is very important; otherwise a leaked vulnerability could easily be abused, which is also the problem ChainNode users care about most.
Daniel Wen said that DVP prevents abuse mainly through its technical and incentive design:
"Mainly two aspects. On the technical side, the blockchain's asymmetric encryption is used so that security information is delivered directionally, and the delivery process is recorded on chain. On the incentive side, the token provides an economic incentive, combined with a reputation system based on on-chain information, so that doing evil causes a loss and doing good earns a reward."

Daniel Wen explained that after receiving a vulnerability report, DVP does not publish it externally directly, but promptly contacts the vendor the vulnerability belongs to and reminds them to fix it as soon as possible. After the vulnerability is fixed, only brief information is shown publicly, to show that a vulnerability was submitted and a reward received between the white hat and the vendor; no further details are disclosed, so it cannot be abused.
For vendors that cannot be contacted or refuse to cooperate in fixing a vulnerability, DVP will publish the vulnerability as the circumstances warrant, in order to remind other vendors and users to guard against the related risk in time. In addition, some vulnerabilities of typical significance may be published for the purpose of industry exchange and learning, but all such vulnerabilities are published only after they have been fixed and desensitized, so they can no longer be abused.
For every vulnerability, DVP has professional staff conduct an initial review and a re-examination, and finally grade the vulnerability according to the relevant bounty rules; when a vulnerability is disputed, multiple security vendors can be brought in to vote.
Hardcore content: analysis of common exchange vulnerabilities

Exchanges are an important link in the blockchain ecosystem, and because they hold large amounts of crypto assets they frequently become the target of hacker attacks. Although exchanges have made some progress in security defense after years of development, they remain the industry's "most dangerous place". For this reason, this kind of vendor is currently the focus of DVP's attention.
Daniel Wen shared a few common exchange vulnerabilities in this AMA:
"Here is a simple list of a few common vulnerabilities.

Fake deposit vulnerability: when verifying a deposit transaction, the exchange does not strictly verify whether the transaction really succeeded, nor whether the balance has increased, which causes a kind of leak. The common solution is, after the user deposits, to verify whether the balance of the corresponding receiving address has increased by the expected amount.

SQL injection vulnerability: SQL injection is one of the means hackers commonly use to attack databases. This kind of vulnerability arises because developers splice external data directly into SQL statements without a security check; it can cause all data in the platform's database to be leaked, or more seriously, data to be tampered with, and can even affect the security of the server. The common solution is to use parameterized queries when using SQL statements, and to check and filter parameters from external sources when they are received.
XSS vulnerability: XSS is one of the means hackers commonly use to attack the client side. This kind of vulnerability arises because developers insert external data directly into web pages without a security check; when malicious code is embedded in the web client, it may cause the client's identity credentials to be stolen (commonly called account theft), sensitive information to leak, and other harm. The common solution is to check and filter external data before introducing it into the page.
Logic vulnerability: logic vulnerabilities are one of the means hackers commonly use to attack a platform's business. This kind of vulnerability arises from non-rigorous logic when programming; common logic vulnerabilities include arbitrary password reset (tampering with other people's passwords) and arbitrary rebinding. This class of problem is the hardest to deal with; it cannot be solved by automated tools and simple defenses, and requires people to manually comb through and test the logic of the code."
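The fake-deposit and SQL injection defenses described above, as an added illustration that is not DVP's or the author's own code: a constructed in-memory ledger and a stand-in chain node (both hypothetical) show a crediting routine that trusts the deposit notification and splices input into SQL, beside a hardened one that checks the receipt status, the recipient address and the on-chain balance increase before crediting through a parameterized query.

```python
import sqlite3

# Constructed sample data for this example (not real chain data).
DEPOSIT_ADDR = "0xEXCHANGE_DEPOSIT_ADDRESS"
RECEIPTS = {
    "0xtx_ok":     {"status": "success", "to": DEPOSIT_ADDR, "value": 100},
    "0xtx_failed": {"status": "failed",  "to": DEPOSIT_ADDR, "value": 100},
}
BALANCES = {DEPOSIT_ADDR: 100}  # only 0xtx_ok actually landed on chain


class ChainNode:
    """Stand-in for the exchange's node RPC client, answering from the constructed data."""
    def get_receipt(self, tx_hash):
        return RECEIPTS.get(tx_hash)

    def get_balance(self, address):
        return BALANCES.get(address, 0)


def open_ledger():
    """In-memory user-balance table standing in for the exchange database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE balances (user TEXT PRIMARY KEY, amount INTEGER)")
    db.execute("INSERT INTO balances VALUES ('alice', 0)")
    return db


def credit_deposit_vulnerable(db, node, user, tx_hash, claimed_amount):
    """Fake-deposit bug: credits on the notification alone, and splices input into SQL."""
    db.execute(f"UPDATE balances SET amount = amount + {claimed_amount} "
               f"WHERE user = '{user}'")
    return True


def credit_deposit(db, node, user, tx_hash, claimed_amount, last_seen_balance):
    """Hardened version: tx must have succeeded, paid our address, and grown its balance."""
    receipt = node.get_receipt(tx_hash)
    if receipt is None or receipt["status"] != "success":
        return False                      # unknown or failed transaction
    if receipt["to"] != DEPOSIT_ADDR or receipt["value"] != claimed_amount:
        return False                      # wrong recipient or amount mismatch
    if node.get_balance(DEPOSIT_ADDR) - last_seen_balance < claimed_amount:
        return False                      # on-chain balance did not grow as claimed
    db.execute("UPDATE balances SET amount = amount + ? WHERE user = ?",
               (claimed_amount, user))    # parameterized query, no string splicing
    return True


def balance_of(db, user):
    return db.execute("SELECT amount FROM balances WHERE user = ?", (user,)).fetchone()[0]
```

With the constructed data, the vulnerable routine credits 100 for the failed transaction, while the hardened one rejects it and credits only the transaction whose receipt and balance change both check out.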
No small matter in security; community interest comes first

Daniel Wen also particularly emphasized his core views on the security industry and on DVP:
"Security is a problem that needs continuous attention; even a security company cannot guarantee absolute security one hundred percent. DVP, PeckShield and Bai Maohui have all released their vulnerability bounty plans on the DVP platform, welcoming white-hat hackers to conduct security tests. We have always believed that finding and fixing vulnerabilities in time, rather than avoiding them, is the way to prevent greater harm."

"Blockchain is not all-powerful, and decentralization is a gradual process that must be advanced step by step in line with the maturity of the project. This process needs the team's effort, and even more the active participation of the community. Only when the community actively participates, contributes to the project and earns the corresponding returns can Token distribution be kept balanced, thereby promoting decentralization."

"DVP puts community interest above everything!"