ADA Bug Bounty Website

[IMPACT] Please describe your proposed solution.

Target Market

With over a thousand projects currently in the Cardano ecosystem and many more in the works, there will be no shortage of users. The Cardano Foundation recognized the power of this model in August 2021 by teaming with HackerOne to provide bounties for security vulnerabilities within the Cardano codebase.

https://cardanofoundation.org/en/news/bug-bounty-program-with-hackerone-announced-for-cardano%E2%80%99s-blockchain/

Extending this capability to all Cardano projects through a simple to use website just makes sense.

Website Details

User Identity

The website will allow a user to connect their Cardano wallet to the site. Without a wallet connection, the site will be read only. Once a wallet is connected, it will act as the user’s login/identity and the site will no longer be read only. The user will have the option to attach an alias, small avatar, an email, and a website URL to their wallet. If they add this additional data, then they will be required to sign arbitrary data with their wallet before they can log into the site. The resulting signature will then be verified to confirm or deny the user’s login.

Bounty Submission and Storage

A simple form will be available for a bounty creator to fill out. The metadata required for the bounty will include: who created it (project name or person’s alias/name), a bounty category, a problem statement, the reward amount in ADA/native token, the success criteria, how to claim the bounty, optional tags, an optional website URL, and an optional time frame for completion (up to 1 year).

There will be error checking on the submission to include that the required fields are filled out along with some specific validity checking per field. After filling out the form, the creator will be able to review their bounty before a final submission. The final submission will generate a transaction to store the metadata on the Cardano blockchain. There will be a small service fee (<= 3 ADA) collected with it along with the Cardano network fee. The submission data will also be parsed and stored in an ElasticSearch repo. This ElasticSearch repo will allow the bounties to be fully searchable via free text search, token type and amount, creator, and tags.

Creators will be able to view all of their bounties in their dashboard view.

Bounty Hunting

A bounty hunter will be able to use search and listing capabilities to find bounties that they are interested in. A comment thread will be available for each bounty for additional comments and questions. Once a hunter finds a bounty they are interested in, they can bookmark it for easy retrieval on subsequent site visits. These bookmarked bounties will be viewable on their dashboard.

It’ll be up to the bounty hunter to contact the creator and present the evidence required for collecting the bounty as directed by the creator.

Claiming a Bounty

The success criteria given by the creator will be the final marker as to whether a solution should receive the bounty or not. A bounty hunter will be required to follow the creator’s instructions for claiming the bounty. The creator will need to review the submission against the success criteria and determine if the criteria is met.

Bounty Closing and Expiration

A bounty can be closed by the creator at any time regardless of its status. Closure by the creator will be recorded on the blockchain via a transaction and also recorded in the ElasticSearch repo. 

The creator must add the transaction ID for the bounty reward as part of closing the bounty if they want it to be marked as successful. The transfer amount from the bounty transaction will be verified and checked against the bounty reward. If the transfer amount meets and/or exceeds the declared bounty reward, the system will mark the bounty as successfully resolved. If the reward is lower than the declared bounty reward, then the system will mark the bounty as being partially successful. If the bounty is closed without a resolution, the system will mark it as unsettled.

A bounty will be marked expired if the creator creates an end date for the bounty and the bounty is not yet closed by the creator. In this case, only the ElasticSearch repo will be updated to indicate that the bounty is expired. It will still be up to the creator to create a transaction to close a bounty.

For a bounty with no end date, if no comments or changes have been recorded for a 6 month period, the bounty status will be recorded as stale. It will be up to the creator to change the status of the bounty back to active. This will prevent clogging the system up with orphaned bounties.

Assurances

Multiple metrics for creators and hunters will be collected to help provide assurances for the community and accountability for creators and hunters. These metrics can be nuanced, so it will be up to each user as to whether or not they want to work with another user based on these metrics. 

This is the initial list of metrics that will be available.

• Creators
• Percentage of successfully closed bounties vs all bounties
• Percentage of partially successful bounties vs all bounties
• Percentage of unsettled bounties vs all bounties
• Percentage of expired bounties vs all bounties
• Percentage of stale bounties vs all bounties

• Hunters
• Number of successful bounties claimed
• Number of partial bounties claimed

There will be milestones for successful bounties for both creators and hunters. As they cross the threshold for these milestones, they will be given the option to mint an NFT with their status for a service fee (<= 5 ADA) plus the Cardano network fees. For the purpose of this proposal and the initial project capabilities, these NFTs will have no intrinsic value other than as a symbol of the holder’s status on the site.

Website Implementation

Tech Stack

Cardano metadata and wallets will be the backbone for the project. The website will be an Angular project. The Cardano metadata for a bounty will be stored on the Cardano blockchain to provide immutability. In addition to that, it will be parsed and stored in ElasticSearch. Bounty comments and system metadata will be stored in ElasticSearch.

Parsing and storing this data in ElasticSearch will allow for a number of capabilities to the site:

• Free text search of the problem statement, success criteria, and other fields
• Search by tags
• Search by creator
• Search by award token
• Search by amount of tokens
• Allow search by any combination listed above

List of technologies and libraries to be used for implementing the website:

• Multiple Cardano wallet browser extensions (as many as possible)
• Cardano Browser Library
• Angular
• Java
• SpringBoot
• ElasticSearch (will allow more flexibility, capability, and scalability over similar solutions) 
• AWS Cloud hosting (chosen based on developer's experience)
• Github (this project will be opensource allowing full transparency and community interaction)
• Node.js

Revenue

A small service fee (<= 3 ADA) will be applied to every proposed bounty. This fee will be in addition to the Cardano network fee for submitting the transaction. There will be no fees associated with commenting on a bounty. There will be no service fees associated with closing a bounty but there will be a Cardano network fee.

In the future, holding certain NFTs, delegating to specific pools, and/or holding a particular native token could be used as a way to waive or lower the service fee.

[IMPACT] Please describe how your proposed solution will address the Challenge that you have submitted it in.

This project addresses all three success categories listed in "F9: Dapps, Products & Integrations".

Increasing the number of dapps and products available for the community to use that help to enrich the ecosystem with new use cases.

This project will combine leading Web2 solutions with Cardano Web3 libraries. The world is full of amazing developers who have limited to zero Web3 experience. This project will show that moving into the Web3 space is easier than it’s ever been.

The site itself will be a tremendous resource for those new to Cardano development and current developers.

Increase the number of integrations that bring existing solutions together for a more seamless and connected experience between different products.

Projects will list their bounties on a public website. Any Cardano project or developer can search these bounties and if their product or skills fits the bounty, then symmetry could be found. Finding symmetry with other projects can bring massive value to both parties. This ultimately will bring more capable and mature APIs and products to the Cardano ecosystem.

Increased quality of existing products & integrations through suggested improvements that is supported by customer feedback or increased usage by the community.

The bounty rewards will incentivise the community to get involved in the development of the Cardano ecosystem. Bounties are typically awarded to someone who finds security and/or critical bugs within existing or developed software. Bounties can also be awarded for helping the creator through a coding problem. In both cases, the security and quality of the product can be increased through this community collaboration.

[IMPACT] What are the main risks that could prevent you from delivering the project successfully and please explain how you will mitigate each risk?

The traditional technologies being used have been around for a long time. They have been vetted through many years of usage and development. They are extremely low risk.

The Cardano wallet and browser libraries are fairly new, but have been being used for a number of projects already. There are some risks that the wallet API and/or capabilities change, which would then require changes to the site. The wallets and browser libraries that are implemented will be followed to track any potential breaking changes. Updates to the system will be made to mitigate those changes.

Overall, the project’s main risk is the funds required for setting up and hosting the website and services. Having this project funded through Catalyst would mitigate this risk.

[FEASIBILITY] Please provide a detailed plan, including timeline and key milestones for delivering your proposal.

There are multiple milestones for the development and delivery timeline. The capabilities listed for each milestone are high level in some cases. Further breakdown would be addressed during issue creation in the GitHub repository. The time listed per milestone is in calendar time and not total development hours.

After Milestone 5, the initial capabilities stated in this proposal will be completed. Any development after that time will be considered maintenance and enhancements. Costs associated with this development will be covered by this proposal for the remainder of the first year. After the first year, service fees will be used to cover further development activities.

Milestone 1 (4 months)

• Create the opensource repository
• Add the capabilities and issues listed here into the repo
• Assign milestone indicators for each of the added capabilities and issues
• Purchase the domain
• Develop initial website capabilities
• User shall be able to connect their Eternl or Nami wallet to the website
• User shall be able to connect user metadata with their wallet
• Creator shall be able to submit a bounty through a Cardano transaction
• System shall be able to collect the service fee for bounty submission
• User shall be able to bookmark a bounty
• Creator shall be able to close a bounty
• User shall be able to perform a basic keyword search for bounties
• System shall be able to expire bounties
• System shall be able to mark bounties as stale
• System shall record bounty closure status metrics
• System shall allow for sorting bounties by date submitted, closure date, and reward amount
• Setup the cloud infrastructure for mainnet and testnet
• Setup the DNS entries
• Beta build testing (starting after 3 months)
• Deploy beta build to testnet
• If errors are found:
• Fix the build
• Repeat testnet deployment and re-test
• If no errors are found:
• Finalize build
• Deploy Version 1 to mainnet

Milestone 2 (1 month)

• Address any critical issues for the deployed version
• Capture user feedback that makes sense into Github issues
• Add additional capabilities
• User shall be able to comment on a bounty
• User shall be able to use additional search/filter capabilities to include
• Tags
• Categories
• Creator
• Token Amount
• Token
• Beta build testing (starting after 3 weeks)
• Deploy beta build to testnet
• If errors are found:
• Fix the build
• Repeat testnet deployment and re-test
• If no errors are found:
• Finalize build
• Deploy Version 2 to mainnet

Milestone 3 (1 month)

• Address any critical issues for the deployed version
• Capture user feedback that makes sense into Github issues
• Refine existing capabilities based on user feedback (usability focus)
• Add additional capabilities
• User shall be able to see the overall system metrics to include (but not limited to)
• Total number of bounties on the site over time
• Total number of bounties for each available status over time
• Total number of users over time
• User shall be able to see their metrics to include (but not limited to)
• Number of bounties proposed and their statuses
• Number of bounties claimed and the reward amount
• Total reward bounty collected
• System shall allow for summary reporting on other users of the system
• User shall be able to filter bounties based on creator metrics such as percent of successful bounties and total bounties
• Beta build testing (starting after 3 weeks)
• Deploy beta build to testnet
• If errors are found:
• Fix the build
• Repeat testnet deployment and re-test
• If no errors are found:
• Finalize build
• Deploy Version 3 to mainnet

Milestone 4 (1 month)

• Address any critical issues for the deployed version
• Capture user feedback that makes sense into Github issues
• Refine existing capabilities based on user feedback (usability focus)
• Add additional capabilities
• System shall define thresholds for NFT awards
• User shall be able to mint NFTs that they are awarded
• Beta build testing (starting after 3 weeks)
• Deploy beta build to testnet
• If errors are found:
• Fix the build
• Repeat testnet deployment and re-test
• If no errors are found:
• Finalize build
• Deploy Version 4 to mainnet

Milestone 5 (1 month)

• Address any critical issues for the deployed version
• Capture user feedback that makes sense into Github issues
• Refine existing capabilities based on user feedback
• Beta build testing (starting after 3 weeks)
• Deploy beta build to testnet
• If errors are found:
• Fix the build
• Repeat testnet deployment and re-test
• If no errors are found:
• Finalize build
• Deploy Version 5 to mainnet

Maintenance mode (4 months)

Total Development Time: 8 months

Total Maintenance Time: 4 months

Total Time: 1 year

[FEASIBILITY] Please provide a detailed budget breakdown.

Senior Full Stack Developer (pre-tax): $48,600

This line item pays for 540 hours of a Senior Full Stack Software Developer’s time at a rate of $90/hour. 480 hours are dedicated through Milestone 5. 60 hours are dedicated to maintenance after Milestone 5 is completed.

Responsibilities for this role include (but are not limited to):

• UI/UX design
• Wallet integration
• Server infrastructure setup and deployment
• Development hours
• Documentation and FAQs
• Testing and QA
• DevOps

Service Hosting and Infrastructure for 1 Year:  $5000

• Domain registration and DNS Services
• Testnet
• Website hosting (single EC2)
• ElasticSearch Cluster (single EC2)
• Mainnet
• Scalable website hosting
• Load Balancer for the website
• Scalable/load balanced ElasticSearch Cluster

Marketing: $1500

• Time spent for interviews
• Time spent for social media posts and social interactions
• Graphics and video creation

Total Budget

$55,100

[FEASIBILITY] Please provide details of the people who will work on the project.

Steve Fisher has been in the software field for over 23 years now. In addition to developing and fielding full stack solutions, he’s led teams though multiple system, preliminary, and critical design reviews. He has been involved in customer training for the products and services he has delivered and he’s used that time to push added value back into those projects.

He created a small LLC named Swift Crypto LLC ( https://www.swiftcryptollc.com )to mine Ethereum in 2021. Looking to the future, he became a Cardano enthusiast and single stake pool operator for ADA for Warriors https://4wardpool.swiftcryptollc.com. He is a core member of the FreeLoaderz Cardano group as well as a member of the Cardano SPA and xSPO alliances.

With FreeLoaderz, he is the lead web developer for SmartClaimz. The testnet version can be found here: https://rwd.freeloaderz.io and the repo for the front end can be found on FreeLoaderz’ Github here: https://github.com/FreeLoaderz/rwd-frontend

Additional information can be found on Steve’s LinkedIn page:

https://www.linkedin.com/in/stevenkfisher/

The FreeLoaderz team will be one of the early users of the bounty site. Their testing and feedback during the testnet phase will be used to tweak usability issues and find any critical issues with the system.

[FEASIBILITY] If you are funded, will you return to Catalyst in a later round for further funding? Please explain why / why not.

Further funding for this effort will not be requested. This is a self-contained proposal to create, deploy, and give some maintenance runway to this bounty website. The funding requested in this proposal will cover the cost of site hosting and developer maintenance for the first year. If the community embraces this Bounty project, the site revenue should continue to cover the costs beyond that time frame.

[FEASIBILITY] Are you or any member of your team working on any other proposals in this Fund9?

[FEASIBILITY] Are you or your team working on any other proposals from previous Funds?

[AUDITABILITY] Please describe what you will measure to track your project's progress, and how will you measure these?

The Github repo will contain a list of tasks/issues that need to be completed. These tasks are tied to project milestones. Each milestone has an end date. Progress will be measured by completing these tasks for the current milestone before the milestone end date.

[AUDITABILITY] What does success for this project look like?

There a number of metrics that will define success:

• The community is using the bounty site
• Bounties are being successfully resolved, claimed, and rewarded
• Cardano project security, usability, and maintainability is increased through these bounties
• Cardano projects with similar problem sets or complimentary solutions find each other and start collaborating
• Other developers bring in ideas to further expand the site’s capabilities

[AUDITABILITY] Please provide information on whether this proposal is a continuation of a previously funded project in Catalyst or an entirely new one.

This is a new proposal.