Published Blog: My Google Summer of Code 2023 Experience
OWASP BLT (Bug Logging Tool) is a robust platform enabling internet users to report issues, ranging from design flaws to security vulnerabilities, all within the bounds of responsible disclosure ethics. One unique aspect of BLT is its incentivized bug reporting, rewarding users with points that can be further augmented through verification. Additionally, the platform extends to organizations, allowing them to launch bughunt programs with prizes, promoting proactive vulnerability management. Overall, OWASP BLT serves as a pivotal tool for enhancing online security and promoting responsible disclosure practices.
- Company Analytics section
- Manage Hunts section
- Manage Domains section
- Manage Company Roles section
The incorporation of a revamped company dashboard stands out as a pivotal enhancement in the project. It empowers users to seamlessly create companies using company email addresses, and offers comprehensive management capabilities for domains, bughunts, issues, and company users. This centralizes crucial operations within a unified dashboard, optimizing efficiency and user experience.
PRs:
- PR #1262 Feature/company dashboard
- PR #1287 fix company dashboard UI-responsiveness
- PR #1302 Feature: new start bughunt
The overhauled issue page represents a significant upgrade, addressing the limitations of the previous design. Notably, it now provides users with the capability to create comprehensive and detailed reports using Markdown formatting. This facilitates clearer and more structured communication of issues. Additionally, the new issue page introduces the pivotal functionality of "Accepting/Declining" reported bugs. This empowers the company to effectively verify and validate reported bugs, a feature absent in the previous design.
PR:
- PR #1377 New Issue Page
The enhanced report bug page introduces a host of new features to improve bug reporting efficiency and accuracy. Notably, the previous limitations of not being able to submit bugs to ongoing bughunts have been effectively addressed. Furthermore, the integration of tagging functionality allows users to precisely categorize issues, not only by bughunts but also by teammates. This tagging capability streamlines issue tracking and resolution. Additionally, the inclusion of detailed bug reports using Markdown provides a comprehensive medium to articulate issues. The revamped design of the report page, constructed using Tailwind components, contributes to a more intuitive and visually appealing user experience.
PRs:
- PR #1305 Feature: Mention Bughunt on the reported Bug
- PR #1285 fix report a bug responsiveness and issue2 routes
- PR #1276 Improved UI and logic for report a bug page
- PR #1250 Feature: Revamp Report a bug page with private bug reporting
The creation of the View Hunt Manage Page addresses the need for a comprehensive platform to view, create, edit, and delete Bughunts. This page provides crucial features, such as Hunt statistics, Markdown descriptions, customizable prizes, leaderboards, and automated announcements of winners based on user rankings.
PR:
- PR #1302 Feature: new start bughunt
The enhanced View Domain Page boasts an improved user interface and encompasses statistical data, basic information, reported issues, and top testers associated with a specific domain.
PR:
- PR #1262 Feature/company dashboard
The introduction of the New List Hunts Page simplifies the exploration of ongoing Bughunts. This page features filters for searching upcoming, ongoing, and concluded hunts, and allows searches based on specified date ranges.
PR:
- PR #1363 List hunt page integrated with backend with filter support
The Invite a Friend API empowers the mobile app to invite users. While the initial plan included integrating the BACON coin with the Invite Friend feature, the current implementation focuses on sending email invitations.
PR:
- PR #1364 invite friend api viewset and url
To accommodate changes in the Hunt model, the View Bughunt API underwent enhancements. This adaptation ensures consistent user experiences, especially concerning custom prizes.
PR:
- PR #1304 Feature: Support new model changes in new Bughunt API
{
  "count": 3,
  "next": null,
  "previous": null,
  "results": [
    {
      "id": 19,
      "name": "Hunt 11 Updated",
      "description": "dasdasdasda\r\nsd\r\nasdasdasdasd",
      "url": "https://www.bugheist.com",
      "prize": null,
      "prize_winner": "0.00",
      "prize_runner": "0.00",
      "prize_second_runner": "0.00",
      "logo": "/media/logos/2e3c37afc-d634-4933-b9e2-4f05e6e3a7c9.png",
      "banner": "/media/banners/28ae4b773-e749-435f-b856-a492c9970289.png",
      "plan": "",
      "txn_id": null,
      "color": null,
      "created": "2023-07-27T06:42:24.846190Z",
      "starts_on": "2023-07-27T00:00:00Z",
      "end_on": "2029-01-12T00:00:00Z",
      "is_published": true,
      "result_published": false,
      "modified": "2023-07-27T08:09:08.225947Z",
      "domain": 1,
      "prizes": [
        {
          "id": 7,
          "name": "Winner 1",
          "value": 1000,
          "no_of_eligible_projects": 1,
          "valid_submissions_eligible": false,
          "prize_in_crypto": true,
          "description": "dasdasdasdasdad",
          "hunt": 19
        },
        {
          "id": 8,
          "name": "Winner All",
          "value": 1000,
          "no_of_eligible_projects": 1,
          "valid_submissions_eligible": true,
          "prize_in_crypto": true,
          "description": "asdasdsdasdasd",
          "hunt": 19
        }
      ]
    }
  ]
}
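As an added example (not BLT's own code), the following consumes the Bughunt API response shape shown above and applies the upcoming/ongoing/concluded and date-range filters that the List Hunts page offers; the sample response is constructed for this example and reuses only the field names from the page (`starts_on`, `end_on`, `is_published`), and the rule that unpublished hunts are never listed is an assumption.

```python
from datetime import datetime, timezone

# Constructed sample modelled on the View Bughunt API response above;
# field names match the page, the hunts themselves are made up.
SAMPLE_RESPONSE = {
    "count": 4,
    "results": [
        {"id": 19, "name": "Hunt 11 Updated", "is_published": True,
         "starts_on": "2023-07-27T00:00:00Z", "end_on": "2029-01-12T00:00:00Z"},
        {"id": 20, "name": "Future hunt", "is_published": True,
         "starts_on": "2030-01-01T00:00:00Z", "end_on": "2030-02-01T00:00:00Z"},
        {"id": 21, "name": "Old hunt", "is_published": True,
         "starts_on": "2022-01-01T00:00:00Z", "end_on": "2022-03-01T00:00:00Z"},
        {"id": 22, "name": "Draft hunt", "is_published": False,
         "starts_on": "2023-01-01T00:00:00Z", "end_on": "2029-01-01T00:00:00Z"},
    ],
}


def parse_ts(value: str) -> datetime:
    # The API emits ISO 8601 with a trailing "Z"; older fromisoformat()
    # versions reject "Z", so normalise it to an explicit UTC offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hunt_status(hunt: dict, now: datetime) -> str:
    start, end = parse_ts(hunt["starts_on"]), parse_ts(hunt["end_on"])
    if now < start:
        return "upcoming"
    if now <= end:
        return "ongoing"
    return "concluded"


def filter_hunts(response, status=None, date_from=None, date_to=None, now=None):
    """Return ids of published hunts matching a status and/or a date window."""
    now = now or datetime.now(timezone.utc)
    selected = []
    for hunt in response["results"]:
        if not hunt["is_published"]:
            continue  # assumption: unpublished hunts are never listed publicly
        if status and hunt_status(hunt, now) != status:
            continue
        start, end = parse_ts(hunt["starts_on"]), parse_ts(hunt["end_on"])
        # Keep hunts whose run overlaps the requested window.
        if date_from and end < date_from:
            continue
        if date_to and start > date_to:
            continue
        selected.append(hunt["id"])
    return selected
```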
The implementation of an API rate limiter optimizes request limits for various environments, maintaining performance. Different throttle limits are set for testing and production environments.
PR:
- PR #1247 Support for API rate throttling
Private Issue Reporting enables users and bughunts to submit bugs privately, viewable only by domain managers for verification. Domain managers can choose to make verified reports public.
PR:
- PR #1250 Feature: Revamp Report a bug page with private bug reporting
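The visibility rule for private reports, written out as an added example (not BLT's own models or views): private issues are readable only by the reporting user and the managers of the affected domain, and only a domain manager may publish a report, and only after it has been verified. The `Issue` and `Registry` classes are assumptions made for this example, as is letting the reporter see their own private report.

```python
from dataclasses import dataclass, field


@dataclass
class Issue:
    # Constructed model for this example; BLT's real fields may differ.
    id: int
    domain: str
    reporter: str
    is_private: bool
    is_verified: bool = False


@dataclass
class Registry:
    # domain name -> set of usernames allowed to manage that domain
    managers: dict = field(default_factory=dict)

    def is_manager(self, user: str, domain: str) -> bool:
        return user in self.managers.get(domain, set())

    def can_view(self, user: str, issue: Issue) -> bool:
        """Public issues are open to everyone; private ones are not."""
        if not issue.is_private:
            return True
        # Assumption: the reporter may always read their own private report.
        return user == issue.reporter or self.is_manager(user, issue.domain)

    def make_public(self, user: str, issue: Issue) -> Issue:
        """Only a manager of the issue's domain may publish, and only once verified."""
        if not self.is_manager(user, issue.domain):
            raise PermissionError("only domain managers can publish a report")
        if not issue.is_verified:
            raise ValueError("unverified reports stay private")
        issue.is_private = False
        return issue
```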
For creating BACON I've used the Geth CLI tool, which is used to create private/independent chains using Ethereum. I was successfully able to create a chain by developing 2 nodes and connecting them using bootnode. Initially minted 120.20 M coins (default ETH supply) to my Ethereum address. Using those tokens I successfully deployed a smart contract.
Project URL: https://github.com/OWASP/BLT-Bacon
A significant shift has occurred in the BACON project's direction. Following insightful mentor advice and considering factors like high Ethereum gas fees, the decision was made to transition from Ethereum (ETH) to BitcoinPOS (Proof of Stake) for BACON development. The move aims to reduce resource demands and improve project efficiency.
As part of this adjustment, we're now focusing on BitcoinPOS implementation via a hard fork. This involves setting new chain parameters and creating a fresh genesis block. To stay updated on our progress, please refer to the work-in-progress project repository:
Project URL (Work in Progress): Bacon over BitcoinPOS
- Created a tool which automatically replaces/removes a user's info from .git history (for privacy reasons): Git Username Replacer/Remover
- Creating chain through bitcoinpos hard fork
- Creating custodial wallet on backend
- Integrating custodial wallet with backend to implement reward system
My journey through GSoC has been incredibly rewarding, marked by numerous challenging aspects that pushed me beyond my comfort zone. Faced with entirely new territories, such as Figma and design, I initially grappled with the unfamiliar. The process of translating ideas into tangible designs proved daunting, but a breakthrough came with the introduction of Tailwind Components. This revelation streamlined the design process, making it significantly more accessible and intuitive.
My introduction to blockchain was equally formidable, as I embarked on the ambitious task of constructing BACON from the ground up. Devoid of prior experience in this complex field, the learning curve was steep. Undeterred, I undertook an immersive journey into blockchain fundamentals, mastering concepts from scratch. The pivotal moment arrived when I successfully constructed a chain using Geth and implemented POA consensus (Proof of Authority). This hands-on experience allowed me to premine coins, deploy a local smart contract, and acquire essential blockchain knowledge.
The culmination of this journey extended beyond GSoC, as my newfound expertise in blockchain propelled me to secure victories in two Web3 hackathons. This testament to my growth underscores the transformational power of perseverance, curiosity, and dedicated learning.
- Although I have successfully executed the majority of the proposed website-related tasks, there remains room for further enhancements and optimizations. My immediate focus will involve addressing and refining the existing codebase.
- Additionally, I intend to fulfill the missed tasks, which encompass reimplementation of the blockchain using BitcoinPos, deploying nodes on AWS servers, and seamlessly integrating BACON with the backend to establish a comprehensive reward system.
@DonnieBLT has proven to be an exceptional mentor with a remarkable approach to mentoring. Despite not having a personal connection, his guidance has been invaluable through regular huddles and thorough code reviews. His expertise in altcoin development, which I initially lacked, was generously shared, aiding my understanding and progress. Donnie's openness, receptiveness to ideas, and willingness to assist new contributors have created a positive atmosphere. I'm eager to carry forward the principles he instilled in me to contribute effectively to the BLT project and help new contributors.
@just-ary27, my second mentor, has played a significant role in aiding and guiding me throughout the process. He provided valuable assistance in terms of feature reviews, offering suggestions to enhance them, and guiding me in shaping the overall user interface concepts. Despite my lack of proficiency in design, he equipped me with excellent resources for reference. His straightforward approach was truly helpful, as he could identify both unnecessary and crucial elements with precision.
I express my heartfelt gratitude to both mentors for their invaluable guidance and unwavering support throughout my GSoC journey.