Steemit opens the door to its source code
With Steemit's and Steem's source code open to public view, some people have expressed concern that this makes a hacker's job easier: discovering issues in the code itself and using that information to exploit the system for personal profit. 'The DAO' is an example: its code was open, and that transparency left it open to attack, which ultimately resulted in $60 Million USD being drained from the DAO itself.
This transparency is a double-edged sword. It is great for the platform as a whole, as it allows independent analysis of the code, adds credibility that things are being done right, and invites public suggestions on how the platform may be improved. On the flip side, it is this very same independent analysis that can lead to attacks on the platform and heartache in the community.
In the case of the DAO, and with Steemit itself, previous hacks have not gone unnoticed and have not resulted in the large payday the hacker had intended to receive.
I would like to propose a better way for an intelligent security analyst to make off with a large payday while building a solid reputation within the community and helping the platform evolve. The model is not new, but it is definitely applicable to Steemit, and the Steemit community is well placed to reward the actors who take advantage of it.
Responsible disclosure of information and rewarding the analyst
Responsible disclosure
Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details.
The basis of the model described above is that if you happen to find a security vulnerability, you disclose this information privately to the founders (@Dan and @Ned; the best method is via PM on Steemit.chat) and work with them to ensure a fix can be put in place and the issue is resolved in a timely manner.
This action will ensure that the vulnerability does not go unnoticed and that countermeasures can be put in place to protect the platform and its community.
This model allows the development team time to develop and implement a fix before the knowledge is made public and can be abused by another party. The model also puts in a safeguard: once the non-disclosure period has elapsed, the security analyst is free to share their findings with the community. This can be particularly important if the development team does not deem the issue a big enough threat to resolve, or if the resolution is so large that the issue is deemed unsolvable. Disclosure after the period has elapsed protects the community and allows its members to alter their behaviour so as to protect themselves from the potential security issue.
Rewarding the Discovery and Acknowledgement of Good Faith
If you are a security analyst who has discovered a vulnerability, not abused it, and disclosed it to the development team to improve the platform, the community is in your debt! Your act of good faith has protected thousands of potential victims from being exploited, and for that you will be rewarded.
A post explaining the situation and the potential danger that has now been mitigated would be rewarded with hundreds of up-votes and would bolster your reputation and good standing within a very grateful community.
EXAMPLE Responsible Disclosure policy - Not Official - Informational purposes only!
The choice is yours...
Villain
You may choose the path of the villain. The discovery of an issue that could yield a large profit is surely tempting, but the reality is that you will be hurting a lot of people with your actions; you may not end up keeping your illegitimate gains, and you may even be discovered and see your day in court.
Alternatively,
Hero
You could choose the path of the Hero. You will be able to sleep well at night knowing your actions have had a positive impact on many people who will be very grateful, and your good standing in the community will treat you well long into the future. The support of the community going forward may dwarf the potential gains you might have had by implicating yourself in a dark and lonely path.
To my knowledge, Steemit does not offer an official bug bounty program as yet, but Steemit is also different from every other platform in that its users have the ability to reward such noble actions and, in a sense, fund their own bug bounty program.