Every day a Web3 protocol pushes to GitHub a patch to a vulnerability or a new feature. DAF is a daily activity feed of bug fixes and code changes in GitHub repositories listed as assets in scope for bug bounty programs in Immunefi.
Website: https://infosec-us-team.github.io/daf/frontend-daf/src/
At the time of writing, there are 427 GitHub repositories with a bug bounty program in Immunefi.
Visit the website once a day to see what's new and discover security patches by searching for the words "fix" and "bug" in the title of pull requests and commit messages.
Every day a static website is created listing every bug bounty program that updated their (GitHub) code in the past 24 hours, with details like:
- Protocol name, avatar, and a link to the GitHub account
- The rewards ($) for every severity on the bug bounty program and a link to it
- Pull requests, including their title, date, and a link to the PR
- Every commit, including its title and a link to it
- The Developer of every commit, including its name, avatar, and a link to his GitHub user
DAF has a backend and a frontend.
The backend automates gathering GitHub repositories listed in Immunefi, extracting bounty information, scanning pull requests, and commits, and generating a static website (the frontend).
build.sh- It runs once a day.
- Fetches all protocols listed on Immunefi.
- Extracts GitHub repositories linked to these protocols.
- Retrieves bounty reward details and logos.
- Aggregates data into a JSON file (
all_protocols.json). - Starts the Processing Layer
-
scan-prs.py- Scans all pull requests and commits from the collected repositories.
- Aggregates data into a JSON file (
all_prs.json).
-
create-static-site.py- Generates a static website displaying pull requests, commits, and bug bounty reward info.
A static site using Tailwind CSS.
The static site should be viewed as a tool. Every element displayed to the user must contribute to the tool's objective.
Consequently, there won't be a prominent header welcoming visitors to the site or a navigation bar filled with links to external sites like social networks.
The very first thing users see should be precisely what they want to see.
- ibb - A CLI tool to find anything from Immunefi REST API with as few keystrokes as possible (by
infosec_us_team) - jq - JSON processor for command-line data manipulation
- Python 3.x environment
Clone the repository:
git clone https://github.com/infosec-us-team/daf.git
cd dafTo avoid hitting GitHub's API rate limit use a personal access token.
Create a .env file outside of the project folder (yes, outside... don't trust your ".gitignore" skills, better safe than sorry).
Your file structure should look like this:
.env
daf/
├─backend-daf/
├─frontend-daf/
├─readme-resources/
└─README.md
Add your personal access token to the .env file:
GITHUB_TOKEN=your_token_here
Build the site by running the build.sh script inside ./backend-daf/:
# First, cd into `./backend-daf/`
cd ./backend-daf/
# Now, build!
./build.shThis step is going to take up to 20 min. depending on the total amount of protocols with GitHub repos in Immunefi.
Finally, you should have a static site at ./frontend-daf/src/index.html
We like to run an http server so we can access the site with all devices in the local network.
# cd out of backend-daf and into frontend-daf
cd ../frontend-daf/src/
# run the http server
python3 -m http.server 8000
Open crontab:
crontab -eAdd a job:
0 1 * * * /path/to/build.shThis runs the tool daily at 1am.
There is no guarantee that the code in this repository will be maintained if Immunefi or GitHub change their APIs, nor that the static site at GitHub-Pages (https://infosec-us-team.github.io/daf/frontend-daf/src/) will continue to be updated daily.
We recommend cloning the code and running the tool on your own server.