I'm working on a new marketplace that will hopefully bring back some of the security and quality that many of you may remember from the golden days of SR 1.0. If you have any suggestions related to any aspect of the site's development, please let me know and I will consider them while developing the site.
Current ideas:
Up to three authentication factors - password (default), PGP signed message (already in SR 2.0 and possibly other markets), Bitcoin signed message (not yet implemented in any marketplace as far as I know). Only passwords will be required (obviously) but the other two options will be available to those who want it.
Manual withdrawals instead of automated ones to prevent hackers from gaming the site and stealing coins. All private keys will be kept off-site so none can be stolen in the event of the server being hacked.
To withdraw coins, users must sign the current UTC time within 30 minutes of placing the withdrawal order and submit that with their withdrawal order. Example here. Alternatively, I could implement a system where a random string of letters and numbers must be signed by the user to place the withdrawal order. Please tell me what you guys would prefer.
FORCED PGP encryption of all messages sent on the site's PM system. Security hurts sometimes but I'd rather have 100 people not use the site than have 1 person get arrested because they were too stupid to encrypt their address and something happened to the site.
A bug bounty system that will be put in place permanently. A percentage of the site's total earnings will be distributed as the bug bounty. I'm thinking 10% for any bug that could affect user or site security and maybe 1 or 2 percent for a valid bug that, while real, is not dangerous. While the market is still in its infant stages the bounty will probably be something like 0.15 bitcoins until 10% of the site's earnings become a larger number than 0.15 bitcoins.
Multiple cryptocurrencies accepted, with vendors choosing which they would like to accept manually. At this point I'm thinking of accepting Bitcoins, Litecoins, and Dogecoins. Suggestions for other coins are welcome too.
A custom login message to ensure that you know you're not on a scam website. (I know Agora uses this method already)
Questions I would like the community to answer so I know what people want to see on the site:
How do you feel about weapons being sold on the site? If weapons are sold on the site, should it be fair game for any weaponry or should it only be weapons that are viable for self defense? (e.g. no bombs, no poison, etc.)
Should I allow the sale of items related to identity theft? E.g. credit cards, PayPal accounts, etc.
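The post asks whether the user should sign the current time or a random string. The random-challenge variant, written here as an added example and not code from the post or any market, uses Ed25519 as a stand-in for the PGP or Bitcoin signed messages the post mentions: the server issues a nonce bound to one user, it expires after the window, and it is accepted exactly once, so a signature captured from a hijacked session cannot be replayed and a session cookie alone never authorises a withdrawal. Names such as WithdrawalGuard and the 30-minute window are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// WithdrawalGuard tracks outstanding single-use withdrawal challenges
// (single-threaded demo; a real service adds locking and persistence).
type WithdrawalGuard struct {
	pending map[string]time.Time // user+"|"+nonce -> expiry; removed once used
	ttl     time.Duration        // validity window, e.g. 30 minutes
}

func NewWithdrawalGuard(ttl time.Duration) *WithdrawalGuard {
	return &WithdrawalGuard{pending: map[string]time.Time{}, ttl: ttl}
}

// Issue returns a fresh random nonce that the user must sign to place a withdrawal.
func (g *WithdrawalGuard) Issue(user string, now time.Time) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b)
	g.pending[user+"|"+nonce] = now.Add(g.ttl)
	return nonce, nil
}

// Verify accepts a withdrawal only if sig is a valid signature by pub (the key the
// user registered) over an unexpired nonce issued to that user. A nonce is consumed
// on first use, so a signature captured from a hijacked session cannot be replayed.
func (g *WithdrawalGuard) Verify(user, nonce string, pub ed25519.PublicKey, sig []byte, now time.Time) error {
	key := user + "|" + nonce
	exp, found := g.pending[key]
	delete(g.pending, key) // single use, whether or not the signature checks out
	switch {
	case !found:
		return errors.New("unknown, foreign or already used challenge")
	case now.After(exp):
		return errors.New("challenge expired")
	case !ed25519.Verify(pub, []byte(nonce), sig):
		return errors.New("signature does not verify")
	}
	return nil
}
```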
All the DNM hacks that I recall: BMR, SR, Sheep, etc. were caused by SQL injection and other bugs. It is difficult to have a fully featured online marketplace with large financial transactions and implement it in a way that would make it 100%. You are always going to miss something, and someone is always going to find that something.
That is a great list of features but it doesn't really address that. Some markets already have cold storage for escrow, but if someone breaks into a site or hijacks a user's session - how will you differentiate between that hacked request and a legitimate withdrawal request?
I'd suggest that you may want to put some money up for the bounty. There really isn't much incentive for hackers to give you a free security audit when they are working for 10% of your revenue, which for the first month would be close to 0.
IMO there are already too many marketplaces, and based on the last few marketplace launches I don't think anybody is going to trust a site for security no matter what they say until they have survived at least a few months with no incidents.