The security of our funds is important. Incentivizing white-hat hackers to review our system for vulnerabilities is one way we can contribute to our security. Obviously, we do this by offering them rewards specifically put aside for such discoveries.
If a pool of funds did not exist for this, security experts who discover a vulnerability might use the vulnerability for their own reward, instead of reporting it and receiving nothing in return.
We should put aside some portion of the treasury’s income towards these bug discoveries, in the form of MIM.
The reward should be based on the severity of the vulnerability and what funds it provides access to.
Perhaps we could do a max of $1,000,000 for really severe exploits that allow access to funds, and $250,000 max for other exploits that don’t affect funds.
Additionally, we should commemorate and serve recommendation letters to individuals who have discovered vulnerabilities in TIME through our Bug Bounty Program.
Feel free to comment below with your suggestions and comments.
Perhaps a name for it?
Not sure about the amounts paid out for vulnerabilities found, but I totally agree on getting a bounty program for the project.
For reference, the usual max payout for issues such as RCE (Remote Code Execution, the worst of the issues in a classical site) is around $20.000.
Of course the amount of money being handled around a DeFi project is much different than a usual site. Numbers ranging from $20.000 to $200.000 sound more appropriate, I think. That’s what I’ve seen in other DeFi bounty programs around.
This is crucial; we need to implement something like this ASAP. @Handerllon Totally agree with you. For me the payout should be in the range of 30.000 MIM to 350.000 MIM, like other bug bounty programs (Microsoft, Google, etc.).
Considering that this is crypto, I would propose that the bounty should be tiered based on severity.
If it’s an “empty the treasury” kind of vulnerability, I would argue that we should have a percent of the treasury as the reward (pending a community Snapshot vote to award the bounty). Otherwise, I think 30.000 MIM - 350.000 MIM is reasonable so long as it’s scaled based on severity.
Listen, I agree with this stuff, but the amount you’re suggesting is insane and will attract bad people very fast. We want the white hats, yes, but if we do this, the whole bug bounty community will start talking about it. This is good in a way, but too much attention will lead to bad stuff, especially when it comes to bug bounties and hackers. It’s just a point of view.
Note: I just got bitten by a spider for some reason while typing this. If I die, well shit, it’s too bad I guess. Anyway, sorry for my bad English.
I don’t get it a lot, but I suggest we get our own team of hackers to do this stuff, and they must be known, because if they find a severe bug, it’s the crypto world; who told you they’re not going to take it all?