Bug Bounty Program

The security of our funds is important. Incentivizing white-hat hackers to review our system for vulnerabilities is one way we can contribute to our security. Obviously, we do this by offering them rewards specifically put aside for such discoveries.

If a pool of funds did not exist for this, security experts who discover a vulnerability might use the vulnerability for their own reward, instead of reporting it and receiving nothing in return.

We should put aside some portion of the treasury’s income towards these bug discoveries, in the form of MIM.
The reward should be based on the severity of the vulnerability and what funds it provides access to.
Perhaps we could do a max of $1,000,000 for really severe exploits that allow access to funds, and $250,000 max for other exploits that don’t affect funds.

Additionally, we should commemorate and serve recommendation letters to individuals who have discovered vulnerabilities in TIME through our Bug Bounty Program.

Feel free to comment below your suggestions and comments :slight_smile:
Perhaps a name for it?

29 Likes

100% on board with this. We should get an audit too.

10 Likes

I completely agree. This would create more confidence in the protocol. Besides, it’s always a good idea to support White Hat hackers. We all owe a lot to them.

8 Likes

Yes, yes and yes. There is no use in being in the crypto space, building wealth only to see it go into the pockets of the most despicable and despised humans on the planet.

My understanding is that the OHM protocol was audited, which would equate to Wonderland being indirectly audited. I also heard Wonderland is working on its own audit. Can anyone confirm that?

White hat funding is very important in this space.

5 Likes

Not sure about the amounts paid out for vulnerabilities found, but I totally agree with getting a bounty program for the project.

For reference, the usual max payout for issues such as RCE (Remote Code Execution, the worst of the issues in a classical site) is around $20.000.

Of course the amount of money being handled around a DeFi project is much different than a usual site. Numbers ranging from $20.000 to $200.000 sound more appropriate, I think. That’s what I’ve seen in other DeFi bounty programs around.

6 Likes

100% agree with this proposal, the quantities might be too much but love the idea

4 Likes

I’ve already seen YouTubers come out and say their Time has been hacked.

In my opinion, this should be a top priority to mitigate FUD and keep investors safe.

1 Like

Great idea, important and could be implemented relatively quickly.

1 Like

This is crucial; we need to implement something like this ASAP.
@Handerllon Totally agree with you. For me, the payout should be in the range of 30.000 MIM to 350.000 MIM, like other bug bounty programs (Microsoft, Google, etc.).

LC

1 Like

100% Agree. With so many hacks happening, this should be a priority. It should always be a priority.

1 Like

They’ve been “hacked” because of their own bad security protocols… nothing related to WL or its code.

2 Likes

Already started: Wonderland – Paladin Blockchain Security

Considering that this is crypto, I would propose that the bounty should be tiered based on severity.

If it’s an “empty the treasury” kind of vulnerability, I would argue that we should have a percent of the treasury as the reward (pending a community Snapshot vote to award the bounty). Otherwise, I think 30.000 MIM - 350.000 MIM is reasonable so long as it’s scaled based on severity.

I propose $100K minimum and $5M for big exploits to encourage good programmers. Paying well encourages and retains the top developers and this is a strategy used in big tech FANG.

@Patchy319 How do you propose bug submissions?
Perhaps encouragement to develop defi apps with wonderland with big payouts?

Has anyone got an idea how this is done on Popsicle?

Bug Bounty Program RFC has been submitted and is currently pending mod approval.

1 Like

Listen, I agree with this stuff, but the amount you’re suggesting is insane and will attract bad people very fast. We want the white hats, yes, but if we do this, the whole bug bounty community will start talking about this. It is good in a way, but too much attention will lead to bad stuff, especially when it comes to bug bounties and hackers. It’s just a point of view.

Note: I just got bitten by a spider for some reason while typing this. If I die, well, shit, it’s too bad I guess. Anyways, sorry for my bad English.

I don’t get it a lot, but I suggest we get our own team of hackers to do this stuff, and they must be known, because if they found a severe bug, it’s the crypto world; who told you they’re not going to take it all?

Great idea. Sounds like a cheap way to stay secure rather than losing everything.