Final 1Hive Contract Bug Bounty Program Proposal

After making a couple of suggestions regarding creating a bug bounty program here: 1Hive Contract Bug Bounty Program it seems there is consensus in setting up a bug bounty swarm. I will set up a DAO to which we will send some HNY which can be used for bug bounty rewards. This swarm will initially be made up of technically focussed Seed group members who will be the direct point of contact for any reported bugs.

The members of the DAO, each with equal voting weight to pay out bounties and manage the DAO, will be me, @fabriv, @rperez89, @lkngtn, @onbjerg and @sem. These individuals have worked together for a little over a year and can trust each other to handle any found exploits between them reliably. If there are other members of the community that are interested in being part of this swarm, please share.

Considering the poll results from the previous post I propose a max bounty of 40k USD paid out in HNY. If there are objections please share below and we can discuss. If 40k will be the max bounty I propose depositing twice this amount into the bug bounty DAO to account for price changes and multiple bugs occurring, so whatever 80k in HNY is at the time we make the proposal. We can move funds back should HNY appreciate significantly in the future and move more to the DAO should HNY depreciate or be spent.

The final Bug Bounty Spec is below, any objections or suggestions please share.

1Hive Contract Bug Bounty Program

This program covers all currently deployed 1hive related smart contracts on the xDai network that are actively being used from the 1hive github organisation: https://github.com/1Hive/. Contracts that 1hive uses that are not built by 1hive community members may also be considered depending on the extent to which they have been used within the 1hive ecosystem and the consequences they could produce. This evaluation will be at the discretion of the bug bounty swarm members using the CVSS Risk Rating scale https://www.first.org/cvss/calculator/3.0. The members include:

@willjgriff @fabriv @rperez89 @lkngtn @onbjerg @sem

An Aragon DAO holding the rewards available is found here: [dao link]. Each of the above members has equal voting weight within the bug bounty DAO to distribute rewards.

Requirements

  • Disclosure of issues must be made directly to one of the bug bounty swarm members. DMs via Discord are fine.
  • Any evidence of disclosure to other parties will forfeit the reward.
  • Exploiting the vulnerability prior to disclosing it will forfeit the reward.
  • Disclosure should include details of how to reproduce the bug in as clear a way as possible. A more detailed report could increase the reward.
  • Reporting a bug that has already been reported will not earn a reward.
  • Front-end bugs will not earn a reward.

Rewards

The severity of an issue will be determined by a score created using the CVSS Risk Rating scale https://www.first.org/cvss/calculator/3.0. It will likely also involve some subjective understanding of the potential impact it could make on the 1hive ecosystem.

Critical (9.0-10.0): Up to $40,000 in HNY
High (7.0-8.9): Up to $10,000 in HNY
Medium (4.0-6.9): Up to $2,000 in HNY
Low (0.1-3.9): Up to $1,000 in HNY

For reference, I would have scored the exploit detailed here Story of a Bee - Why Farming was Delayed with 9.3, earning it up to $40,000 in HNY; the exact amount would likely need to be discussed, but I would have proposed it be closer to the upper limit. The scoring I have chosen can be seen here: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L

It should be known that 1hive is interested in maintaining secure infrastructure and is willing to make fair payouts for finding bugs that could affect funds and users. These requirements and rates have been discussed and agreed upon by the community here 1Hive Contract Bug Bounty Program and here Final 1Hive Contract Bug Bounty Program Proposal, so as a bug hunter you can be assured that when it comes to claiming a reward you will receive it, provided you act as outlined above.

Post Fix

Once the issue has been addressed and a fix rolled out, a write-up of the issue will be made for the community to see, and the payout will be made from the bug bounty DAO.


Since there have been no suggestions to the above I’m going to go ahead and create a bug bounty DAO and publish the bug bounty program.

Sure. Everything looks good.