Set up a formal Bug Bounty program

After yet another hack, I think that it’s time for Idle to set up a formal bug bounty program, in order to safely incentivize responsible disclosure of bugs and exploits.

One of the most used bug bounty platforms right now in DeFi seems to be https://immunefi.com/, so I propose to set up a bounty there, in IDLE if possible.

The various reward levels are for sure debatable, but top rewards should heavily incentivize disclosure given that the current TVL is above 120M$, so something like 10000 IDLE or even more could be a good bounty imo.

The idea is to create a Snapshot poll in a couple of days to decide if a bug bounty should be set up and what the amount for the top reward would be.

Some references for reward levels:

11 Likes

Nice to see this brought up on the forum; a bug bounty is a key incentive for finding security flaws before they become an exploit. What I would like to see, however, is a clear classification system for how to value different vulnerabilities, and what criteria would be required for different levels of payout.

Perhaps a ranking of severity matched with some minimum criteria for each and the associated payout.

Making this very clear upfront gives white-hat hackers a guarantee of payout with as little dispute as possible, incentivising thorough investigation of the contracts.

7 Likes

The reference links (e.g. the ones for Aave and Curve) show the OWASP model that they use.

This is what we should have, and we can basically copy one of them.

3 Likes

Hi everyone,

Thanks @william for the interest in having a bug bounty program on our platform! In addition to incentivizing white hat hackers to look through the code, having a strong bug bounty program also disincentivizes black hat hackers from exploiting the bug and instead encourages disclosing it, especially since there are many issues with laundering stolen funds, while money received from a bug bounty program can be used freely. Here’s some information for greater transparency about us:

Community Strength

Though we’re new and only launched in December, we’ve been growing our community of white hat hackers quite strongly since then. In the past few weeks, our community has helped with uncovering a catastrophic vulnerability on Primitive Finance as well as another on ArmorFi (it seems that I can’t attach more links, unfortunately, so please look up “CoinDesk ArmorFi” if you want to read about it).

Services

For our bug bounty platform, we provide all the advisory needed to create a bug bounty program, offering our expertise with setting one up in order to achieve the desired goals while keeping in mind the budget of the project. This is not a one-time thing, however: we provide ongoing support as the program remains on our site, making adjustments as necessary as the project grows. Having IDLE as the payment token is also not a problem at all, though we encourage having a stablecoin like IdleDAI as a payment option as well, especially for the lower-tier bugs.

All bug bounty programs on our site use our vulnerability classification system, which we feel would be best since it was written with smart contracts and blockchain in mind, thus also separating web/app severity levels. More information can be found here - Immunefi

We also provide promotion of the program to our community via our newsletter, Discord, and Twitter account, and promote it to the greater cybersecurity community where we can and where appropriate.

As a separate service, we can also provide bug report triaging and management so that the Idle team would only deal with validated bug reports and not have to spend time interacting with the bug reporters.

Cost Structure

We have no onboarding or maintenance fees for the bug bounty program. We also do not require any deposits. The only fee we charge for the program is a 10% fee on top of the amounts paid out to the bug bounty hunters after a report is accepted by the Idle team. The reason why we have it this way is because we want our bug bounty hunters to get the full displayed amount on our site.

As for the bug report triaging and management service, this is a separate premium service, as it can be quite resource-intensive. It starts at USD 1000/month for the first ten bug reports of the month. However, spam and clearly out-of-scope bug reports, like those reporting copyright issues, are not counted toward this.

If there are any further questions or concerns by anyone from the Idle community, I would be more than happy to answer and address them. :grinning:

6 Likes

Hi @TravinImmunefi, nice to have you here and thanks for all the information.

I think it makes sense; currently the treasury does not hold idleTokens, but we can add them along the way.

The system seems good and in line with community standards; I think we can use it for the smart contract side.

That’s a nice plus that can help with bug discoveries.

The service may be interesting, but what if no bug is discovered during a month? Is the whole payment due?

3 Likes

Happy to be here :slight_smile:

Sure, we can modify this as needed moving forward.

Glad you think so!

Glad you see the value in it. If this moves forward, I’ll set up a group with my colleague who would be handling the promotion in order to have it in line from Idle’s side as well.

This cost structure is largely experimental at this stage, and though there are some fixed costs associated with onboarding and keeping a client, we can arrange during this stage that if there are no bug reports in a given month, the fee is not charged for that month. Overall we’ll have to work this out once other details of the program are finalized too, such as the critical bug payout amount, but we’ll certainly be happy to talk to get this to work for the Idle team.

2 Likes

This seems fair.

I think the next steps for the Idle community on this are to discuss and finalize payout levels and formalize the decision through a Snapshot poll.

Given the suggestion of using 5 different payout levels, I think we can use the Aave bug bounty payout structure (which separates likelihood and severity) and decide the max payout for critical vulnerabilities.

We can probably pay out bounties up to 5k-10k $ in stablecoins and higher bounties in IDLE.

Waiting for community comments now :slight_smile:

4 Likes

Sure, we can combine the Likelihood part with our Severity system and use that to determine the final payout amount.

4 Likes