Set up formal Bug Bounty program

After yet another hack, I think that it’s time for Idle to set up a formal bug bounty program, in order to safely incentivize responsible disclosure of bugs and exploits.

One of the most used bug bounty platforms right now in DeFi seems to be https://immunefi.com/, so I propose to set up a bounty there, in IDLE if possible.

The various reward levels are for sure debatable, but top rewards should heavily incentivize the disclosure given that the current TVL is above $120M, so something like 10000 IDLE or even more could be a good bounty imo.

The idea is to create a Snapshot poll in a couple of days to decide if a bug bounty should be set up and what the amount for the top reward would be.

Some references for reward levels:

13 Likes

Nice to see this brought up on the forum, a bug bounty is a key incentive to finding security flaws before they become an exploit. What I would like to see however is a clear classification system for how to value different vulnerabilities, and what criteria would be required for different levels of payout.

Perhaps a ranking of severity matched with some minimum criteria for each and the associated payout.

Making this very clear upfront gives white-hat hackers a guarantee of payout with as little dispute as possible, incentivising thorough investigation of the contracts.

8 Likes

The reference links (e.g. the ones for Aave and Curve) show the OWASP model that they use.

This is what we should have, and we can basically copy one of them.

4 Likes

Hi everyone,

Thanks @william for the interest in having a bug bounty program on our platform! In addition to incentivizing white hat hackers to look through the code, having a strong bug bounty program also disincentivizes black hat hackers from exploiting the bug and instead encourages disclosing it, especially since there are many issues with laundering stolen funds, while money received from a bug bounty program can be used freely. Here’s some information for greater transparency about us:

Community Strength

Though we’re new and only launched in December, we’ve been growing our community of white hat hackers quite strongly since then. In the past few weeks, our community has helped with uncovering a catastrophic vulnerability on Primitive Finance as well as another on ArmorFi (It seems that I can’t attach more links unfortunately, so please look up “CoinDesk ArmorFi” if you want to read about it).

Services

For our bug bounty platform, we provide all the advisory needed to create a bug bounty program, offering our expertise with setting one up in order to achieve the desired goals while keeping in mind the budget of the project. This is not a one-time thing however; we provide ongoing support while the program remains on our site and make adjustments as necessary as the project grows. Having IDLE as the payment token is also not a problem at all, though we encourage having a stablecoin like IdleDAI as a payment option as well, especially for the lower-tier bugs.

All bug bounty programs on our site use our vulnerability classification system, which we feel would be best since it was written with smart contracts and blockchain in mind, thus also separating web/app severity levels. More information can be found here - Immunefi

We also provide promotion of the program to our community via our newsletter, Discord, and Twitter account, as well as promote it to the greater cybersecurity community where we can and where appropriate.

As a separate service, we can also provide bug report triaging and management so that the Idle team would only deal with validated bug reports and not have to spend time interacting with the bug reporters.

Cost Structure

We have no onboarding or maintenance fees for the bug bounty program. We also do not require any deposits. The only fee we charge for the program is a 10% fee on top of the amounts paid out to the bug bounty hunters after a report is accepted by the Idle team. The reason why we have it this way is because we want our bug bounty hunters to get the full displayed amount on our site.

As for the bug report triaging and management service, this is a separate premium service as it can be quite resource-intensive. It starts at USD 1000/month for the first ten bug reports of the month. However, spam/clearly out-of-scope bug reports, like those reporting copyright issues, are not counted toward this.

If there are any further questions or concerns by anyone from the Idle community, I would be more than happy to answer and address them. :grinning:

7 Likes

Hi @TravinImmunefi, nice to have you here and thanks for all the information.

I think it makes sense; currently the treasury does not hold idleTokens, but we can add them along the way.

The system seems good and in line with community standards; I think we can use it for the smart contract side.

That’s a nice plus that can help with bug discoveries.

The service may be interesting, but what if no bug is discovered during a month? Is the whole payment due?

4 Likes

Happy to be here :slight_smile:

Sure, we can modify this as needed moving forward.

Glad you think so!

Glad you see the value in it. If this moves forward, I’ll set up a group with my colleague who would be handling the promotion in order to have it in line from Idle’s side as well.

This cost structure is largely experimental at this stage, and though there are some fixed costs associated with onboarding and keeping a client, we can have it during this stage that if there are no bug reports in a given month, the fee is not charged for that month. Overall we’ll have to work this out once other details of the program are finalized too, such as the critical bug payout amount, but we’ll certainly be happy to talk to get this to work for the Idle team.

4 Likes

This seems fair.

I think the next steps for the Idle community on this are to discuss and finalize payout levels and formalize the decision through a Snapshot poll.

Given the suggestion of using 5 different payout levels, I think we can use the Aave bug bounty payout structure (which separates likelihood and severity) and decide the max payout for critical vulnerabilities.

We can probably pay out bounties up to $5k-10k in stablecoins and higher bounties in IDLE.

Waiting for community comments now :slight_smile:

6 Likes

Sure, we can combine the Likelihood part with our Severity system and have that to determine the final payout amount.

5 Likes

I think that this is a good payout structure to start.

I suggest opting for Immunefi because it has some of the best visibility among bug bounty seekers. Last but not least, from direct experience, it has a good team and processes for event management.

It’s also a good moment to start because of the upcoming new features launch (Aave v2 and Compound ETH).

Shall we proceed with a community poll?

7 Likes

I think the missing piece is deciding what the highest possible payout for Critical vulnerabilities should be, so as to have various choices for the Snapshot. For Aave and Curve it’s $250k (without vesting, to my knowledge).

We could do something like 10k IDLE right away and 10k after something like 3 months of vesting, so a total of 20k IDLE; how does that sound? @TravinImmunefi are vested rewards common for high tier bounties?
For bounties up to $10k we can pay them in stablecoins (or half stable and half IDLE), while for higher level bounties payment should be done in IDLE.

4 Likes

These are good ideas.

I do not suggest vesting for bug bounties related to your protocol; I would suggest it if you want to sponsor other ones or other kinds of initiatives (e.g. new features).

I will leave it open and up to the recipient to decide whether to get it in Idle tokens or a dollar equivalent.

Choosing only one of them could discourage the bounty hunter.

The overall idea is simple: incentivize acting well, as any limiting factor could disincentivize :wink:

4 Likes

I think the missing piece is deciding what the highest possible payout for Critical vulnerabilities should be, so as to have various choices for the Snapshot. For Aave and Curve it’s $250k (without vesting, to my knowledge).

$250k is a solid starting point to get higher tier bug bounty hunters to look through the code.

However, if you want good PR for it, on top of really attracting the best of the best and really incentivizing blackhats to disclose instead of exploit, a payout of something like $1m or higher tends to get decent media attention, though with some PR work as well of course, which we could definitely help you with. One of our clients that we recently onboarded just got featured on CoinDesk for this. Though that amount seems quite high, it can be restricted significantly, though still within reason, by placing a cap of 10% of the funds at risk for the payout. So if $500k worth of funds are affected, then $50k is the payout. This is quite reasonable, as a critical-level bug that only affects $500k worth of funds doesn’t need to be compensated with $1m.

We could do something like 10k IDLE right away and 10k after something like 3 months of vesting, so a total of 20k IDLE; how does that sound? @TravinImmunefi are vested rewards common for high tier bounties?

They’re not really common. Only two of the 7 projects on our site with max payouts of over $100k have them, and it was because they were brand-new projects that were launching a bug bounty program in the very early stages of their token and project. In general, having unvested payouts tends to attract bug bounty hunters more, so it’s best to avoid vesting where possible.

For bounties up to $10k we can pay them in stablecoins (or half stable and half IDLE), while for higher level bounties payment should be done in IDLE.

I will leave it open and up to the recipient to decide whether to get it in Idle tokens or a dollar equivalent.
Choosing only one of them could discourage the bounty hunter.

Yes, giving them the option here would be good on what token they receive. We can add more options as well as you wish.

I suggest opting for Immunefi because it has some of the best visibility among bug bounty seekers. Last but not least, from direct experience, it has a good team and processes for event management.

Thanks for the support @emilianobonassi!

3 Likes

There should not be any compromise on security.
It’s just fair to pay market prices for the best talent.
Wen snapshot @Salome

5 Likes

That’s something that would be great, but at the moment we have no real option, given that the current treasury size would not be able to support this kind of payment. The best that we can do, I think, is to offer at least a small part of the bounty in stable (like 10-20%) and the rest in IDLE.

The 10% cap makes sense but with a limit, e.g. the proposed $250k; otherwise it would be effectively uncapped.

5 Likes

A Snapshot poll has been set up for the Bug Bounty on Immunefi: LINK

It will last for 3 days. Please cast your vote (off-chain voting does not cost gas).

4 Likes

The Temperature check clearly outlines what the Governance decision is; we can now move on and set up the program!

The program boundaries are:

  • Max payout size for critical vulnerabilities set at $250k
  • Immunefi is the platform to issue security grants
  • Bounties under $10k paid in $USDC, and in $IDLE for greater amounts
  • 5 different payout levels, based on severity and likelihood

Now that there is a consensus on the next steps, it’s time to ping @TravinImmunefi to share some insights on the onboarding procedure :fire:

6 Likes

Wonderful! Thanks to everyone who voted for this. It’s really nice to see that there was a unanimous vote with regards to having a bug bounty program on Immunefi.

I’ll send over a questionnaire, pre-filled with some of the information provided here, to the development team in order for this to move forward.

Excited to have IDLE on Immunefi!

6 Likes