Thanks @william for the interest of having a bug bounty program on our platform! In addition to incentivizing white hat hackers to look through the code, having a strong bug bounty program also disincentivizes black hat hackers from exploiting the bug and instead disclosing it, especially since there are many issues with laundering stolen funds while money received from a bug bounty program can be used freely. Here’s some information for greater transparency about us:
Though we’re new and only launched in December, we’ve been growing our community of white hat hackers quite strongly since then. In the past few weeks, our community has helped with uncovering a catastrophic vulnerability on Primitive Finance as well as another on ArmorFi (It seems that I can’t attach more links unfortunately, so please look up “CoinDesk ArmorFi” if you want to read about it).
For our bug bounty platform, we provide all advisory needed to create a bug bounty program, offering our expertise with setting one up in order to achieve the desired goals while keeping in mind the budget of the project. This is not a one-time thing however, and we provide ongoing support as the program remains on our site and making adjustments as necessary as the project grows. Having IDLE as the payment token is also not a problem at all, though we encourage having a stablecoin like IdleDAI as a payment option as well, especially for the lower-tier bugs.
All bug bounty programs on our site use our vulnerability classification system, which we feel would be best since it was written with smart contracts and blockchain in mind, thus also separating web/app severity levels. More information can be found here - Immunefi
We also provide promotion of the program to our community via our newsletter, Discord, and Twitter account, as well as promote it to the greater cybersecurity community where we can and where appropriate.
As a separate service, we can also provide bug report triaging and management so that the Idle team would only deal with validated bug reports and not have to spend time interacting with the bug reporters.
We have no onboarding or maintenance fees for the bug bounty program. We also do not require any deposits. The only fee we charge for the program is a 10% fee on top of the amounts paid out to the bug bounty hunters after a report is accepted by the Idle team. The reason why we have it this way is because we want our bug bounty hunters to get the full displayed amount on our site.
As for the bug report triaging and management service, this is a separate premium service as it can be quite resource-intensive. It starts at USD 1000/month for the first ten bug reports of the month. However, spam/clearly out-of-scope bug reports like those reporting copyright issues, are not counted to this.
If there are any further questions or concerns by anyone from the Idle community, I would be more than happy to answer and address them.