ApeCoin DAO, by 0xfcbbe4EC7287891150e5fc5aD12A17e6b4AA5439

AIP-155: Should we fund an ongoing bug bounty program for all AIP’s that introduce security risk?

Voting ended about 3 years ago. Succeeded.

ABSTRACT

AIP-134 recently requested budget to support the setup of a bug bounty program for the staking system. This proposal suggests we expand the budget and timeline + build a process that supports all future AIPs whose ongoing operation poses risk to ApeCoin community members. We propose using treasury assets to fund a 1 million $APE bug bounty program with Immunefi, and partnering with Solidity.io to help design and implement the program + onboard new AIPs as they launch.

This proposal would unlock the first 20,000 $APE immediately to fund Solidity.io costs for program setup, with the rest made available at program launch to fund white hat hackers until depleted. At that point the community can draft a second proposal to continue funding.

We believe it is very beneficial for the DAO to approve this program, since the absence of this infrastructure and process leaves the DAO with only two options:

  1. Every new AIP must create a second AIP to request additional bug bounty funding, which poorly allocates hacker rewards at scale.
  2. Accept the security risk.

OVERALL COST

A total budget of 1 million $APE (roughly $4.5 million based on 30-day average $APE price).

Operational costs are minimal, and the majority of the budget will be used to fund prizes for the program.

The program will end if the community creates a proposal asking it to cease, and unused funds would be returned.

The funds requested will be allocated as follows:

Bug bounty rewards can be tiered based on the severity of the exploit, or can be based on % of value at risk. Solidity.io and Immunefi will structure the program within the 1 million $APE budget being requested. All budget not listed below will go directly to white hat hackers.

  1. 20,000 $APE (~$60,000) paid to Solidity.io upfront, for operating the ongoing program on behalf of the DAO.
  2. 20,000 $APE annually for each year the program runs, with the first year paid 6 months following launch and every 12 months after.
  3. 10% performance fee paid to Immunefi on any vulnerabilities discovered (i.e. if a white hat hacker is paid $100,000 for a bug they discovered, Immunefi will receive $10,000).

PROPOSAL

Link to the full proposal: https://forum.apecoin.com/t/aip-155-should-we-fund-an-ongoing-bug-bounty-program-for-all-aip-s-that-introduce-security-risk/9278

The AIP implementation is administered by the Ape Foundation. Implementation may be immaterially or materially altered to optimise for security, usability, to protect APE holders, and otherwise to effect the intent of the AIP. Any material deviations from an AIP, as initially approved, will be disclosed to the APE holder community.

Off-Chain Vote

In favor: 2.63M APE (43.3%)
Against: 3.45M APE (56.7%)

Timeline

Jan 11, 2023: Proposal created
Jan 13, 2023: Proposal vote started
Jan 19, 2023: Proposal vote ended
Oct 26, 2023: Proposal updated