[BIP-687] Transition of Bug Bounty Program Responsibility to Balancer DAO

Introduction: Since the launch of Balancer v1 in 2020, Balancer Labs has been managing and financing the bug bounty program for the Balancer DAO. With the introduction of Balancer v2, the bounties were significantly increased, further cementing Balancer's commitment to the protocol's security. Balancer Labs develops open-source software for the benefit of the Balancer protocol and has never charged the DAO for this work. All fees generated by the Balancer protocol are directed to the DAO; nothing goes to Balancer Labs.

This proposal suggests transitioning the responsibility for the bug bounty program from Balancer Labs to the Balancer DAO as a first step towards making the DAO and the Balancer ecosystem more independent from Balancer Labs.

Current Situation:

• The bug bounty program, hosted on Immunefi, offers up to $1,000,000 for critical vulnerabilities, with rewards based on impact according to the Immunefi Vulnerability Severity Classification System.
• Balancer Labs has funded and managed the bug bounty program for the Balancer DAO since its inception.
• Balancer Labs currently operates without income streams.

Proposal: Starting now, the responsibility for financing the bug bounty program should transition from Balancer Labs to the Balancer DAO. Today a committee composed of Balancer Labsand Beets DAO is responsible for receiving and analyzing bug reports submitted. We propose that Hypernative joins this committee to assist on bug report analysis going forward.

In summary, if this proposal is approved, Balancer DAO will make the payments for any bug bounties awarded by the committee mentioned above. This change aligns with industry standards and ensures the bug bounty program's sustainability.

Rationale:

1. Financial Sustainability: Shifting the cost to the DAO distributes the financial burden among its stakeholders.
2. DAO Governance: The DAO will control program parameters and budget, aligning with its decentralized governance model. It's in line with the decentralized governance model for the DAO to take ownership of critical initiatives like the bug bounty program.
3. Protocol Maturity: As Balancer's protocol matures, it's suitable for the DAO to operate its bug bounty program.
4. Industry Standards: This move is consistent with how other DeFi protocols manage their bug bounties.

Implementation Plan:

1. Communication: Clearly communicate the transition plan to the Balancer community and stakeholders.
2. Voting: Hold a forum discussion and a vote within the Balancer DAO community on this proposal.
3. Budget Allocation: The DAO should earmark 1,000,000 USDC (currently the highest bounty offered in the program) from the DAO treasury. If smaller bounties are paid, the DAO should top up this earmarked budget so it always has 1,000,000 USDC available. This amount can potentially change if the highest bounty is changed.
4. Bug Bounty Guidelines: Keep the same guidelines used today or define clear procedures for bug submission, evaluation, and rewards, making them accessible to all community members.
5. Bug Bounty Platform: It's suggested that Balancer DAO maintains the current Immunefi partnership, but another platform could be used to streamline the bug bounty process if decided by the committee.

Conclusion: Transitioning the bug bounty program to the Balancer DAO is a significant step towards decentralization of Balancer DAO. This change will ensure the program's sustainability and encourage greater community involvement in securing the Balancer protocol.

For more details on the current bug bounty program, visit Immunefi's Balancer Bug Bounty page.

Technical specification: 1,000,000 USDC will be earmarked by funds from the karpatkey managed safe at 0x0EFcCBb9E2C09Ea29551879bd9Da32362b32fc89. BLabs or the Balancer DAO can request funds for usage of the bounty program and karpatkey ensures transfer of these funds within 48 hours upon request.