[GIP-16] Bug Bounty: 08.2022 Payout and process structuring

This proposal consists of three parts.

The first part authorizes a payout of an Immunefi bounty for a critical bug discovered on August 12.

Parts 2 and 3 aim to formalize and streamline the processes regarding oversight and payouts of bug bounties.

Part 1: August Bug Bounty Payout

On August 12.08.2022, all 4 Credit Managers were paused by the pause function - due to a reported bug on Immunefi. That happened quickly after developers confirmed the bug and tested the vulnerability. A week later the fix was made, tested, soft-audited & deployed. The protocol was thus unpaused. Post-mortem is to follow soon, see Discord for more info 1.

As per the program details set up previously, the payout is:

• $150,000 as CRITICAL ISSUE to the designated addresses confirmed by the whitehat: 0xEab01F3A309f680B08a28B9ED3aFF417ca0E4345
• 10% of that is Immunefi’s fee aka $15,000 to the designated addresses confirmed by the Immunefi team: immunefi.eth

As the DAO now controls the protocol & all its operations, this vote is to approve the payout of the bug bounty as confirmed by the protocol developers.

Part 2: Financial Multisig authorized to pay out bounties

The financial multisig would be allowed to release payments according to the bug bounty structure in cases when developers overseeing the bug bounty program confirm & fix the issues if presented. That is, to avoid redundant governance voting procedures.

Part 3: Bug Bounty Oversight Committee

A committee that has direct access to bug reports and coordinates appropriate responses would be formally established. Initial members (per Discord handles):

Threat assessment and solution development:

• Mikael
• Van0k
• apeir99n

Coordination with Immunefi and tech multisig:

• ivangbi