Bug bounty programs incentivize developers to look through the code and fix vulnerabilities as soon as they are discovered, preserving users’ funds and protocol integrity. In the forum post, feedback and references from many contributors shaped the proposed structure.
Immunefi is becoming a reference point in the DeFi space for bug discovery, and its community has already helped uncover major bugs in several protocols. There are over $11 million in bounties available on the platform, with an average critical bounty size of $60k.
This poll aims to formalize the size of the maximum payout for critical vulnerabilities and the use of the Immunefi platform to issue security grants.
The proposed model uses 5 different payout levels, based on severity and likelihood.
Immunefi charges a 10% fee on top of the amounts paid out to the bug bounty hunters after a report is accepted by the Pilot League. No funds need to be deposited or locked in advance.
| Bounty size | Unit of Payment | Issuing entity |
|---|---|---|
| Less than $1k | $USDC | Pilot League |
| Less than $10k | $USDC | Governance (FeeTreasury) |
| More than $10k | $10k in $USDC and the remaining in $IDLE | Governance (FeeTreasury + Ecosystem Fund) |
This poll leaves decision-making autonomy to the Pilot League regarding payment for the premium service (USD 1000/month for bug report triaging and management).
Please cast your vote on one of the following options to set the size of the max payout for critical vulnerabilities:
Vote “$250k”
Vote “$150k”
Vote “$50k”
Vote “Discuss more options”, if you do not agree with the listed options or the accompanying specifications.
Vote “Against Bug Bounty launch”, if you do not agree with this initiative.
Snapshot is an off-chain voting solution: votes are cast by signature, so no gas is spent.