Klima DAO, by 0x693aD12DbA5F6E07dE86FaA21098B691F60A1BEa (archimedescrypto.blockchain)

KIP-2 KlimaDAO Bug Bounty

Voting ended about 4 years ago. Status: Succeeded

Summary

This proposal authorizes KlimaDAO to offer a bug-bounty for disclosed bugs, exploits, and vulnerabilities which meet the later specified criteria. The rewards for this bounty will include a "Proof of Whitehat" NFT reward and a cash bonus paid in KLIMA for whitehats that identify bugs that could lead to a loss of funds from the Protocol's Treasury and Bonding contracts. The DAO will fund the reward using KLIMA from DAO funds. This KIP is for the first bug bounty programme from KlimaDAO to incentivise early action in this regard and minimize risk for the protocol.

Motivation

KlimaDAO must ensure that it is safe and secure. Incentivising whitehats to search for bugs and exploits through rewards is one proactive strategy to identify and rectify weaknesses in the protocol. Ultimately, an effective bug bounty programme can save the protocol time and money and ensure it is resilient to enable long-term growth.

Proposal

The bug bounty paid out will be equivalent to 50% of the funds which could have been stolen from an exploit, up to a maximum cash value of $2,500,000.

The bug bounty will only be paid out for submissions that satisfy the eligibility criteria, outlined below.

Source of Funds for Bug Bounty

If approved, the protocol will ring-fence 10% of DAO funds for the bug bounty programme. If additional funds are required, they will be sourced from the DAO’s general funds.

This approach gives the DAO an immediate budget to compensate whitehats. It also builds up an additional budget that may be allocated for further security incentives in the future as the protocol grows.

Process

Bug bounties should be emailed to bounty@klimadao.finance. Klimadmins/Core members will evaluate the threat immediately and prioritise taking action to minimise the risk of the exploit.

The evaluation will be used to validate the proportion of the funds at risk from the exploit, and determine the total bug bounty payout. To be eligible for the bounty, whitehats must satisfy the eligibility criteria, below.

Eligibility

To qualify under the rewards programme, whitehats must:

Be the first to report a specific vulnerability.

Send a clear textual description of the report along with steps to reproduce the vulnerability. Attachments such as screenshots or proof of concept code should be included as necessary.

Disclose the vulnerability report responsibly to us. Public disclosure or disclosure to other third parties - including vulnerability brokers - before we have addressed your report forfeits the reward.

Demonstrate care in reproducing the vulnerability. In particular, test only on accounts you own and do not attempt to view or tamper with data belonging to others.

Not submit vulnerabilities based on information they were not able to garner for themselves. For example, an exploit which “would work if a hacker could compromise an admin key” will not be considered.

Other Details

Any details which are not explicitly outlined in this post, but which must be decided upon in order to execute the Bug Bounty program (including but not limited to who is commissioned to create the NFT, etc.) shall be decided by the Core member managing the bug bounty.

Off-Chain Vote

YES: I agree, create the program
39.93K 99.8%
NO: I disagree, don't create
89.27 0.2%

Timeline

Nov 17, 2021: Proposal created
Nov 18, 2021: Proposal vote started
Nov 21, 2021: Proposal vote ended
Oct 26, 2023: Proposal updated