Increase bug bounty bounds and make bounties more discreet

Increase bug bounty program

Lido’s a very mission-critical project and is a very lucrative target. The realities of the bug bounty market for DeFi these days also set the bar for critical vulnerabilities bounties quite high. It’s time to increase Lido’s bug bounty to a reasonably big level.

I propose granting LEGO the power to select critical targets and vulnerability types and raise a bounty for them up to $2m depending on potential impact.

Make bug bounty payment more discrete

One more change is needed to be done for LEGO processes: currently, all payments of boulder and larger size need to be posted on research.lido.fi with details; that is not a great process when it’s a payment for a (yet or ever) unmitigated vulnerability in smart contracts.

I propose an amendment to LEGO rules that would allow bug bounty payments to go before specifying the exact reason of payment, at the condition that the reason will be disclosed within 90 days.

More details and discussion available at https://research.lido.fi/t/expand-and-increase-bug-bounty-program/957