• © Goverland Inc. 2026
Decentraland, by 0x5E23D08324f017d5425e59A2782C9ae27aCE0958

Set up a bounty program for vulnerability reports

Voting ended over 3 years ago. Succeeded

by 0x87956abc4078a0cc3b89b419928b857b8af826ed (Nacho)

Bug bounty programs are open invitations to security researchers to discover and disclose potential vulnerabilities in projects’ smart contracts and applications, thereby protecting projects and their users. For their good work, security researchers receive a reward based on the severity of the vulnerability, as determined by the project affected.

Why have a bug bounty program at all? In 2020 alone, hacks and scams cost the Web3 community over $238m, and bug bounties can prevent those hacks from happening. Bug bounty programs surface vulnerabilities so they can be fixed before they get exploited in malicious hacks that destroy projects and ruin reputations.

As members of the Security Advisory Board (SAB), we hereby request the DAO to approve and fund the bounty program and, due to its nature and limited execution capabilities, delegate to the Decentraland Foundation the ability to respond to any vulnerability disclosed through the program. That means that the Decentraland Foundation is committed to doing the triage and answering the disclosures received, while the DAO is in charge of providing the funds needed once a confirmed bug report is reviewed and confirmed. So basically, when a payment has to happen due to a valid report under the program, the Decentraland Foundation will inform the DAO of the case #, the recipient wallet address and the amount to be paid, and shall also contact the SAB in order to fix the vulnerabilities disclosed.

The program is composed of different threat levels and topics:

Smart Contracts

  • High: Up to USD 500 000
  • Medium: Up to USD 20 000
  • Low: USD 1 000

Websites and Applications

  • Critical: USD 18 000
  • High: USD 6 000
  • Medium: USD 3 000
  • Low: USD 1 000

Payouts are denominated in USD. However, payouts are done in MANA and USDT, with a minimum of 20% to be done in USDT.

The program is not tied or attached to any third party, but the Decentraland Foundation will use them and their expertise and platforms to help administrate the program. Therefore, and after a deep initial analysis, the SAB has selected and recommends the Decentraland Foundation to start the bounty program using Immunefi.

The Decentraland bounty program can be found here.

  • Yes
  • No
  • Invalid question/options

Vote on this proposal on the Decentraland DAO

Off-Chain Vote

  • Yes: 937.63K VP (67.8%)
  • No: 0 VP (0%)
  • Invalid question/options: 445.99K VP (32.2%)

Timeline

  • Jul 08, 2022: Proposal created
  • Jul 08, 2022: Proposal vote started
  • Jul 13, 2022: Proposal vote ended
  • Oct 26, 2023: Proposal updated