[DAO: bafkrei] Manage a bounty program for vulnerability reports

by 0x87956abc4078a0cc3b89b419928b857b8af826ed (Nacho)

Linked Draft Proposal

Manage Bounty program for vulnerability reports

Summary

Request that the DAO cover the payment of the rewards and grant the Decentraland Foundation the ability to manage them as stated in this proposal.

Abstract

As the DAO owns the smart contracts and manages the development of the protocol, we are requesting that it cover the rewards owed for every vulnerability found through the Decentraland bounty program. The Decentraland Foundation is committed to triaging, answering, and fixing every disclosure received. Every payment will be published publicly.

Motivation

Bug bounty programs are open invitations to security researchers to discover and disclose potential vulnerabilities in projects’ smart contracts and applications, thereby protecting projects and their users. For their good work, security researchers receive a reward based on the severity of the vulnerability, as determined by the project affected.

Why have a bug bounty program at all? In 2020 alone, hacks and scams cost the Web3 community over $238m, and bug bounties can prevent those hacks from happening. Bug bounty programs surface vulnerabilities so they can be fixed before they get exploited in malicious hacks that destroy projects and ruin reputations.

Specification

As members of the Security Advisory Board (SAB), we hereby request that the DAO approve and fund the bounty program and, given the DAO's nature and limited execution capabilities, delegate to the Decentraland Foundation the ability to respond to any vulnerability disclosed through the program. That means the Decentraland Foundation is committed to triaging and answering the disclosures received, while the DAO is in charge of providing the funds once a bug report has been reviewed and confirmed as valid. In practice, whenever a payment is due for a valid report under the program, the Decentraland Foundation will inform the DAO of the case number, the recipient wallet address, and the amount to be paid, and will also contact the SAB so that the disclosed vulnerabilities get fixed.

The program is composed of different threat levels and topics:

Smart Contracts
  High      Up to USD 500 000
  Medium    Up to USD 20 000
  Low       USD 1 000

Websites and Applications
  Critical  USD 18 000
  High      USD 6 000
  Medium    USD 3 000
  Low       USD 1 000

Payouts are denominated in USD. However, payouts are made in MANA and USDT, with a minimum of 20% of each payout made in USDT.

The program is not tied to any third party, but the Decentraland Foundation will use third-party expertise and platforms to help administer it. Therefore, after an in-depth initial analysis, the SAB has selected and recommended that the Decentraland Foundation start the bounty program using Immunefi.

The Decentraland bounty program can be found here.

The DAO will publish each payment made for every reward.

Impacts

Decentraland will continue working on its security by encouraging white-hat hackers to participate in the bounty program.

Implementation Pathways

For transparency, the Decentraland Foundation will provide a report about the vulnerabilities accepted, including the disclosure date, a description, and the date the fix was deployed.

Conclusion

The idea is to keep Decentraland safe and secure for every user. The DAO will provide the funds while the Foundation will manage the disclosures accordingly.

I voted YES because I believe there is nothing more important than ensuring the security and stability of our platform. By incentivizing security researchers with appropriate bounties, I believe this will both:

  1. Prevent those with knowledge of exploits from taking advantage of them.
  2. Encourage well-qualified individuals to audit the smart contracts.

Best wishes with this proposal.

1 Like

Hey I am so for this program existing. I even voted yes and asked a few questions on the original poll.

But before this gets passed — I would like to call attention to this being a governance proposal and not a grant proposal, meaning once it is approved it is binding forever, as I understand. I am curious to know the allocation of funds, and if there are caps per year? I understand and believe in the importance of these bounty programs, but what stops them from draining all the DAO funds if there are multiple threats? Hopefully not, but how do we mitigate this possible scenario? Or do you have data from previous bugs to show that this wouldn’t be an issue?

Sorry if I’m stuck on the wrong issue here, but would like to know how this will be handled before I vote, but thanks for all you do!

1 Like

Hi! Thanks for raising this point.

The DAO won’t be forced to pay rewards if they consider that the treasury is being compromised. It is hard to estimate how many reports we are going to have and pay, but we are conscious that every development must be audited before it goes to production. I think that if we start having too many valid reports per day, we will need to slow down the development and improve the quality. How can we mitigate this? Well, I believe that the DAO will stop sending the funds and raise its voice to have a better development process.

2 Likes

As a land owner I voted yes on this proposal because I can’t think of anything more important than protecting our smart contracts. We need incentives large enough to encourage those who have found vulnerabilities within the system to report them.

2 Likes

Thanks for your response, and glad to know this will be considered! I do think this is super important and needs to exist, so I wish y’all luck with the program!!

Much needed; these have been proven to work well. Thought I already voted yes and commented.

This proposal is now in status: PASSED.

Voting Results:

  • Yes 100% 7,520,426 VP (87 votes)
  • No 0% 0 VP (0 votes)

This proposal has been ENACTED by a DAO Committee Member (0xfe91c0c482e09600f2d1dbca10fd705bc6de60bc)