[DAO: bafkrei] Set up a bounty program for vulnerability reports

by 0x87956abc4078a0cc3b89b419928b857b8af826ed (Nacho)

Bug bounty programs are open invitations to security researchers to discover and disclose potential vulnerabilities in projects’ smart contracts and applications, thereby protecting projects and their users. For their good work, security researchers receive a reward based on the severity of the vulnerability, as determined by the project affected.

Why have a bug bounty program at all? In 2020 alone, hacks and scams cost the Web3 community over $238m, and bug bounties can prevent those hacks from happening. Bug bounty programs surface vulnerabilities so they can be fixed before they get exploited in malicious hacks that destroy projects and ruin reputations.

As members of the Security Advisory Board (SAB), we hereby request the DAO to approve and fund the bounty program and, due to its nature and limited execution capabilities, to delegate to the Decentraland Foundation the ability to respond to any vulnerability disclosed through the program. That means that the Decentraland Foundation is committed to doing the triage and answering the disclosures received, while the DAO is in charge of providing the funds needed once a confirmed bug report is reviewed and confirmed. So basically, when a payment has to happen due to a valid report under the program, the Decentraland Foundation will inform the DAO with the case #, the recipient wallet address and the amount to be paid, and shall also contact the SAB in order to fix the vulnerabilities disclosed.

The program is composed of different threat levels and topics:

Smart Contracts

  • High: Up to USD 500 000
  • Medium: Up to USD 20 000
  • Low: USD 1 000

Websites and Applications

  • Critical: USD 18 000
  • High: USD 6 000
  • Medium: USD 3 000
  • Low: USD 1 000

Payouts are denominated in USD. However, payouts are done in MANA and USDT, with a minimum of 20% to be done in USDT.

The program is not tied or attached to any third party, but the Decentraland Foundation will use them and their expertise and platforms to help administrate the program. Therefore, and after a deep initial analysis, the SAB has selected and recommends the Decentraland Foundation to start the bounty program using Immunefi.

The Decentraland bounty program can be found here.

  • Yes
  • No
  • Invalid question/options

Vote on this proposal on the Decentraland DAO

View this proposal on Snapshot

2 Likes

Hey Nacho, really love this idea, such a great incentive to bounty vulnerabilities, such as bugs and people taking advantage. A handful of questions below…

  • Would love a little more insight into how y’all came about with those bounty payouts, I know you have the breakdowns on the site (and sorry if I’m not technically minded enough to understand), but is this based on previous losses in scams/bugs?

  • How do you plan to do the oversight on the submissions of vulnerabilities?

  • And what happens if multiple hunters submit for the same one, is the bounty shared or first come first served?

  • Will there be transparency reports of the vulnerabilities, and what’s in action and in what step of confirming?

  • How do you plan to safeguard against trolls who are out there trying to take someone down they don’t like, possibly tarnishing someone’s reputation?

Regardless I’m going to vote yes on this, but would love a bit more insight into what to expect from the proposal, thanks!

1 Like

Thanks for the question @ckbubbles.

  • Would love a little more insight into how y’all came about with those bounty payouts, I know you have the breakdowns on the site (and sorry if I’m not technically minded enough to understand), but is this based on previous losses in scams/bugs?

Basically you define the threat levels and payouts based on the monetary impact.

  • How do you plan to do the oversight on the submissions of vulnerabilities?

The SAB is going to take care of the reports submitted.

  • And what happens if multiple hunters submit for the same one, is the bounty shared or first come first served?

In that case, Immunefi takes care of duplicates. The client (DCL Foundation) will pay just once. So, first come first served.

  • Will there be transparency reports of the vulnerabilities, and what’s in action and in what step of confirming?

I’m not 100% sure about low/informational but at least for High/Critical yes. They are going to be published once the vulnerability is 100% fixed.

  • How do you plan to safeguard against trolls who are out there trying to take someone down they don’t like, possibly tarnishing someone’s reputation?

What do you mean? I’m not sure if I understood this one.

1 Like

The last part @Nacho was for, if people decide to submit false bug reports to try and troll another landowner/player. I’m curious to know how much of the process is automated, or is each report dealt with by an individual/team?

This gets a giant YES from me! I do have one question though.

Is this something that can be applied retroactively? Specifically in regards to the security researcher who identified the exploit in the land smart contract back in March? (I believe it was March)

Not certain my comment was seen on Twitter, but I believe this person is the greatest hero to Decentraland yet, and it would be wonderful if the bounty they receive(d) could accurately reflect their contribution.

Great and necessary proposal, and I hope this passes without issue. There is no better use of the DAO treasury funds than ensuring the security of the code. :upside_down_face:

1 Like

This is something that has been proven to work. Support this 100%.

Thanks everyone for the support.

  • The last part @Nacho was for, if people decide to submit false bug reports to try and troll another landowner/player. I’m curious to know how much of the process is automated, or is each report dealt with by an individual/team?

Submissions will happen on Immunefi in this case, so LAND owners/players are not going to be in contact with the white hat hackers. They are still reaching them with fake bugs/support. That is not going to change. We can send a message on Discord notifying that every bug disclosure must be done using Immunefi.

  • Not certain my comment was seen on Twitter, but I believe this person is the greatest hero to Decentraland yet, and it would be wonderful if the bounty they receive(d) could accurately reflect their contribution.

They received an accurate reward for their contribution.

4 Likes

This is a much needed initiative and I can vouch for @Nacho’s knowledge on the issue, he has helped me with some technical issues before :100:

We fear what we do not understand. Finding vulnerabilities is a first essential step towards eliminating them. Offering these bounties will go a long way to ease the fears of new users as they increasingly join this space.

Voted Yes.

1 Like

Voted invalid question.
Of course I support a bug bounty, but what’s the need of this proposal if the proposal is already live on Immunefi?

What is the part that is not clear for you? Maybe I can help to clarify.

The bounty program is already published at Immunefi as you said, but the proposal is about the DAO covering the rewards payment and the possibility for the Foundation to manage them, as the proposal states.

Set up a bounty program for vulnerability reports

This proposal is now in status: FINISHED.

Voting Results:

  • Yes 68% 937,621 VP (40 votes)
  • No 0% 0 VP (0 votes)
  • Invalid question/options 32% 445,990 VP (2 votes)

My bad @Nacho – sorry. I missed that part as was explained on the proposal. I just thought the Foundation was “asking the DAO for permission” when you had already done it (as happened before, coff coff)

I’d change my vote, but I see it’s already approved. Sorry for the confusion.
btw, as I said earlier, I’m super in favor of the bug bounty. Not sure if Foundation or the DAO should pay for this (the Foundation’s financials are obscure to us the community), but we’ll see that in the next stages of the 3-step governance process.

Set up a bounty program for vulnerability reports

This proposal has been PASSED by a DAO Committee Member (0xfe91c0c482e09600f2d1dbca10fd705bc6de60bc)