Request For Comment: New Bug Bounty OIP Proposal

Hello everyone.

After some discussion the Bug Bounty Management team would like to add a new tier to our existing bounty program. Please find the relevant text for a proposed OIP below.

Summary

This OIP proposes adding the following language to the ImmuneFi Olympus Bug Bounty:

“Tier 4: The Bug Bounty Management team may from time to time, at its discretion, issue an award of up to $16,942.00 for submissions which do not qualify for bounties under other tiers, but which the team feels nonetheless are high effort, high quality, and of material use in improving Olympus’ codebase. Note that this bounty is not available to Olympus contributors, who should contact the Bug Bounty Management team directly for a bounty if they have found a bug or inefficiency that is within Olympus’ codebase but outside of their mandate as a contributor. Further note that this bounty will not be awarded regularly. It is meant only for extremely high quality submissions which have significant material impacts to Olympus. No person submitting a bounty should assume that they are entitled to this or will be awarded it, as the bar to qualify for it will be very high.”

And to approve its funding via the Treasury as needed.

Motivation

In the process of running the Olympus Bug Bounty through ImmuneFi, the Bug Bounty Management Team has received submissions which were high quality and of great use in improving Olympus’ codebase, but did not technically qualify for a Bounty under our existing tiers.
In order to provide incentive for coders both independent and within the DAO to continue making efforts to go above and beyond finding areas where the codebase can be improved, we propose adding a flexible ‘improvement tier’ to be awarded at the Bug Bounty Management team’s discretion.


Proposal

Add the aforementioned language to the ImmuneFi Olympus Bug Bounty program, and authorize the Treasury to make payments of up to $18,636.20 ($16,942 * 1.1, as ImmuneFi charges a 10% fee for accepted submissions) on an as-needed basis in order to award appropriate submissions.

Generally pro this request but would love some additional information. Do we have metrics on how many bugs have been submitted that would have fallen into this criteria and if so, what the estimated payout would have been?

As the current proposal is greenfield, I would suggest that we place some sort of Fee Cap / Not to Exceed (Quarterly? Bi-annually? Annually?) such that we can budget around it.

Otherwise, I'm in favor.

    Relwyn 2 submissions have been given to the Bug Bounty Management team which would have fallen into this category. Both were rewarded, though the issue was they were rewarded through "one off" measures done by the engineering team in conjunction with operations. This simply streamlines the process.

    I think adding a cap is reasonable. I will add that it will not exceed three awards monthly. We've only had two that would have qualified in the last 4-5 months so it's unlikely that will ever be an issue.

    Awesome! So, if as you suggest, we put 3 awards monthly with a cap of $18,636 that would create a not to exceed of:

    $55,908/MRC

    I think the only other thing we'd need to review is the budget's tolerance for that not-to-exceed spend.

    @hOHMwardbound could probably help with that.

      Relwyn for reference I don't think we'll get anywhere near that kind of amount. To date we've only had 2 bugs qualify for this kind of award.

        +1000

        Bug bounties and tier definitions, including those for ad hoc awards, are extremely important. I would propose we add more lower tiers also. This is a very cost-effective way of having multiple people audit the code and even provide code.

        In our experience (since we won one of the bounties previously from Olympus) encouraging this will make the protocol much more robust and the immunefi tiers should absolutely be expanded. This will encourage responsible disclosures.
