Summary

This OIP proposes adding the following language to the ImmuneFi Olympus Bug Bounty:

“Tier 4: The Bug Bounty Management team may from time to time, at its discretion, issue an award of up to $16,942.00 for submissions which do not qualify for bounties under other tiers, but which the team feels nonetheless are high effort, high quality, and of material use in improving Olympus’ codebase. Note that this bounty is not available to Olympus contributors, who should contact the Bug Bounty Management team directly for a bounty if they have found a bug or inefficiency that is within Olympus’ codebase but outside of their mandate as a contributor. Further note that this bounty will not be awarded regularly. It is meant only for extremely high quality submissions which have significant material impacts to Olympus. No person submitting a bounty should assume that they are entitled to this or will be awarded it, as the bar to qualify for it will be very high.”

And to approve its funding via the Treasury as needed.

Motivation

In the process of running the Olympus Bug Bounty through ImmuneFi, the Bug Bounty Management Team has received submissions which were high quality and of great use in improving Olympus’ codebase, but did not technically qualify for a Bounty under our existing tiers.
In order to provide an incentive for coders, both independent and within the DAO, to continue going above and beyond in finding areas where the codebase can be improved, we propose adding a flexible ‘improvement tier’ to be awarded at the Bug Bounty Management team’s discretion.

Proposal

Add the aforementioned language to the ImmuneFi Olympus Bug Bounty program, and authorize the Treasury to make payments of up to $18,636.20 ($16,942.00 * 1.1, as ImmuneFi charges a 10% fee on accepted submissions), not to exceed $55,908 monthly, on an as-needed basis in order to award appropriate submissions.

Polling Period

The polling process begins now and will end at 12:00 EST on 12/08/2022. After this, a Scattershot vote will be put up at 12:00 on 14/08/2022.

Poll
For: OIP moves to Snapshot vote.
Against: No further action.

For or against the OIP as proposed?

This poll has ended.

Thank you for putting this together!! Looking at the budgeting side of things, I think we should set it up on a yearly basis, similar to the audits budget of $500k per year, rather than a monthly cap; the monthly limit makes it seem more like a "use it or lose it" type of framework. Should the budget be higher than the budget for audits?

Can we amend the sentence in the text so it reads:
Note that this bounty is not available to Olympus contributors. Contributors should contact the Bug Bounty Management team directly for internal bounty review if they've found a bug or inefficiency that is within Olympus’ codebase but outside of their mandate as a contributor.

I am for this proposal, basically adding a small amount of flexibility into the bounty program, but being clear that the bar to qualify is very high.

I'm also for the revision to make it a yearly budget per @hOHMwardbound.

Always appreciate the attention to detail with the Bug Bounty program, ty for the contribution!! @hOHMwardbound's revision seems logical.

Re: budget between audits/bounties… I'll default to what the council/contributors see fit 👍

Seems like a good idea to encourage responsible disclosures.

Would it be possible to add into this OIP a transparency part, where whenever a bug bounty is paid out a public report is also made available on why and how much, so the community can audit?

Just want to voice support for the addition of this flexibility but otherwise have nothing more to add which has not already been commented. Well done Bugs Crew.