Summary
This proposal will list the two tiers of the Olympus Bug Bounty (as described in OIP-17 and OIP-34) on ImmuneFi, and authorize Immunefi to vet Proof of Concept submissions to be in turn forwarded to the Bug Bounty Management Team. This will also include paying ImmuneFi a 10% fee on each bounty claimed through their platform.
Motivation
Who is ImmuneFi: ImmuneFi is a community of white hat developers who actively look for bugs and exploits in return for preapproved bounties. They provide a secure and private system for bug identification and submission as well as services in vetting and quantifying submitted bugs and suggested fixes, and are trusted by protocols such as The Graph, Tokemak, Sushiswap, and Arbitrum.
How they Can Help: In OIP-17 the Bug Bounty program was handed over to Strategos for implementation; however, OIP-17 lacked specifics on who should implement it, how they should do so, and how they would be compensated for doing so. Accordingly, while the Bug Bounty does officially exist, there has been no serious coordinated effort to market it and it remains largely unknown to the white hat community. A recent project proposal was passed placing Proof of Steve and Zayen X in charge of the program to expedite submissions and marketing efforts. However, both Proof of Steve and Zayen X believe that, in addition to fielding direct submissions from Ohmies, working with ImmuneFi will be advantageous for the program in that it will put the Olympus Bug Bounty in front of hundreds of experienced white hats and provide it with much needed publicity, and a ready-to-go SOP for bug/vulnerability intake.
Proposal
Authorize Proof of Steve to post the Olympus Bug Bounties on Immunefi.com.
Adopt the ImmuneFi → Management Team bug submission intake process disclosed within the previously approved project proposal placing Proof of Steve and Zayen X in charge of the Bug Bounty program.
(Intake Process SOP: A whitehat submits a vulnerability/exploit and suggested fix to Immunefi, formatted as a PoC.
Immunefi vets the PoC.
Immunefi approves/denies the PoC.
If the PoC is approved, Immunefi submits the PoC to the Management team.
Management approves/denies the PoC.
If approved, Management mints the NFT, awards the bounty and NFT to the white hat, and pays Immunefi.
Management creates the fix bounty.
Fix hired out to whitelisted OHM dev or trusted third party.
Fix submitted to management for vetting.
If fix approved, fix is implemented by dev from 8/Zayen X, and the bounty is paid.
Awarding of bounties and NFTs is announced through formal channels.)
ImmuneFi charges a 10% fee for any bounty awarded through its platform in return for its organizational and PoC vetting services (for example if a bounty of $100 was claimed through ImmuneFi, they would charge an additional $10 fee). This proposal will greenlight the additional payout of that fee to ImmuneFi for any bounties claimed through them.
Polling Period
The polling process begins now and will end at Noon UTC on 22/10/2021. After this, a Scattershot vote will be put up at Noon UTC on 23/10/2021.
Poll
For: If the proposal is approved Proof of Steve is authorized to post the Olympus Bug Bounties on Immunefi, the intake processes disclosed in the ‘proposal’ section will become the official ImmuneFi PoC intake SOPs for the Bug Bounty proposal, and additional payments to ImmuneFi per their 10% fee policy will be greenlit.
Against: If this proposal is rejected none of the above actions will be taken and no changes will be made.