OIP-38: Formalize Partnership with ImmuneFi for the Bug Bounty Program

Summary

This proposal will list the two tiers of the Olympus Bug Bounty (as described in OIP-17 and OIP-34) on ImmuneFi, and authorize Immunefi to vet Proof of Concept submissions to be in turn forwarded to the Bug Bounty Management Team. This will also include paying ImmuneFi a 10% fee on each bounty claimed through their platform.

Motivation

Who is ImmuneFi: ImmuneFi is a community of white hat developers who actively look for bugs and exploits in return for preapproved bounties. They provide a secure and private system for bug identification and submission as well as services in vetting and quantifying submitted bugs and suggested fixes, and are trusted by protocols such as The Graph, Tokemak, Sushiswap, and Arbitrum.

How they Can Help: In OIP-17 the Bug Bounty program was handed over to Strategos for implementation; however, OIP-17 lacked specifics on who should implement it, how they should do so, and how they would be compensated for doing so. Accordingly, while the Bug Bounty does officially exist, there has been no serious coordinated effort to market it and it remains largely unknown to the white hat community. A recent project proposal was passed placing Proof of Steve and Zayen X in charge of the program to expedite submissions and marketing efforts. However, both Proof of Steve and Zayen X believe that in addition to fielding direct submissions from Ohmies, working with ImmuneFi will be advantageous for the program in that it will put the Olympus Bug Bounty in front of hundreds of experienced white hats and provide it with much needed publicity and a ready-to-go SOP for bug/vulnerability intake.

Proposal

  • Authorize Proof of Steve to post the Olympus Bug Bounties on Immunefi.com.

  • Adopt the ImmuneFi → Management Team bug submission intake process disclosed within the previously approved project proposal placing Proof of Steve and Zayen X in charge of the Bug Bounty program. (Intake Process SOP:

    1. A whitehat submits a vulnerability/exploit and suggested fix to Immunefi, formatted as a PoC.

    2. Immunefi vets the PoC.

    3. Immunefi approves/denies the PoC.

    4. If the PoC is approved, Immunefi submits the PoC to the Management team.

    5. Management approves/denies the PoC.

    6. If approved, Management mints the NFT, rewards the white hat the bounty and NFT, and pays Immunefi.

    7. Management creates the fix bounty.

    8. Fix hired out to whitelisted OHM dev or trusted third party.

    9. Fix submitted to management for vetting.

    10. If fix approved, fix is implemented by dev from step 8/Zayen X, and the bounty is paid.

    11. Awarding of bounties and NFTs is announced through formal channels.)

  • ImmuneFi charges a 10% fee for any bounty awarded through its platform in return for its organizational and PoC vetting services (for example if a bounty of $100 was claimed through ImmuneFi, they would charge an additional $10 fee). This proposal will greenlight the additional payout of that fee to ImmuneFi for any bounties claimed through them.

Polling Period

The polling process begins now and will end at Noon UTC on 22/10/2021. After this, a Scattershot vote will be put up at Noon UTC on 23/10/2021.

Poll

For: If the proposal is approved Proof of Steve is authorized to post the Olympus Bug Bounties on Immunefi, the intake processes disclosed in the ‘proposal’ section will become the official ImmuneFi PoC intake SOPs for the Bug Bounty proposal, and additional payments to ImmuneFi per their 10% fee policy will be greenlit.

Against: If this proposal is rejected none of the above actions will be taken and no changes will be made.

For or Against the Outlined Proposal


    Smart contract and security of protocol should be no. 1 priorities for the whole community!

    Happy to be working with ProofofSteveGM and the rest of the Olympus folks on this OIP! Looking forward to further securing the Olympus ecosystem with our community of whitehats 😎

    Let’s ride - love the two sided marketplace here

    Yep. We want to know if there are bugs!

    Good proposal, I'm in favor of it! Immunefi looks like a good platform.

    ProofofSteveGM If approved, Management mints the NFT, rewards the white hat the bounty and NFT, and pays Immunefi.

    So the whitehat will be rewarded for just providing the POC? You added this subsequently:

    If fix approved, fix is implemented by dev from 8/Zayen X, and the bounty is paid.

    Does this mean the bounty will be split into two parts: the POC and the actual fix?

      kschan

      Yes, the 'bug bounty' does not include implementing a fix, though if you submit through immunefi you are required to provide a suggested fix. The actual process of developing and implementing that fix is hired out separately. This process is not detailed in an OIP, but in the project proposal Zayen and myself passed recently.
      We did discuss with the guys at Immunefi requiring a fix to be implemented, but ultimately that cuts down on the number of devs who could contribute pretty significantly and it was decided that's best left to in house Ohmie engineers.
