Hey everyone,
I'm Travin Keith, one of the Co-Founders of Immunefi, a bug bounty platform focused on crypto, and the platform where Synthetix and Yearn are, as mentioned by @Mark11. Nice to see discussions about having a bug bounty program! Really like the "Proof of Whitehat" NFT reward as well! I think it'll be a great way to maintain community recognition. Though some whitehat hackers like to remain anonymous, there are definitely those that appreciate recognition.
I think one thing to add as well is that a bug bounty program is not just a way to attract whitehats, but also a last-stand attempt to convince a blackhat hacker to disclose a vulnerability responsibly instead of exploiting the bug and stealing user funds. So it's important to keep this in mind when thinking about the rewards.
There seems to be some concern with regard to the reward amounts being too high, but I don't think that's too much of a problem because they're not paid out unless there's an actual vulnerability that could cause much more damage. What we do recommend though for large rewards is to have a scaling bug bounty, so that the reward is 10% of the economic damage. Having a hard cap for it is understandable, but having it high can be a great marketing strategy to attract more whitehats as well as the attention of blackhats. We just launched the bug bounty program for TheGraph today, which has $2.5m for critical vulnerabilities, the biggest one around crypto, and so the $3.3m one would definitely attract a lot of attention.
As for what @kschan mentioned about the loss of user funds, we'd call this critical as well as it would definitely be quite catastrophic if user funds were directly stolen. The 10% of economic damage factor would also be good here so that the reward properly scales with impact as well. That way if only $10m can be stolen, the reward would just be around $1m and not the full cap.
@proofofsteve I'd be happy to provide further feedback to you about structuring a bug bounty program, and would also be happy to discuss having the bug bounty program for OlympusDAO on Immunefi, joining other notable projects around the DeFi space. One big thing with us is that we are actively growing our whitehat community, both through our whitehat scholarship program, as well as through general outreach. It's been quite helpful as well that we've had two of the largest payouts for bug bounty programs - $800k and $700k - so bug bounty hunters are more confident that they can actually get rewarded on our platform, even if the numbers are significantly higher than on other platforms. Onboarding and maintenance are also free on our platform, on top of all of our advisory and promotional assistance 🙂 We just have a 10% performance fee. So if there are no bugs found at all, the DAO just pays $0.