This post is aimed to open a discussion about our Bug Bounty processes and the ownership of the different tasks and steps involved in it.
Our Bug Bounty program was approved by the DAO in TIP-041, (Snapshot vote). The DAO, for the purpose of creating a Bug Bounty program, choose to partner with Immunefi. This program was established in Q1, 2023 and officially launched April 28th, 2023. You can visit our program dashboard with Immunefi here: https://immunefi.com/bounty/thresholdnetwork/
From its inception, Threshold’s Integrations Guild Committee was set to own the task to launch and manage the program. During these initial months, several Threshold contributors, the IG and the PM have worked with the Immunefi team to adjust and update the program, introducing lessons learned from the many use cases we have discovered as we go.
Now, as we consolidate our knowledge, we need to step back and create an internal process for us to follow that conveys all these lessons learned, and that makes us all more efficient when dealing this this program:
Point 1 for discussion: the creation of a Threshold subcommittee of experts, to handle economic assessment with the whitehat hackers, once a bug report has been validated and the impact and severity of the bug have been classified and confirmed. As you can see in our program, each impact has reward range according to the severity and the aim of the threat, the role of this subcommittee would be to assess the exact bounty for each case.
Point 2 for discussion: Payment execution and holding of funds. As you can see in our Immunefi dashboard, rewards range from $1000 to $500K. We need to earmark funds for paying small bounties and we also have to contemplate the bigger expenses. An earmarked budget can remain within the ownership of the IG, the TG or the Threshold Council, to cover the bounties marked low-medium-high, but we need to decide on the selected body to hold the funds.
Point 3 for discussion: a possibility to better manage our funds for the higher bounties is introducing an on-chain ratification process to pay critical bug reports that range from $100K to $500K. In this scenario, it would the DAO who makes the payment transfer, instead of maintaining a high amount of funds in one of our Threshold Guilds or Council. This proposal contains a double challenge: (1) the transfer needs to be ratified by the DAO, where our delegates need to agree to vote unanimously to support the transfer payments, which have been agreed beforehand as part of the Immunefi program. (2) the introduction of our on-chain governance delay exceeds the standard SLA time that Immunefi establishes for all bounties, and we would need to make this explicit as part of our Bounty Program, with the disadvantages it may bring.
I would love to hear from our many contributors on these topics, and learn what would be the best way to continue working with the Bug Bounty. Thanks a lot!