Threshold Network, and its applications (PRE and tBTCv2), have been audited by multiple third party firms. The audits are published on (Threshold · About) and we understand that a second audit of tBTCv2, with Trail of Bits, will be published soon.
However, given the recent launch of tBTCv2’s Chaosnet 0 and the upcoming launch of minting in January, it is our responsibility to take further steps to improve the networks’ security posture. We propose establishing a public bug bounty on Immunefi (Immunefi Bug Bounties | Immunefi), a popular web3 bug bounty platform.
A credible bug bounty program will attract additional security reviews from the white hat community and incentivize responsible disclosure of security vulnerabilities, which is especially topical given the severity of recent bridge-related security vulnerabilities.
We propose an initial schedule below, and request community and developer feedback on the amounts prior to moving this to snapshot:
Critical: Up to $500,000 in T tokens
High: Up to $50,000 in T tokens
Medium: Up to $5,000 in T tokens
Low: Up to $500 in T tokens
If tBTCv2 achieves an extremely high TVL, these amounts can be revisited and increased.
Agreed on the benefits of this, and thanks for proposing this @Mr_T
These are of course high numbers, but I believe this is common. It also needs to be seen in the light of potential impact.
No bugs found → no cost
Bugs found & fixed → cost. But also protecting Product & Project reputation & Users with potentially much higher value.
I have no experience on platforms and height of bounties, and hope the developer Contributors are able to share their thoughts here.
I don’t know if this is already defined, or if this is already planned to work on by others.
If not: I would be able to take charge on listing out a process: e.g. how is a bug reported, to whom, triage & categorization (critical, high etc), patching, disclosure, post mortem, Immunefi (or other) onboarding etc.
Would of course need to strongly rely on inputs of the experts here, but would be able to tie the pieces together.
Also would like to note that I have no experience here, so there could be more qualified people.
Thanks, @Mr_T. I agree this is important to establish. Andreas Antonopoulos made a point in an interview years ago that has stuck with me (paraphrasing): you know a system is secure when there is a large financial incentive to hack it and no one succeeds. If we have a vulnerability our audits didn’t catch, we don’t want to find out the hard way, as this could severely damage the Threshold brand.
These incentives look reasonable to me, but will defer to others with more experience with bug bounties on the question of the amounts to offer.
GM @Mr_T !
I would like to invite you, or a representative of yours, to an Integrations Guild meeting in order to define a strategy for the execution of this proposal.
Meetings are held in Discord in the Hangout voice channel, Tuesdays at 1pm ET.
If you are not able to join a call, or prefer to discuss this async, please drop us a message at the Integrations Guild channel, where we will create the appropriate infrastructure to execute the proposal.
It appears Discord as a platform is requiring phone number verification, and it was not the Threshold server. In the interest of making progress, let’s continue the conversation here until we’re able to come up with a solution.
Thanks for taking the time to create this proposal @Mr_T !
What in your mind is the next step now that it has been approved by the DAO? Would you like to take the lead on establishing the Immunefi program, or should this be initiated by the TIG? We are excited to have you in our community and look forward to the future!
Apologies for the late response. One other thing to add here is that auditors who have worked on the protocol should not be eligible for a bounty. I echo @Naxsun’s sentiment on clearly defining how bugs are reported and who determines the severity.