I would agree - since the risk of a crit on our most valuable exploit is theoretically unbounded in terms of EV for a hacker, we should have a very compelling bug bounty for crits. Typically, to find the right number you have to weigh the two options subjectively:
Option 1: Exploit the Vulnerability
Value Captured: >50% of the Mkt_Cap(TBTC)
Cons: This money has to be cleaned. This is challenging and, outside of Lazarus Group, can be a huge deterrent.
Option 2: Redeem the Bug Bounty
Value Captured: Value(Bug Bounty)
Cons: If the protocol determines it is not a critical bug, the reporter can lose a lot of money. Notably, protocols have a conflict of interest when assessing a bug and historically have “sandbagged” severity ratings. I address a remediation for this later on.
Size: Either “$500,000+” as Maclane stated or $1,000,000 flat for a critical finding.
Rationale: $1,000,000 is a significant enough bounty to motivate a gray-hat.
Criteria: A vulnerability that puts all TBTC funds at risk
High Severity Findings
Size: Either $50,000 or $100,000
Criteria: A vulnerability that puts some TBTC funds at risk
Size: No rewards.
Rationale: Small bugs that don’t put funds at risk are simply not a concern and thus not worth rewarding.
Currency: I propose that we pay out in DAI, TBTC, or ETH.
What to do with the money?
This will be a liability for the DAO, essentially a “Notes Payable” in perpetuity. We will need to keep it on hand and easily retrievable. We should have some wiggle room here, though. I suggest that we keep 50% at all times in protocol-owned liquidity so that it is active and generating some yield.
Mitigating the Conflict of Interest
We should have clear and unbiased guidelines to determine the severity of a finding. I suggest a technical lead from Keep Co and Nu Co and an independent and qualified third party, such as @michwill, serve as judges for findings. They should be compensated some amount for their time if they are willing to provide the service. I’d suggest $5k in T tokens to each.