TIP-041: Establish a bug bounty program

Sorry, dropped off at the end of the call.

I think that the funds denominated for the bounty should be put to work in protocol-owned liquidity. Like John said in the call, it’s definitely worth thinking about the possibility that multiple critical findings are claimed, and IMO it’s important to launch the bug bounty as soon as possible. So I’d recommend setting the bounty at $500,000, then increasing this as time goes on if none are claimed.

So adding to a liquidity pool a nominal amount of $1,000,000 then half can be withdrawn for any bounties (I believe someone mentioned there is some time flexibility for paying out) could be a beneficial solution.

Also, it may be worth putting a non-typical amount down, i.e. $525,000, as it bumps Threshold up from page 9 at $500k to page 6 at $525K on the Immunefi explore bounties page.

2 Likes

I am in support of this proposal and consider this an essential initiative.

Reward Size
MakerDAO has an excellent example of a bug bounty, with hard caps in place depending on the severity of the bug, and payouts capped proportional to economic damage (see "MakerDAO Bug Bounties | Immunefi").

I suggest that we take a similar sliding scale approach to payable rewards, proportional to the assets at risk, with a minimum payout. This keeps our liability proportional to TVL.

If we compare to existing bug bounties, $1M hardcap for critical bugs seems appropriate based on current protocol TVL.

We can adhere to Immunefi’s vulnerability classification where possible (see "Immunefi Vulnerability Severity Classification System - v2.2").

Alignment of DAO goals
I believe we have an opportunity to address three DAO goals at once: bug bounty, treasury diversification and tBTC TVL/POL.

If we offer bounty payouts in a stablecoin (ideally thUSD) and tBTC, we have an incentive to accumulate $1M (amount pending) of thUSD/tBTC liquidity. This liquidity can be set aside to permanently offset the bug bounty liability, whilst earning fees/rewards.

If the DAO accumulates WBTC, we can coordinate with a trusted third party to swap for newly minted tBTC, which we can use in the liquidity pool, and as backing for the bug bounty, thus increasing tBTC TVL while supporting our other goals.

4 Likes

tBTC v2 Curve LP tokens are a great target for POL!

2 Likes