Dear Threshold Community,
As part of our commitment to maintaining the highest standards of security and reliability for the Threshold Network and its associated products, we are proposing the establishment of a public bug bounty program for the thUSD product that will be launched soon. This program aims to enhance the security posture of the network by incentivizing security experts to identify and responsibly disclose vulnerabilities.
Threshold Network has a history of successful audits by multiple third-party firms, as evidenced in the audits published on Threshold · About. Additionally, thUSD was successfully audited by the Cantina team, where the results are expected to be published soon. However, we believe it is essential to take further steps to fortify the security and reliability of this product.
We propose to collaborate again with Immunefi, a renowned web3 bug bounty platform, and our partner for the Threshold and tBTC Bug Bounty Program (see TIP-041 and Immunefi dashboard for Threshold).
This program would actively engage the white hat community in identifying security vulnerabilities within the thUSD product. The program is designed to encourage responsible disclosure, thereby enhancing the security of the network as a whole.
The reward structure needs to be designed by a work group of experts, so it will be subject to community and developer feedback, but can be initially expected to lay within this:
- Critical: Up to $100,000 in T tokens
- High: Up to $10,000 in T tokens
- Medium: Up to $1,000 in T tokens
- Low: Up to $500 in T tokens
It’s important to note that these reward amounts are subject to the Total Value Locked (TVL) in the network. In the event that the TVL experiences substantial growth, these amounts can be revisited and potentially increased.
Benefits and Objectives:
- Enhanced Security: By leveraging the expertise of the white hat community, we aim to identify and address vulnerabilities in a proactive manner, safeguarding user assets and maintaining network integrity (see Guidelines and Rules).
- Responsible Disclosure: Encouraging responsible disclosure through the bug bounty program ensures that potential vulnerabilities are reported and addressed before they can be exploited maliciously.
- Community Engagement: The bug bounty program fosters a collaborative environment that aligns with the decentralized ethos of our network, encouraging active participation from community members and developers.
Bug Bounty Program Management:
The DAO contributors, with a special mention for the IG, have accumulated valuable experience through their involvement in the existing Bug Bounty program for Threshold. This program encompasses multiple assets within Threshold, as well as the tBTC product. This hands-on engagement has provided insights into the implementation and management of such initiatives.
Effective Bug Bounty Program management entails two key challenges: (1) the technical evaluation of bug reports and subsequent bug mitigation strategies, and (2) overseeing the financial allocation of the program, including payments to whitehat participants and Immunefi.
To tackle challenge (1), we advocate for the establishment of a committee comprised of technical security experts. This committee’s role will encompass the prompt evaluation of reports and the formulation of tailored mitigation measures for the thUSD product.
For challenge (2), drawing from our past experiences, we propose that the initial phase of the thUSD program be overseen by the IG. We intend to allocate $100k in T tokens, allowing coverage for various minor incidents or a single major incident. Should these funds be exhausted, the IG will duly request additional funding from the DAO.
Feedback and Approval Process for this Proposal:
We value the input of our community and developers. Before moving this proposal to a snapshot vote, we invite your feedback on the proposed reward amounts, program structure, and any other related aspects. Your insights will contribute to the finalization of this initiative.
Please share your thoughts, suggestions, and concerns in response to this proposal. Your feedback can be provided on this forum thread or during community meetings.