TIP-059 Establish a Bug Bounty Program for thUSD

Dear Threshold Community,

As part of our commitment to maintaining the highest standards of security and reliability for the Threshold Network and its associated products, we are proposing the establishment of a public bug bounty program for the thUSD product that will be launched soon. This program aims to enhance the security posture of the network by incentivizing security experts to identify and responsibly disclose vulnerabilities.

Background:
Threshold Network has a history of successful audits by multiple third-party firms, as evidenced in the audits published on Threshold · About. Additionally, thUSD was successfully audited by the Cantina team, where the results are expected to be published soon. However, we believe it is essential to take further steps to fortify the security and reliability of this product.

Proposal Details:
We propose to collaborate again with Immunefi, a renowned web3 bug bounty platform, and our partner for the Threshold and tBTC Bug Bounty Program (see TIP-041 and Immunefi dashboard for Threshold).

This program would actively engage the white hat community in identifying security vulnerabilities within the thUSD product. The program is designed to encourage responsible disclosure, thereby enhancing the security of the network as a whole.

The reward structure needs to be designed by a work group of experts, so it will be subject to community and developer feedback, but can initially be expected to lie within this range:

  • Critical: Up to $100,000 in T tokens
  • High: Up to $10,000 in T tokens
  • Medium: Up to $1,000 in T tokens
  • Low: Up to $500 in T tokens

It’s important to note that these reward amounts are subject to the Total Value Locked (TVL) in the network. In the event that the TVL experiences substantial growth, these amounts can be revisited and potentially increased.

Benefits and Objectives:

  1. Enhanced Security: By leveraging the expertise of the white hat community, we aim to identify and address vulnerabilities in a proactive manner, safeguarding user assets and maintaining network integrity (see Guidelines and Rules).
  2. Responsible Disclosure: Encouraging responsible disclosure through the bug bounty program ensures that potential vulnerabilities are reported and addressed before they can be exploited maliciously.
  3. Community Engagement: The bug bounty program fosters a collaborative environment that aligns with the decentralized ethos of our network, encouraging active participation from community members and developers.

Bug Bounty Program Management:

The DAO contributors, with a special mention for the IG, have accumulated valuable experience through their involvement in the existing Bug Bounty program for Threshold. This program encompasses multiple assets within Threshold, as well as the tBTC product. This hands-on engagement has provided insights into the implementation and management of such initiatives.

Effective Bug Bounty Program management entails two key challenges: (1) the technical evaluation of bug reports and subsequent bug mitigation strategies, and (2) overseeing the financial allocation of the program, including payments to whitehat participants and Immunefi.

To tackle challenge (1), we advocate for the establishment of a committee composed of technical security experts. This committee’s role will encompass the prompt evaluation of reports and the formulation of tailored mitigation measures for the thUSD product.

For challenge (2), drawing from our past experiences, we propose that the initial phase of the thUSD program be overseen by the IG. We intend to allocate $100k in T tokens, allowing coverage for various minor incidents or a single major incident. Should these funds be exhausted, the IG will duly request additional funding from the DAO.

Feedback and Approval Process for this Proposal:

We value the input of our community and developers. Before moving this proposal to a snapshot vote, we invite your feedback on the proposed reward amounts, program structure, and any other related aspects. Your insights will contribute to the finalization of this initiative.

Please share your thoughts, suggestions, and concerns in response to this proposal. Your feedback can be provided on this forum thread or during community meetings.

6 Likes

Operationally, will this bug bounty live inside the existing Immunefi dashboard or a separate one? Why different rewards parameters than the existing Threshold bounty program?

3 Likes

Thanks for the questions. This has been debated in the IG calls but should also be presented here.

The intention is that this bug bounty program exists in parallel to the Threshold Immunefi program, but completely independent of it. This means that we have separate teams for each program:

  • We have a separate security experts workgroup, capable of assessing the bug reports specific to thUSD and responding to them in a timely manner.
  • We have a separate dashboard, so there is no exposure to sensitive information between the products and the different teams
  • We reduce the amount of emails and notifications, so each product team will only receive the information concerning them.
  • The reward parameters for thUSD bug bounty can be discussed before its launch and the feedback is really welcome here. In our syncs, we envision thUSD having a steady growth as tBTC’s TVL increases. The initial rewards for the bug bounty can be raised as TVL increases. I’d appreciate any contributions to this topic, to establish adequate parameters for this program @Eastban @EvandroSaturnino @sap @ben @Naxsun.

6 Likes

Thanks for the clear outline @Luna5; this is an essential program and a high priority for thUSD launch. @Naxsun and you lead the tBTC program incredibly well, and I believe this one will be delivered to an equally high standard.

Lower reward parameters make sense while TVL is low, and can be adjusted as it increases. For this reason, the sooner the program is live, the better.

re challenge (1), I would recommend (but not exclusively), @EvandroSaturnino, @Agoristen and @ben for technical review committee, if so willing.

re challenge (2), the IG has demonstrated its capacity to manage the payments required for this program, as well as coordinate with the technical review committee, from the tBTC program.

5 Likes

Thank you for this well-structured bug bounty proposal for the thUSD @Luna5. The choice to continue our collaboration with Immunefi seems sound. I also support the reward model tied to the TVL, offering flexibility and scalability as the network grows.

As per @sap’s recommendation, I would gladly accept the role of participating in the technical review committee. I’m ready to contribute to assessing the reports and helping to mitigate the reported bugs. I see value in moving forward with this proposal and am interested to see how it will unfold.

5 Likes

This is a great summary and overview @Luna5 and captures all that has been discussed in the IG perfectly. Thank you for leading this!

As discussed, one detail on Immunefi’s side is that they have a minimum reward amount of $1000. I therefore propose to either eliminate the ‘low impact’ category or bump its reward amount to $1000.

I have no strong preference between the two options. Since it’s a new product, we could consider starting by including low impact bugs as well, and eventually remove those from scope.

4 Likes

This proposal has passed a Snapshot vote with the following results:

Results:

  • Approve: 479M T - 100%
  • Disapprove: 0 T - 0%

And the program subsequently launched October 5th, 2023. This program is now managed and overseen by the DAO’s PM and the Integrations Guild.

1 Like