We are expanding our ongoing commitment to the Inverse bug bounty program by creating a new vault on the ImmuneFi platform and pledging 43,000 DOLA to bootstrap initial rewards. This decision comes after a comprehensive review of the current state of various host platforms. ImmuneFi is the leading bug bounty and security services platform for web3, guarding tens of billions in users’ funds across projects like MakerDAO, Polygon, Chain, Arbitrum, Lido, Stacks, Optimism and many more.
The collaboration between Inverse Finance and ImmuneFi will see Inverse make use of ImmuneFi's latest Vault System, introduced on September 26. This system allows projects to deposit assets into their own sovereign vault, demonstrating a dedicated fund for paying out bug bounty rewards and thus addressing a critical concern in the web3 space: the assurance of sufficient funds for rewarding white hats. This move is in line with Inverse Finance’s ethos of maintaining the highest standards of security and trust building with security researchers.
The Bounty Program: A Closer Look
As Inverse Finance ventures into new frontiers of DeFi, the security and integrity of our systems remain our utmost priority. This is where our Bug Bounty Program steps in, not just as a measure of defense, but as a testament to our commitment to community collaboration and technological resilience. At the heart of this initiative is a substantial reward pool. We have earmarked up to 50,000 DOLA for critical vulnerabilities discovered within our systems. All rewards for the discovery of vulnerabilities will be made in USDC.
The concept of responsible publication is integral to our Bug Bounty Program. We adhere to a policy of 'notice required' for the disclosure of information from submitted bug reports. This policy is designed to strike a balance between transparency and security, ensuring that vulnerabilities are addressed effectively without undue public exposure that might compromise platform integrity.
In assessing the submissions, our approach is guided by the principle of 'Primacy of Impact'. This means that we focus on the potential impact of a vulnerability rather than just the specific asset involved. It’s an approach that encourages a comprehensive view of platform security, inviting reports on all impactful vulnerabilities and not just those tied to high-profile assets. This principle is pivotal in ensuring that our platform remains robust against a wide spectrum of potential threats.
To ensure that submissions are both credible and actionable, we require a Proof of Concept (PoC) for each reported bug. These PoCs must comply with Immunefi’s guidelines, providing a clear and demonstrable case of the vulnerability. This requirement is more than a procedural step; it's a quality control measure that helps us quickly assess, address, and remediate the issues.
We are also committed to providing Known Issue Assurance. This means that we will either disclose known issues publicly or address them through self-reported bug submissions. It's a commitment that reflects our transparency and helps to streamline the mediation process, ensuring objectivity and efficiency in how we address reported issues.
Previous audits and their findings play a crucial role in our Bounty Program. All completed audit reports are accessible on our website, providing a transparent record of our security journey. However, it’s important to note that vulnerabilities already identified in these audits are not eligible for additional rewards. This policy is in place to encourage fresh, forward-looking security research that builds on past learnings and strengthens our defenses against evolving threats.
Finally, we acknowledge that real-world feasibility can sometimes differ from theoretical vulnerabilities. Our program takes into account the practical aspects of executing an attack and the potential for mitigation measures when evaluating bug reports. This realistic approach ensures that our security measures are not just theoretically sound but are robust and effective in the practical, ever-evolving landscape of decentralized finance.
Stay tuned for more!