Written by @Crypterist @Nakamomo
Background & Problem
Bugs are an inevitable part of developing new software. Today, Inverse relies on internal and volunteer members of the DAO for software development, and our internal quality assurance (QA) process should also include a way to draw on contributors who specialize in finding security-related bugs. Keeping this QA work entirely in-house carries a high opportunity cost for our engineering team and would still require recruiting or building specialized capability. One crypto-industry norm is to offer incentives to whitehat researchers to encourage them to test Inverse's smart contracts and other code for security vulnerabilities.
Bug Bounty Incentive Programs
A common approach to hardening smart contracts and other open-source software at crypto DAOs is a bug bounty program. A bounty hunter studies our code and business from an adversarial perspective, using their own tools and techniques to identify vulnerabilities in exchange for a reward (the bounty). Third-party platforms offer secure bug-reporting processes (e.g. Immunefi.com, which takes a 10% fee). The size of a reward is based on the severity rank of the reported vulnerability.
Benefits Of A Bug Bounty Program
- Identify security-related bugs in a collaborative, friendly manner with white hat researchers
- Highlights Inverse's commitment to both security and transparency
- "Checks a box" for partner and investor due diligence
As we aspire to grow to 1 billion DOLA in circulation in 2022, emphasizing our commitment to mitigating risk is of paramount importance.
Costs of a Bug Bounty Program
Bug bounty rewards vary across DAOs. For example:
Bug Severity Examples:
The following two links give helpful information on risk rating and severity ranking of vulnerabilities: https://owasp.org/www-community/OWASP_Risk_Rating_Methodology https://immunefi.com/severity-updated/
Managing a Bug Bounty Program
There are 3 Goals for this proposal.
We will employ a third-party vendor for bug bounty services, with the following reward-rate guidelines:
| Severity | Critical (DAO vote) | High | Medium |
We consider bug bounties a lasting complement to any in-house security audit capability that Inverse Finance develops.
We request an allowance of up to $25,000 in DOLA for 2022 to pay low- and medium-severity bug bounties from a SecOps multisig wallet. Rewards for high- or critical-severity bugs will require a separate funding mechanism (e.g. Treasury reserves), requested case by case and subject to a GovMills vote. Payouts to white hats and vendors will be documented as Security Advisory Services so that we do not signal details of adversarial attacks to malicious actors.
List of Smart Contracts Eligible for Bug Bounty Program:
Other applications eligible:
Items that are explicitly excluded from the bug bounty program:
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program: