Bug Bounty Program

Patchy319 · December 12, 2021, 6:29pm

The security of our funds is important. Incentivizing white-hat hackers to review our system for vulnerabilities is one way we can contribute to our security. Obviously, we do this by offering them rewards specifically put aside for such discoveries.

If a pool of funds did not exist for this, security experts who discover a vulnerability might use the vulnerability for their own reward: instead of reporting it and receiving nothing in return.

We should put aside some portion of the treasury’s income towards these bug discoveries, in the form of MIM.
The reward should be based on the severity of the vulnerability and what funds it provides access to.
Perhaps we could do a max of $1,000,000 for really severe exploits that allow access to funds.
and $250,000 max for other exploits that don’t affect funds.

Additionally, we should commemorate and serve recommendation letters to individuals who have discovered vulnerabilities in TIME through our Bug Bounty Program.

Feel free to comment below your suggestions and comments
Perhaps a name for it?

James · December 12, 2021, 6:30pm

100% on board with this. We should get an audit too.

JoshuaRom · December 12, 2021, 6:59pm

I completely agree. This would create more confidence on the protocol. Besides, It’s always a good idea to support White Hat hackers. We all owe a lot to them.

pbrelin · December 12, 2021, 7:40pm

Yes, yes and yes. There is no use in being in the crypto space, build wealth only to see it go into the pockets of the most despicable and despised humans on the planet.

My understanding is that the OHM protocol was audited which would equate to Wonderland being indirectly audited. I also heard Wonderland is working on it’s own audit. Can anyone confirm that.

White hat funding is very important in this space.

Handerllon · December 12, 2021, 7:42pm

Not sure about the amounts payed out for vulnerability found, but totally agree in getting a bounty program for the project.

For reference, the usual max payout for issues such as RCE (Remote Code Execution, the worst of the issues in a classical site) is around $20.000.

Of course the amount of money being handled around a DeFi project is much different than a usual site. Numbers ranging from $20.000 to $200.000 sound more appropiate I think. That’s what I’ve seen in other DeFi bounty programs I’ve seen around.

malagacity · December 12, 2021, 8:05pm

100% agree with this proposal, the quantities might be too much but love the idea

Covey_Trower · December 13, 2021, 12:44am

I’ve already seen youtubers come out and say their Time has been hacked.

In my opinion, this should be a top priority to mitigate FUD and keep investors safe.

zoom · December 13, 2021, 12:51am

Great idea, important and could be implemented relatively quickly.

ccalax · December 13, 2021, 11:04pm

This is crucial, we need to implement asap something like this.
@Handerllon Totally agree with you, for me the payout should be in the range of 30.000 MIM to 350.000 MIM like other bug bounty programs (microsoft, google ecc.)

LC

klgnoob2021 · December 13, 2021, 11:31pm

100% Agree. With so many hacks happening, this should be a priority. It should always be a priority.

chip.ritchles · December 14, 2021, 2:56pm

they’ve been “hacked” because of their own bad security protocols…nothing related to WL or it’s code

0xHedgehog · December 14, 2021, 6:45pm

Already started: Wonderland – Paladin Blockchain Security

0xHedgehog · December 14, 2021, 6:49pm

Considering that this is crypto, I would propose that the bounty should be tiered based on severity.

If it’s a “empty the treasury” kind of vulnerability, I would argue that we should have a percent of the treasury as the reward (pending a community Snapshot vote to award the bounty). Otherwise, I think 30.000 MIM - 350.000 MIM is reasonable so long as it’s scaled based on severity.

sneakerwars · December 15, 2021, 4:53am

I propose $100K minimum and $5M for big exploits to encourage good programmers. Paying well encourages and retains the top developers and this is a strategy used in big tech FANG.

@Patchy319 How do you propose bug submissions?
Perhaps encouragement to develop defi apps with wonderland with big payouts?

Corum · December 16, 2021, 7:08am

Has anyone got an idea how this it done on Popsicle?

Patchy319 · December 17, 2021, 2:21pm

Bug Bounty Program RFC has been submitted and is currently pending mod approval.

GREED · December 22, 2021, 2:06am

Listen i agree with this stuff bte the amount your sugesting is insane and will atract bad people very fast we want the withe hats yes bte if we do this all the bug bounty comunity will start talking about this is good in a way bte to much attention will lead to bad stuff especialy wen it commes to bug bountys and hackers its just a point of view

note : i just got bited by a spider for some reason will tryping this if i die well shit its to bad i gues any ways sorry for my bad english

GREED · December 22, 2021, 2:09am

i dont get it allot bte i suggest we get our own team of hackers To do this stuff and they must be knowen because if they found a sever bug its the crypto world who told you there not going to take it all

Skrilla · December 22, 2021, 3:29am

Great idea, Sounds like a cheap way to stay secure rather then loosing everything.

WonderlandTeam · January 18, 2022, 5:52pm