PTIP-78
Protocol security bounties
This proposal formalizes the security bounty program paid by the protocol. Furthermore, it authorizes PoolTogether Inc as the current acting authority for approving protocol security bounties.
Motivation
Maintaining a perfect security record.
Overview
Before the issuance of the POOL token, PoolTogether Inc established a bug bounty program for the smart contracts making up the protocol. PoolTogether Inc paid out one bounty that met the guidelines established by it.
The bug bounty program continues to exist today, but there was never a decision to clarify which entity is responsible for paying the bug bounties post-decentralization – PoolTogether Inc or the protocol?
The purpose of this post and vote is to clarify this.
Since the bug bounties are exclusively for the smart contracts that represent the protocol, PoolTogether Inc’s suggestion is that they should be paid for by the protocol (similar to how auditing is). For the time being, PoolTogether Inc can continue to be the vetting point for bug reports.
Our second suggestion is that the grants team’s funds be used to pay out the bug bounties. This is primarily because a rapid payout is important to satisfy and incentivize more security researchers. It doesn’t make practical sense to hold a vote for each bug bounty submitted. Additionally, the frequency of bounty payouts is highly varied (we have previously gone 1.5 years with no valid bounties submitted).
Specification
- Formally establish protocol ownership of the bug bounty program for smart contracts
- Authorize PoolTogether Inc as the approving authority for reported bug bounties
- Authorize the grants committee to pay out approved bug bounties
Status
Since this vote does not result in any on-chain action, a Snapshot vote has been set up. The same standard requirements will apply (100k quorum & majority in favor).