An enacted binding governance proposal authored by Nacho moves the financial responsibility of the bug bounty program to the Decentraland DAO, while operational responsibility rests with the Decentraland Foundation.
In layman's terms, the Decentraland Foundation triages disclosures and decides the order in which they are addressed, while the DAO pays the reward and publishes the payment openly in the name of greater transparency.
Bug bounty programs have seen incredible success within the crypto space. They invite white hat hackers (ethical security researchers who seek to identify vulnerabilities before they can be exploited) to examine contracts for weaknesses. Exploits cost the space billions of dollars in 2022, and having a bug bounty helps prevent a project from falling into ruin because of a defect in a smart contract.
The Decentraland DAO owns the smart contracts and leads the development of the Decentraland protocol, so an effective bug bounty program naturally aligns with its goals.
This proposal came from the Security Advisory Board (SAB), five Solidity experts selected by the Decentraland development team. The motivation for keeping operational responsibility with the Decentraland Foundation is that the Foundation can react far more quickly than the DAO, and when it comes to potential exploits, speed is essential.
The bounty tiers are as follows:

Severity   Reward
High       Up to USD 500,000
Medium     Up to USD 20,000
Low        USD 1,000

Websites and Applications
Severity   Reward
Critical   USD 18,000
High       USD 6,000
Medium     USD 3,000
Low        USD 1,000
This proposal aims to keep Decentraland secure, and security will always be a cost of successful operation, particularly in Web3.
Decentraland DAO member ckbubbles questioned why the proposal was submitted as a governance proposal rather than a grant proposal:
Before this gets passed — I would like to call attention to this being a governance proposal and not a grant proposal, meaning once it is approved, it is binding forever, as I understand. I am curious to know the allocation of funds and if there are caps per year?
Proposal author Nacho responded, stating broadly that the DAO can alter its decision and implement a change:
The DAO won't be forced to pay rewards if they consider that the treasury is being compromised. It is hard to estimate how many reports we are going to have and pay, but we are conscious that every development must be audited until it goes to production. I think that if we start having too many valid reports per day, we will need to slow down the development and improve the quality. How can we mitigate this? I believe that the DAO will stop sending the funds and raise its voice to have a better development process.
Overall, the DAO taking on financial responsibility for bounties marks an advancement for the security of Decentraland and the transparency of the reward program, and it was clearly welcomed by DAO members, as the proposal passed unanimously. Also, as Nacho noted, the outflow of funds to bounties will give developers a better gauge of the quality of their work.