In July 2021, Immunefi submitted a grant application to request funding and create a bug bounty matching program to incentivize whitehat disclosures for critical threats and prevent claimable events.
Now that the mutual has matched a $200,000 bounty for a critical vulnerability disclosure, members need to determine if the program should continue, receive additional funding, and if any adjustments should be made to the terms of the program.
In a previous Request for Comment (RFC) post, I provided a review of the program, outlined the benefits, and sought out comments from the community. Members will find the proposal below and an overview of the suggestions offered during the review period.
While the program started with a maximum cap on payouts at $200k, there is a cost effective benefit to incentivize critical disclosures for protocols with a certain level of active cover within the mutual. The proposed changes are included below and expanded upon further in the next section.
Increasing maximum cap on total payouts from $200k to $600k.
Whitelist any project with greater than $2m in active cover.
Adjust matching amount from $1 in matching for every $1 offered as a critical bug bounty (1:1) to $0.50 in matching for every $1 offered as a critical bug bounty (0.5:1) to incentivize projects to offer larger bug bounties.
This proposal seeks a renewal of the Immunefi Matching Bug Bounty Program with the following requirements and terms:
Projects with an active bug bounty program on Immunefi.
Provide matching for bug bounties with a critical threat level rating.
Cap maximum total payouts at $600k but allow matching up to $600k for projects with greater than $8m in active cover; for projects with active cover between $2m and $8m, the matching bounty will be capped at $200k per bounty payout.
Matching ratio will adjust from $1 in matching for every $1 offered as a critical bug bounty (1:1) to $0.50 in matching for every $1 offered as a critical bug bounty (0.5:1)–this will create a greater incentive for projects to increase the size of their critical bounty payouts, so long as there is demand for cover on Nexus Mutual.
Matching bug bounty payouts deliver cost effective value to members when the matching payout is less than potential claim payouts on a certain percentage of a project’s active cover amount.
Not all loss events lead to a 100% claim rate. While data on past claim events is thin, members can assume a matching bug bounty is most cost effective when estimated as a percentage of 10% to 40% of the active cover amount for a project.
After taking into consideration Hugh and Mitchell’s respective suggestions, I’m proposing we:
- Cap maximum payouts at $200k (or the remaining funding) for projects with active coverage in the $2m to $8m range; and
- Cap maximum payouts at $600k (or the remaining funding) for projects with greater than $8m in active coverage
A comparison of matching bounty payouts as stated above can be found in the Active Cover (as of 24 March 2022) Google Sheet; the comparison is between Columns M-to-R, which show the requirements above, and Columns E-to-K, which display matching bounties capped at $200k.
The terms above present the most cost effective benefit for members of the mutual; however, it does pose the challenge of communicating which projects are eligible based on the active coverage qualification. We would need to work with Immunefi to determine the best way to display/communicate the projects that are eligible for a matching payout; this will ensure we can provide a greater incentive for whitehats to review code for listed projects.
TL;DR: Proposal to renew would seek $600k in total funding to incentivize whitehat hackers in Immunefi’s community to review code for listed protocols participating in the program. Bug bounties create a marketplace for blockchain security analysts’ attention; the mutual benefits when a matching bounty is less costly than paying 10% to 40% (or greater) of current liabilities (active cover) made possible by exploitable flaws in design/code.
Members can read the review in the Immunefi Matching Bug Bounty Program Review | Request for Comment (RFC) forum post.
@hugh shared his thoughts on the potential cost savings–if members assume a 10%-40% claim rate on active cover (i.e., current liabilities). While data is thin, past loss events give us an indication that not all active cover policies are being utilized, which means the claim rate would likely be less than 100% of active cover on each platform.
Given this, members would benefit by adjusting the program to ensure protocols/platforms have enough active coverage to justify a matching bug bounty payout. Hugh suggested adjusting the requirements for the program as follows:
Protocols with active cover greater than $2m and an active bug bounty program on Immunefi
Matching would remain at the 1:1 matching rate, up to a maximum matching bounty of $200k per bounty payout
Maximum of $600k total in matching payouts (i.e., 3 total matching bounty payouts) before the program is reviewed and assessed for renewal
See the Active Cover (as of 24 March 2022) | Hugh’s Suggestions Google Sheet, which outlines the cost effective rate for protocols with a Matching Bug Bounty Program per Hugh’s comments.
@Mitchell_Amador also weighed in and highlighted the benefits of the program for both Immunefi and Nexus Mutual.
He also suggested expanding the program, with the following goals to drive more value for the mutual:
Encourage projects to launch bug bounty programs on Immunefi. Driving more projects to launch their bug bounty on Immunefi makes them eligible for the program and allows them to benefit from a community of 10,000+ blockchain security analysts, hackers who can review their code for flaws.
Make projects with significant liabilities eligible for the program. Projects with the largest amount of active cover pose the greatest risk to the mutual. Making projects eligible is a low cost and provides a cost effective use of funds.
Incentivizing projects to increase their bounties and make payouts more competitive within the market. More projects are trending toward a $1m+ critical bounty standard; adjusting the program to give protocols an incentive to increase their critical bug bounty payout, while ensuring a matching bounty is still cost effective for the mutual works for all parties involved.
Mitchell also suggested changing the matching ratio from 1:1 payouts to 0.5:1 payouts to give projects a greater incentive to offer higher payouts. He also offered the perspective that capping maximum payouts at $200k per bounty doesn’t serve the mutual’s interests.
Instead, he suggested matching 0.5:1 up to the $600k cap on total payouts. For example: paying out $525k for a critical vulnerability disclosure on Anchor Protocol would represent 7.42% of $7,080,225.97 (10% of active cover) and 1.85% of $28,320,903.86 (40% of active cover) respectively.
To quote Mitchell:
As to Hugh’s suggestion on capping the amount before another review, that seems wise to me, although I would suggest removing the cap per critical, since that does not serve the Mutual’s interests in driving disclosures (which is driven by bounty size). Pegging the maximum per critical to the total pool (as we did before) seems wiser, as it helps drive up bounty sizes (which does most of the work in incentivizing hackers).
Matching payouts are already derisked by their necessary review and sign-off by the Nexus Mutual team. If further de-risking is desired, I’d suggest cutting the matching rate (from 1:1 to 0.5:1 or something similar), rather than capping reward size, to encourage projects to assume more cost burden to receive these incentives.
Immunefi is the leading bug bounty and security services platform for DeFi, which features the world’s largest bounties. Immunefi guards over $100 billion in users’ funds across projects like Nexus Mutual, Chainlink, SushiSwap, PancakeSwap, Bancor, Cream Finance, Compound, Alchemix, Synthetix, and others. The company has paid out the most significant bug bounties in the software industry, amounting to over $10 million, and has pioneered the scaling DeFi bug bounties standard.
More than 300 protocols and products have been launched on Immunefi, as the de facto home of Web3 bug bounty programs, for an aggregated pool of $121m in critical bug bounties. Their community has 10,000+ registered blockchain security analysts and hackers on their platform. In aggregate, Immunefi disclosures prevented more than $23 billion in probable exploits.
Members can review past bug reports, war rooms, and whitehacks on Immunefi’s Medium.
The partnership with Immunefi provides a benefit for both of our communities, while serving our mission to protect more users on-chain. A use of funds from the DAO treasury (a.k.a., the Community Fund) should always deliver value or preserve value for the mutual. Granting $600k from the treasury would strengthen our partnership with a first-in-class blockchain security organization, while creating incentives for blockchain security analysts and hackers to review code for listed projects in order to discover flawed code that presents a critical threat before it can be exploited by a greyhat or blackhat; this preserves value for all NXM holders and active Risk Assessors.
After seven (7) days of review and discussion, this proposal will transition to a Snapshot vote, where the following choices will be presented to members of the mutual:
Option A: Renew the program; allocate $600k in total payouts; 0.5-to-1 matching payouts up to $600k for projects with active cover >$8m; 0.5-to-1 matching bounty payout up to $200k for projects with active cover between $2m to $8m.
Option B: Renew the program; allocate $600k in total payouts; 1-to-1 matching payouts up to $200k for projects with active cover >$2m
Option C: Do not renew the program; deny request for further funding