Thank you for the detailed proposal, @Fav_truffe.
Existing Bug Bounty Program
The Nexus Foundation currently manages the bug bounty program through Immunefi, and the Foundation is happy with the current program on Immunefi. The program on Immunefi doesn’t require KYC and the bug bounties are paid out in USDC.
This bug bounty program is outlined on Immunefi and in our documentation, as well.
Past Hats Finance Proposals
In 2021, Hats Finance presented a proposal to the Nexus Mutual DAO and members about starting a bug bounty program: Nexus Mutual Community <> Hats collaboration: Next Steps
This proposal was put up to a Snapshot vote and 90.4% of members who participated voted No on the proposal.
I know you also shared a proposal in April 2022, but previously, no one responded to that post on the forum.
Follow Up Questions Regarding your RFC Proposal
If this proposal were to move beyond the Request for Comment stage, it would need to request a separate bug bounty program be created using funding from the DAO treasury and the amount would need to be specified in the proposal, as well. However, I think it’s unlikely to receive support from members given the outcome of past votes on this subject.
On some of the additional advantages you point out in your proposal:
Can you provide some data on this point? I know Immunefi has a large security community with thousands of whitehats active on their platform. I’d be curious what the stats are for Hats Finance to date.
If Nexus Mutual were to provide the protocol’s native token NXM to a vault on Hats, then the vault contract and anyone who submits a bug bounty would be subject to KYC, given only members of the mutual who have gone through KYC can hold NXM. To date, bug bounty payouts through Immunefi have worked well for the Foundation.
If a yield-bearing token were provided, it would open the bounty funds up to additional smart contract risk, which I don’t believe members would be a fan of given the potential yield would only be in the realm of 3-8%.
This seems like a drawback from the existing program the Foundation runs on Immunefi, as a researcher would have to wait to get paid over time, thus misaligning incentives somewhat.
I’m glad to see more protocols offering audit competitions, but I feel as though this is out of scope for the current proposal, given you’re advocating for the creation of a bug bounty program on Hats Finance.
At this point, I’m not seeing an obvious benefit of running two bug bounty programs simultaneously.