Please can you detail what kind of coverage, scope, bugs, or potential exploits you think we should include as an L1/L2? Do you have detailed definitions for these that we could use?
- Stealing or loss of funds
- Unauthorized transaction
- Transaction manipulation
- Price manipulation
- Fee payment bypass
- Balance manipulation
- Contracts execution flows
- Consensus flaws
- Peer-to-peer network flaws
- Cryptographic flaws
Please could you outline your recommendation on how we would structure the bounties? E.g. how are severities defined, and how do we define which bugs deserve what level of payout?
We usually advise that a critical bug bounty should be up to 10% of the TVL (as all could be stolen/controlled in this case).
Low issues could be just a few k while medium could be something in the range of 5-20k.
What happens in case a highly critical / zero day/crisis level bug is discovered and requires urgent attention? Do you have resources in place to quickly escalate this and report this to us for swift resolution?
We exchange personal contact details with lead devs. Furthermore, we have real-time alert systems in place for email & TG contact.
We are in discussions with a few others, but it takes some time to agree on terms. Our bug bounty feature was just recently developed, and legal contracts were drafted. It is your chance to be one of the first bounties, and therefore, outstanding will be much easier.