Bug Bounty Q&A
The following questions will help you understand our service offering. If you cannot find an answer to your question, please contact us at hello@auditone.io.
Background Information
Please can you share an overview of you and your bug bounty program?
AuditOne is a decentralized community of 400+ white hat hackers/auditors who are offered a bounty for identified bugs/vulnerabilities.
Coverage & Scope
Please can you detail what kind of coverage, scope, bugs, or potential exploits you think we should include as an L1/L2? Do you have detailed definitions for these that we could use?
- Stealing or loss of funds
- Unauthorized transaction
- Transaction manipulation
- Price manipulation
- Fee payment bypass
- Balance manipulation
- Contracts execution flows
- Consensus flaws
- Peer-to-peer network flaws
- Cryptographic flaws
Recommended Bounties
Please could you outline your recommendation on how we would structure the bounties? E.g. how are severities defined, and how do we define which bugs deserve what level of payout?
We usually advise that a critical bug bounty should be up to 10% of the TVL (as all could be stolen/controlled in this case).
Low-severity issues could pay just a few thousand, while medium-severity issues would typically fall somewhere in the range of 5-20k.
Commercials
Any fees for % of bounties paid out?
Only a 5% fee on each payout, which is paid by the auditor out of the bug bounty reward. There are no other fees.
Bug Validation, Reporting & Screening
What's the process for validating whether a bug is real and/or true?
We screen submissions initially. If a report is not spam, an alert is sent to the developers you assign on your side. We can also assess and triage reports for you, but that is a separate service billed monthly (price TBD).
Can you please describe how bugs would be reported to us and/or screened by you (if relevant)?
We screen submissions initially. If a report is not spam, an alert is sent to the developers you assign on your side. We can also assess and triage reports for you, but that is a separate service billed monthly (price TBD).
What happens in case a highly critical / zero day/crisis level bug is discovered and requires urgent attention? Do you have resources in place to quickly escalate this and report this to us for swift resolution?
We exchange personal contact details with your lead developers. Furthermore, we have real-time alert systems in place for contact via email and Telegram.
How are reports kept confidential so they cannot be exploited by others?
Our app has a proper user management system, and reports are shared only within trusted systems.
Legal & Arbitration
Please can you describe the process for how the bug bounty program would be legally structured?
At the beginning, the program is structured on paper only, and you pay the bounty hunters directly.
What's the process if there's a dispute? How would this work?
In terms of arbitration, there will be a committee of 5 members, 2 from AuditOne, 2 from your team, and 1 from Kleros.io.
How do you structure things legally with the white hat hackers?
They agree to the T&C on our platform.
Payouts
Is this in USD and/or stablecoin? Would it be in tokens rebased to USD value?
The most attractive way to offer bounties is in stablecoins. It is also fine to pay in tokens valued at pre-defined USD amounts.
Do you require any funds to be placed in escrow?
We are developing coverage and escrow pools that can or will be used at a later stage. For now this is not required.
Do you pay the bounty or do we? If so, how is KYC handled?
We perform KYC on the auditors / bounty hunters. How the payment process is handled can be customized to your needs.
Ecosystem, Reach & Credentials
Please can you describe your ecosystem? E.g., how many active white hat hackers do you have? How experienced are they?
More than 380 auditors (300+ proficient in Solidity, 50+ proficient in Rust, many of them pen-testers or from traditional security backgrounds).
How many bounties have you posted and/or paid out in the past? What's the monetary value of this?
We are in discussions with a few other projects, but it takes some time to agree on terms. Our bug bounty feature was only recently developed, and the legal contracts have been drafted. This is your chance to be one of the first bounties on the platform, which will make standing out much easier.