Increase the Immunefi Bug Bounties

Rocket Pool currently has a $100,000 bug bounty for critical exploits on immunefi.

I think we should consider raising this to $1,000,000 as our TVL has grown significantly since the bounty was originally created. These are funds that we most likely will never have to pay, but it would be money well spent if it prevents someone from black-hatting the protocol.

It would also have some publicity/marketing value in that prospective users will view the protocol as more secure if there’s a large bounty for critical exploits.

It might also make sense to increase the bounties for the less critical tiers proportionately.

10 Likes

Maybe we set forth a plan to increase the bounty on a set schedule? Like up the bounty to 200k and then ratchet up to 500k, 750k, 1m, etc. semi-annually or annually and possibly on a different ramp speed, but it could give a sizeable increase to show how we plan to increase the bounty as we grow, but we’d also need provisions for deciding if we’re still under-bidding on the research (i.e. where’s the market equilibrium between bug hunters’ time and the amount the pool could afford to put into bug bounties per annum).

I agree with OP. While I don’t have much insight on the market equilibrium, I hope we can agree that the current bounty is insufficient. The protocol as it stands today has much more to lose from a critical vulnerability than paying out $100k. We want to encourage folks that find bugs to go the whitehat route who would otherwise go blackhat. Just as a datapoint, Lido (who admittedly are much bigger than RPL) have two bounties on that site paying out max $2m.

2 Likes

Unfortunately, I think this would incentivize people that find vulnerabilities to wait until bounties are higher before disclosing.

That’s a good point. I think I was being a bit naive in thinking that people that search for vulnerabilities in OSS code for bug bounties wouldn’t try to hold off/wait to report until an increase.

Maybe there’s another way to incentivize users more and grow the bounty system at the same time without indirectly encouraging folks to wait on reporting larger vulnerabilities.

…what if we set it to some % rate of rewards per year? Like .001% of total RPL rewards per year? That way, it grows as the network grows? Then, if exhausting the funds, we can re-evaluate replenishment. Idk, I’m kind of spitballing ideas here.

I think you’re spot on though on the importance of it and needing to be sizable and competitive with the rest of the bug bounties.

One of the things overlooked by Rocket Pool is that the company takes 0 fees from staking revenues. This is a double-edged sword, especially for an extremely decentralized protocol. It allows users to make the most from their validators, but doesn’t allow direct profit from users using rETH. The Rocket Pool dev team’s only source of income to increase the treasury at this time is the RPL inflation rewards from being an oDAO member. Rewards from being an oDAO member would be very big for an individual, but I’d consider it a drop in the ocean in comparison to other treasuries.

Obviously many of us would like to increase the bug bounty, but know that there is a limit to how much Rocket Pool might be able to pay out, because it’s both small in size and takes a very long time to regenerate (especially if more oDAO members start coming online).

2 Likes

Hey @thomasg,

Totally agree that we need to raise the bug bounty. To support a streamlined payout we need to ensure that we have much of the bounty on hand (not all but a substantial amount). This means a little bit of treasury management our side (dev).

We will increase the bounty but in stages, to manage the treasury aspects. We won’t schedule the increases because we don’t want people waiting to submit bugs. The aim would be to get to the 1mil mark over time.

4 Likes

We have increased the bug bounty to $250k and will continue to increase it over time to $1mil.

6 Likes