BGD. Aave <> Immunefi bug bounty program

TL;DR

Present to the community the bug bounty program created in collaboration with Immunefi, to be approved by the Aave Governance.


Aave bug bounty program

Following the pre-approval of the community on Snapshot and the discussion on the previous governance forum thread we have been collaborating with Immunefi in order to define the specifics of a bug bounty program adapted to Aave’s needs.


All the details can be found on the program draft HERE (draft as it requires full on-chain governance approval), but the most important points are the following:

  • Bug bounty program for the Aave DAO run on the Immunefi platform.

  • Through its role as a service provider of the DAO, BGD will be in charge of review and decision-making regarding bounty submissions, more precisely for the following items: Aave v2, Aave v3, Aave Governance v2, and Aave Safety Module.

    Given their involvement in developing GHO, @AaveLabs (props for initiating the conversation with Immunefi at the start of the project) will be in charge of review and decision-making regarding GHO, with review support from BGD.

  • The program will be ongoing until the Aave Governance signals to stop it. Evaluation of submissions is dependent on the agreement with the service provider of the DAO in charge (in this case, ourselves, BGD). At the moment, our successfully approved Aave <> BGD Phase 2 will cover this for the following 6 months (from 04/08/2023).

  • Standard Immunefi bug submission procedural terms (e.g. PoC guidelines), but customized Threats Definition, adapted to Aave’s needs.

  • Payments are to be done directly by Aave governance proposals, in stablecoins or AAVE (30 days USD price average), or a mix of them. BGD will create a governance proposal for the community to provide feedback on the currency criteria.

  • Systems covered:

    • Aave v2 (critical and high vulnerabilities for Aave v2 Ethereum, only critical for other networks, in the process of migration).
    • Aave v3.
    • Aave Safety Module.
    • Aave Governance v2.
    • GHO stablecoin.

    Additional Aave official systems will be added once live, if deemed reasonable by the technical service providers of Aave.

  • Payout ranges (details and conditions on full document):

    • Critical: $50’000 to $1’000’000.
    • High: $10’000 to $75’000.
    • Medium: $10’000.
    • Low: $1’000.

  • To not create governance overload, bug bounty payouts via governance proposal will be batched with a minimum frequency of once a month.

  • The Immunefi fee is the standard 10% on top of each bug bounty payout.

  • Official and Former Official Contributors (as defined on the bug bounty document) are not eligible for bounty.

  • Generally, no KYC requirements, but the reviewer reserves the right to apply mechanisms to avoid submissions by Official Contributors, on high and critical reports.

  • Once approved, BGD will be able to modify technical aspects of the program to keep it updated, while not creating governance overhead. But any fundamental aspect (like payout size) will need to be approved via governance.


Next steps

After some days to gather feedback from the community, as technical service providers to Aave, we will submit a proposal on behalf of Immunefi, which will factually activate the program, if approved.


Hello, safety has always been top notch and should be in the future too.
That’s why I am in favour of this bug bounty program.

Hey @bgdlabs! Thanks for this initiative.

However, would it not be better to work with a decentralized/onchain protocol like Hats Finance instead of ImmuneFi (Web2 company)? I believe that working with Web3 protocols should align with the decentralization ethos of Aave.


Imho it doesn’t matter if it’s web2 or web3. Here it is about security, and if ImmuneFi has proven itself to be a really good platform we should stick to it.

Sometimes we are talking about web3 and how important it is and so on but just forget what the main goal is. And in this case security.

I believe that we should talk the talk and walk the walk.

This is 100% right, but it implies that ImmuneFi is better than Hats Finance and I don’t think so. If you have any supportive arguments, happy to discuss fren.


I didn’t say Immunefi is better. Your argument was we should take Hats Finance because of web3 ethos, but didn’t mention why they are a better fit.
I just said stick to Immunefi, without mentioning anything more.
If you think Hats Finance is a good choice, prove it by showing strong arguments.
Immunefi could be strong as they are well known and have been used in the past several times for several projects. I cannot say more than that.

Sure! Firstly, Hats Finance has an encrypted communication feature for security researchers and project teams and therefore nobody (including the Hats team) can see the vulnerability report. There is no third party risk as in the case of Immunefi.

Secondly, bug bounty vaults on Hats Finance are open to everybody. Accordingly, investors, DAO members, community members, etc. can deposit to the vault and top up the bounty amount (make it more incentivizing for security researchers).

Thirdly, Hats Finance is on-chain and therefore the submissions require a transaction fee. This fee itself acts as a spam filter, but if deemed not enough, Aave can increase the fee to submit a report to create a paywall (to increase the efficiency of the spam filter). This is very important because it’s widely known that some web2 bug bounty companies are paying some security researchers to submit reports (to sell triage service to the projects).

Fourthly, Aave DAO can potentially farm $HAT tokens (after TGE) with its bug bounty vault.

Fifthly, there is not any monthly/quarterly/yearly fee to host the bug bounty program on Hats.

Sixthly, Hats Finance, as a decentralized protocol, is anon-friendly. Considering the fact that white hatting might be troublesome in some countries and some white hats are very sensitive about their privacy, Hats has the capability to target more security researchers.

These are the preliminary issues that come to my mind now :)


Hey @bgdlabs and @EzR3aL!

I shared a proposal to run the bug bounty program on Hats protocol via an on-chain bug bounty vault. Looking forward to your feedback!

Hello @Fav_truffe.

The Aave <> Immunefi program was already discussed and approved on a temp check Snapshot by the community HERE.

This implies that we (BGD Labs), as a service provider, have already been working with the Immunefi team to define the scope and all the details of the bug bounty. Having an alternative platform can be an option in the future, but operationally, this is not something the community should do at this stage, as it would mean restarting evaluation/setup procedures almost from scratch.

Hey @bgdlabs! Thanks a lot for taking the time to reflect.

Hats Finance is not a Web2 company but a native on-chain/permissionless Web3 project. Accordingly, you will not be required to sign hundreds of pages of papers. It takes less than 30 mins to set up and run the bug bounty vault on Hats protocol. So, I am of the opinion that it will be extremely easy for you to deploy on Hats protocol if you deem it fit.

We have published Aave governance proposal 325, which will act as explicit approval from the Aave DAO to activate the Aave <> Immunefi bug bounty program.

As described in the AIP text, the exact activation date will depend on the completion of all the setup on the Immunefi platform, but we are targeting the days after the proposal approval by the community.

Voting starts in ~24h, participate :ghost:
https://app.aave.com/governance/proposal/?proposalId=325


Now that this has passed and reached quorum, is there any update to when we can expect this to go live?

Hello @zilayo. We are doing some last administrative setup with Immunefi, but we expect the program to be live in a matter of days.


As an update to the community, the Aave <> Immunefi bug bounty program previously approved on proposal 325 is live on the platform.

https://immunefi.com/bounty/aave/

Currently covering all the non-GHO components of the described scope, with GHO being added in the following days.

I agree that security should be amongst the most major of concerns. That said, the idea of utilizing the services of a 3rd party when it could be a white-hats-only operation isn’t a safe method.

In my opinion, sometimes mediation is needed.

Mediation is needed? Or is more convenient? I agree that it can be helpful to outsource certain operations, but too many hands in the pot creates an environment from which one has to “trust”.

I respect BGD’s work a lot, so from my point of view their opinion should be final. However, a lot of whitehats feel that they need a 3rd party in order to feel that their findings and bounties are fair. I never thought about doing everything in-house, but it could make sense; however, I also think that Immunefi is a place to go to see if the protocol has bounties without having to scroll through the governance forums.