[TEMP CHECK] Aave Bug Bounty Program on Immunefi

Thanks for the proposal @TravinImmunefi ! We think an updated bug bounty program is something the Aave protocol really needs to be up to the industry standards.

Given that we have not been in much direct contact with Immunefi on this topic, we would like to present some feedback regarding the proposal:

  • Regarding the reward amounts, we think that defining them before the scoping stage is quite complicated, as the distribution of vulnerabilities’ impact in the range critical-to-low is not uniform at all: for multiple potential attack vectors on a system like Aave, the impact in terms of funds at risk is usually either really low, or puts in danger the majority of the protocol’s TVL; not so much in the middle.

    Following that reasoning, we would advocate for more granularity, going slightly higher on the really critical problems, and most probably raising the amounts on the low criticality levels too.
    This, of course, belongs to the scope-definition phase, if the community signals positively on initiating a program with Immunefi.

  • Regarding our collaboration, part of our service scope to the DAO is to coordinate with other service providers and initiatives in the security field, quite related to development. So happy to participate in this.
    That being said, BGD is a completely independent entity with respect to Aave Companies, and even if we of course coordinate different projects touching the Aave DAO, we have pretty different approaches, policies, and expertise.
    We are not willing to have any kind of joint role regarding the Bug Bounty program, because we consider we have more appropriate expertise for it, and operationally, we don’t want to add overhead on stages like submission evaluation, or scope definition.
    This means we can participate, but as the sole entity with full decision power over the outcome of submissions.
    Nevertheless, we would like to highlight that we have not participated in the development of GHO, so for specifically that project, we think Aave Companies is a more suitable entity to define the scope and evaluate submissions.

  • Regarding the engagement between Immunefi and the Aave DAO, we think it is mandatory for the service provider/intermediary (Immunefi) to adapt to the morphology of the DAO. For example, in terms of payments: fully decentralized and coming from smart contracts controlled by the Aave governance.
    The Aave governance should just approve a budget in terms of allowance for bounties, that afterward would be used for independent payouts. The funds to be used belong to the protocol’s Collector, so it should not be the responsibility of service providers like BGD to manage them anyhow, only advising and confirming when submissions deserve a payout.

  • Would it be possible for the DAO to use any kind of asset for the payout including AAVE from the Ecosystem Reserve? It just feels appropriate to, at least partially, give governance to security researchers helping secure the protocol.

We hope to see/help move this forward!