[TEMP CHECK] Aave Bug Bounty Program on Immunefi

Thank you everyone for your feedback and support! Glad especially to get Aave Companies, BGD, and ACI support here.

Regarding the reward amounts, we think that defining them before the scoping stage is quite complicated, as the distribution of vulnerabilities’ impact in the range critical-to-low is not uniform at all: for multiple potential attack vectors on a system like Aave, the impact in terms of funds at risk is usually either really low, or puts in danger the majority of the protocol’s TVL; not so much in the middle.

Following that reasoning, we would advocate for more granularity, going slightly higher on the really critical problems, and most probably raising the amounts on the low criticality levels too. This, of course, belongs to the scope-definition phase, if the community signals positively on initiating a program with Immunefi.

Sure, we would be happy to modify the proposal to have everything “up to” for now and then we can work on the granularity later on once scoping is worked out more.

Regarding the engagement between Immunefi and the Aave DAO, we think it is mandatory for the service provider/intermediary (Immunefi) to adapt to the morphology of the DAO. For example, in terms of payments: fully decentralized and coming from smart contracts controlled by the Aave governance.

The Aave governance should just approve a budget in terms of allowance for bounties, which afterward would be used for independent payouts. The funds to be used belong to the protocol’s Collector, so it should not be the responsibility of service providers like BGD to manage them in any way, only to advise and confirm when submissions deserve a payout.

Yes, this is completely fine with us at Immunefi.

Would it be possible for the DAO to use any kind of asset for the payout including AAVE from the Ecosystem Reserve? It just feels appropriate to, at least partially, give governance to security researchers helping secure the protocol.

Yes, we could use AAVE as well in addition to stablecoins that are held in the treasury. However, the reward amounts just need to be displayed in USD terms on our platform. The bug bounty program itself can have wording that defines what the conversion rate would be.