Hello Sovryn community!
I’m Travin Keith, Co-Founder and COO of Immunefi, a bug bounty platform focused around crypto aimed at preventing catastrophic hacks by setting up bug bounty programs that encourage white hat hackers to look through the code as well as economically incentivize black hat hackers to disclose vulnerabilities instead of exploiting them. Over the past few weeks, I’ve been in discussions with the Sovryn team, namely yago and light, about the creation of a bug bounty program for Sovryn. With their help, I’m happy to present to you our draft for SIP-0008 - [DRAFT] SIP-0008 - Sovryn Bug Bounty Program on Immunefi - Google Docs
We have two things we’d like feedback on from the community, highlighted in yellow on the document:
We were considering having the bonuses paid out in SOV in relation to the BTC value. We thought that this would be a great way to encourage very skilled white hat hackers to continue being a part of the Sovryn community. We could also have the bonus payout have a vesting period of a few months in this case for critical bugs to address market liquidity concerns, perhaps scaling down as well depending on the bonus applied.
We thought that the easter egg idea would be a nice fun way to encourage people to look through the code, but at the same time not feel like they wasted time if they didn’t find anything worth reporting. The rewards would be unique NFTs, however, and not BTC or SOV. At the same time, we also don’t want to flood the ecosystem with too many of these, so we wanted to hear from you on how many of these you think would be good.
We had some discussions about whether to have the bug bounty payouts pegged to BTC or a set USD amount, but given that the treasury is in BTC, we thought that this would be best since the request for funds to be allocated for the bug bounty payouts was quite large and attempting to forecast values even over a year would be too difficult. In any case, we feel that this is fine as the value of the Sovryn code increases as the value of BTC increases as well.
To clarify something with the Total Funds Requested section, we are only asking for a commitment of 6 months for our premium bug report triaging and management service because the current fee structure is experimental, and this might end up being a loss for us in the future. We understand the need to plan ahead though, so we are happy to commit to this for now, and will re-evaluate shortly before the 6 months are over and create another SIP, or continue on if there are still funds remaining that can cover our new rate.
Thank you everyone for your time. I look forward to hearing your thoughts!