As part of our commitment to ensuring the security and reliability of Push Protocol and all its products, the Push DAO would like to implement the Push Protocol Bug Bounty Program. The first iteration of our bug bounty program was a pure vulnerability disclosure program without cash bounties. In this second iteration we want to start with a simple implementation and offer rewards to security researchers who identify and report vulnerabilities in our systems.
How will the bug bounty program work?
- Step 1: Security researchers will submit their findings through an Official Form that will be published soon after this proposal is ratified.
- Step 2: The Push Team designated to review security vulnerabilities will analyze the report and classify it according to severity (Low | Mid | High | Critical).
- Step 3: The Push team will follow up with the reporter with results in no more than 1 week.
Rewards
The Program includes the following 4 level severity scale:
- Critical: Issues that could impact numerous users and seriously affect the functioning of the protocol. Examples would be preventing notifications and/or chat from being sent, or affecting the fees collected through the protocol.
- High: Issues that impact individual users or businesses, where exploitation would pose reputational or other sorts of risks.
- Medium: The risk is relatively small and does not pose a threat to business continuity.
- Low/Informational: The issue does not pose an immediate risk but is relevant to security best practices.
Rewards will be given based on the above severity as well as the likelihood of the bug being triggered or exploited, to be determined at the sole discretion of the Push Protocol team.
Eligibility
To be eligible for a reward under this Program, you must:
- Discover a previously unreported, non-public vulnerability that is not already known to the team and is within the scope of this Program.
- Be the first to disclose the unique vulnerability through the form that will be made available after this proposal is ratified, in compliance with the disclosure requirements.
- Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
- Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
- Not publicize a vulnerability in any way, other than through private reporting to us.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of any of the assets in scope.
- Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
- Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
- Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.
- Not be one of our current or former employees, or a vendor or contractor who has been involved in the development of the code containing the bug in question.
- Comply with all the eligibility requirements of the Program.
Token Allocation
We propose to allocate a total of 20,000 $PUSH tokens for a period of 3 months (1 epoch = 3 months).
20,000 $PUSH will be transferred upfront from the Community Treasury to a DAO-controlled wallet created specifically for the Bug Bounty Program. Any $PUSH left unallocated at the end of the epoch would be sent back to the Community Treasury before a subsequent epoch starts.
Note: the $PUSH allocation per epoch might vary according to market conditions, to ensure rewards are kept at a similar rate every epoch.
Conclusion
If the feedback from the community is affirmative, this proposal will be promoted to formal voting. If ratified, the suggested $PUSH token allocation will be used to offer rewards to security researchers who identify critical vulnerabilities affecting Push Protocol and its products.
This Governance Improvement Proposal aims to be fast-tracked according to PIP-08, Fast-tracking of PIPs that get Immediate traction into Snapshot.
We believe that this program will help us to continue improving our security practices and provide a safer experience for users.