Implement Push Protocol's Bug Bounty Program v1.0

As part of our commitment to ensuring the security and reliability of Push Protocol and all its products, the Push DAO would like to implement the Push Protocol Bug Bounty Program. The first iteration of our bug bounty program was a pure vulnerability disclosure program without cash bounties. In this second iteration we want to start with a simple implementation and offer rewards to security researchers who identify and report vulnerabilities in our systems.

How will the bug bounty program work?

  • Step 1: Security researchers will submit their findings through an official form that will be published soon after this proposal is ratified.
  • Step 2: The Push team designated to review security vulnerabilities will analyze the report and classify it according to severity (Low | Medium | High | Critical).
  • Step 3: The Push team will follow up with the reporter with results in no more than 1 week.

Rewards

The Program uses the following four-level severity scale:

  • Critical: Issues that could impact numerous users and have a serious impact on the functioning of the protocol. Examples would be preventing notifications and/or chat from being sent, or affecting fees collected through the protocol.
  • High: Issues that impact individual users or businesses, where exploitation would pose reputational or other sorts of risks.
  • Medium: The risk is relatively small and does not pose a threat to business continuity.
  • Low/Informational: The issue does not pose an immediate risk but is relevant to security best practices.

Rewards will be given based on the above severity as well as the likelihood of the bug being triggered or exploited, to be determined at the sole discretion of the Push Protocol team.

Eligibility

To be eligible for a reward under this Program, you must:

  • Discover a previously unreported, non-public vulnerability that is not already known to the team and is within the scope of this Program.
  • Be the first to disclose the unique vulnerability through the form that will be made available after this proposal is ratified, in compliance with the disclosure requirements.
  • Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
  • Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
  • Not publicize a vulnerability in any way, other than through private reporting to us.
  • Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of any of the assets in scope.
  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
  • Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
  • Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.
  • Not be one of our current or former employees, or a vendor or contractor who has been involved in the development of the code in which the bug in question was found.
  • Comply with all the eligibility requirements of the Program.

Token Allocation

We propose to allocate a total of 20,000 $PUSH tokens for a period of 3 months (1 epoch = 3 months).

20,000 $PUSH will be transferred upfront from the Community Treasury to a DAO-controlled wallet created specifically for the Bug Bounty Program. Any $PUSH not allocated by the end of the epoch will be sent back to the Community Treasury before a subsequent epoch starts.

Note: the $PUSH allocation per epoch might vary according to market conditions, to ensure rewards are kept at a similar rate every epoch.

Conclusion

If the feedback from the community is affirmative, this proposal will be promoted to formal voting. If ratified, the suggested $PUSH token allocation will be used to offer rewards to security researchers who identify critical vulnerabilities affecting Push Protocol and its products.

This Governance Improvement Proposal aims to be fast-tracked according to PIP-08 (Fast-tracking of PIPs that get immediate traction into Snapshot).

We believe that this program will help us to continue improving our security practices and provide a safer experience for users.


This is a win-win deal for both the protocol and the community. Totally in favour of this proposal. :raised_hands:

I’m in total support of this proposal !!

Amazing, in favor of this one.

In favor of this proposal. This proposal will open more involvement opportunities for the community

Fully support bug bounty programs, as they help strengthen a project's security.

I support this bug bounty because it incentivizes the community to build toward the protocol. This is a wonderful idea that our community members have been asking for for a while!

I support this proposal. This proposal can improve the security and reliability of Push Protocol.

This proposal has met the requirements to be fast-tracked according to PIP-08, and has been promoted to snapshot for voting for a period of 3 days.

Entered into snapshot with ID: PGIP-5

Snapshot Proposal URL:
PGIP-5: Implement Push Bug Bounty Program Proposal in snapshot

Voting starts: 21/03/2023 at 02:00 AM UTC
Voting ends: 24/03/2023 at 02:00 AM UTC

The Push DAO has ratified the proposal to Implement Push Protocol’s Bug Bounty program with 100% votes in favor.

https://snapshot.org/#/pushdao.eth/proposal/0xecb6bed163934dbf3f77707e5ec013fd055f589210103b2e4b3e8a9d605ba632

The program will kick off this same week, and details will be shared across our social channels.