YIP YAM Bug Bounty Program

Basic Summary
In addition to the completed and potential future audits, we would like to set up a community bug bounty forum to get more eyes on the code and increase security.

Abstract
While audits offer a base level of confidence in a protocol, history has shown time and again that they are by no means a guarantee of security, and the additional scrutiny of community members can uncover missed vulnerabilities. We propose to use Gitcoin Grant audit and potentially treasury funds to sponsor a bug bounty program for the YAM protocol. Rewards will be tiered based on the severity of the issue disclosed.

Motivation
Make Yam more secure.

Specifications
Rewards will be based on the CVSS (Common Vulnerability Scoring Standard) but ultimately subject to tokenholder vote. In the event of a vulnerability disclosure, an emergency proposal will be sent immediately for on-chain governance execution, skipping the typical forum and off-chain steps in the process in order to expedite the fix. Such a proposal would include both the fix and reward to the discoverer of the vulnerability.

Funding of the bug bounty will first come from the Gitcoin Grants audit fund, though once this has been depleted, future funding will be sourced from the treasury.

Rewards will be scaled according to the severity of the bug.

Critical - Max Reward
High - 50% of Max Reward
Medium - 20% of Max Reward
Low - 5% of Max Reward

Poll to Measure Sentiment

What should the Max Reward for the bug bounty be?

  • $50,000
  • $40,000
  • $30,000
  • $20,000
  • $10,000

$50k is insignificant compared to a critical exploit. Happy to pay the max here.

Hello sir,

Where should I report a vulnerability?

Hello @scianto you can send it to me on Telegram or by Email.