diff --git a/MIP106/MIP106.md b/MIP106/MIP106.md index 52482ac18..ebcf01ba5 100644 --- a/MIP106/MIP106.md +++ b/MIP106/MIP106.md @@ -1478,15 +1478,15 @@ The Purpose Fund will directly allocate 33,333 MKR from the Pause Proxy MKR rese This section specifies the budget and processes of a bug bounty program, which serves to protect the Maker Protocol and its users from hacks and exploits. The MakerDAO Bug Bounty Program is conducted on the Immunefi platform. -#### Introduction +#### 13.1.1: Introduction As one of the most important DeFi protocols with a high TVL, the Maker Protocol is a honeypot for hackers and other nefarious actors. Due to this fact, the Maker Protocol should always be covered under an active bug bounty program. The program aims to create incentives for hackers to contribute to the resilience of the Maker Protocol as opposed to exploiting vulnerabilties for personal gain. The setup and operations of the bug bounty program is based on the standard set by Immunefi, which is the party responsible for conducting the bug bounty program. Besides a bug bounty program for the Maker Protocol, another bug bounty program should be maintained for SparkLend until the launch of the Spark SubDAO. -#### Scope +#### 13.1.2: Scope -##### Assets to be covered +##### 13.1.2.1: Assets to be Covered The assets considered as in-scope of the bug bounty program will be those that are identified as critical infrastructure to the Maker ecosystem. The scope of assets accepted for this Bug Bounty Program is specified on the MakerDAO listing of the Immunefi platform, [which can be found here](https://immunefi.com/bounty/makerdao/). Assets in scope include smart contracts and frontend applications, data infrastructure and oracles. 
@@ -1494,11 +1494,11 @@ The scope of assets accepted for this Bug Bounty Program is specified on the Mak For SparkLend, the scope of assets for the Bug Bounty Program is specified on the Spark Lend listing of the Immunefi platform, [which can be found here](https://immunefi.com/bounty/sparklend/). For SparkLend the scope only includes smart contracts. The scope Facilitator is responsible for coordinating with the relevant stakeholders to define and maintain this list of assets. -##### Severity Classification +##### 13.1.2.2: Severity Classification The Immunefi Vulnerability Severity Classification System is used for both bug bounty programs. A specification of this system [can be found here](https://immunefi.com/severity-updated/). -##### Impacts in Scope +##### 13.1.2.3: Impacts in Scope The scope of impacts accepted for this Bug Bounty Program is specified on the MakerDAO listing of the Immunefi platform, [which can be found here](https://immunefi.com/bounty/makerdao/). The impacts are categorized into 'smart contract' and 'websites and applications.' 
@@ -1506,40 +1506,40 @@ For SparkLend, the scope of impacts for the Bug Bounty Program is specified on t The scope Facilitator is mandated to choose a new severity system if it deems it to be better for the bug bounty program, based on consulting the relevant technical stakeholders. -##### Out of Scope & Rules +##### 13.1.2.4: Out of Scope and Rules A selection of vulnerabilities are deemed out of scope for the bug bounty program. An overview of these out of scope vulnerabilities can be found on the MakerDAO listing of the Immunefi platform, [which can be found here](https://immunefi.com/bounty/makerdao/). Feasibility limitations also apply, which can be found in the aforementioned listing on the Immunefu platform website. Certain rules apply to the bug bounty program. These can be found on the aforementioned MakerDAO listing of the Immunefi platform, listed under the following categories: -- repeatable attack limitations -- restrictions on security researcher eligibility -- public disclosure of known issues +- Repeatable attack limitations +- Restrictions on security researcher eligibility +- Public disclosure of known issues - Proof of Concept (PoC) requirements - Other terms and information -- prohibited activities +- Prohibited activities For SparkLend, the rules, terms and exceptions can be found on the Spark Lend listing of the Immunefi platform, [which can be found here](https://immunefi.com/bounty/sparklend/). -##### Rewards +#### 13.1.3: Rewards -###### Rewards per Threat Level +##### 13.1.3.1: Rewards per Threat Level -**Smart contract vulnerabilities** +###### 13.1.3.1.1: Smart contract vulnerabilities The Rewards per Threat Level, including related terms, conditions and exceptions are specified in the MakerDAO listing of the Immunefi platform, [which can be found here](https://immunefi.com/bounty/makerdao/). 
For SparkLend, Rewards per Threat Level, including related terms, conditions and exceptions are specified on the Spark Lend listing of the Immunefi platform, [which can be found here](https://immunefi.com/bounty/sparklend/). -**Websites and Applications vulnerabilities** +###### 13.1.3.1.2 :Websites and Applications Vulnerabilities The Rewards per Threat Level, including related terms, conditions and exceptions are specified in the MakerDAO listing of the Immunefi platform, [which can be found here](https://immunefi.com/bounty/makerdao/). -###### Reward Payment Terms +###### 13.1.3.1.3: Reward Payment Terms -**Reward Denomination** +###### 13.1.3.1.3.1: Reward Denomination Payments are denominated in USD. However, payouts are done in DAI assuming a full 1:1 ratio with the USD. However, if the price of DAI deviates from the USD value by more than 1%, the amount of DAI will be adjusted. -**Payout Process** +###### 13.1.3.1.3.2: Payout Process All bounty payouts are handled by MakerDAO governance. Upon confirmation, bug bounty payouts should be included in the next possible 'executive spell', which is a governance vote with an onchain payload attached to it. This would involve sending DAI directly from the protocol's buffer to the whitehat hacker. @@ -1547,7 +1547,7 @@ Immunefi will publicly contact one of the Governance Facilitators with the reque For bug bounty rewards over USD 1,000,000, after the first million is paid out, the remaining amount is paid out over time with up to USD 1,000,000 per consecutive month until the determined amount for payout is reached. -**Budget** +###### 13.1.3.1.3.3: Budget The bug bounty programs incur fixed and variable costs.
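Review bot: the hunk at @@ -1478,15 +1478,15 @@ only renumbers headings and leaves the misspelling "vulnerabilties" in the unchanged Introduction paragraph ("as opposed to exploiting vulnerabilties for personal gain"); since the section is being touched anyway, fix it to "vulnerabilities" in the same change. The same paragraph reads "The setup and operations of the bug bounty program is based on the standard set by Immunefi"; "are based" agrees with the plural subject.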
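Review bot: the hunk at @@ -1494,11 +1494,11 @@ keeps two spellings of the same product in adjacent sentences, "For SparkLend, the scope of assets ... is specified on the Spark Lend listing"; the Immunefi URL and the rest of the section use "SparkLend", so use that form for the listing name as well. "The scope Facilitator is responsible for coordinating ..." is also ambiguous: if "Scope Facilitator" is a named role it should be capitalised consistently, and if it is a reference to the Facilitator responsible for this scope the sentence should say so.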
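Review bot: in the hunk at @@ -1506,40 +1506,40 @@ the new number for Reward Payment Terms changes the document's structure rather than just labelling it. Before the change, `###### Rewards per Threat Level` and `###### Reward Payment Terms` were sibling headings under Rewards; after it, `###### 13.1.3.1.3: Reward Payment Terms` is numbered as a third child of 13.1.3.1 Rewards per Threat Level, next to the smart-contract and website reward tables, which is not what the content is. Number it `##### 13.1.3.2: Reward Payment Terms` and renumber Reward Denomination and Payout Process as 13.1.3.2.1 and 13.1.3.2.2. Two smaller points in the same hunk: `###### 13.1.3.1.2 :Websites and Applications Vulnerabilities` has the colon on the wrong side of the space, and because markdown stops at six hashes, `###### 13.1.3.1.3.1: Reward Denomination` renders at the same level as its parent heading, so the number is the only thing carrying the hierarchy; flattening the levels as suggested avoids that. The unchanged context still contains the typo "Immunefu platform website", which could be corrected here too.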
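Review bot: in the hunk at @@ -1547,7 +1547,7 @@ the new heading `###### 13.1.3.1.3.3: Budget` nests the budget three levels below Rewards per Threat Level, although the budget (fixed and variable costs of both programmes) is not a per-threat-level item. In the original it was a bold sub-item under Reward Payment Terms, so it should carry a number that is a sibling of Reward Denomination and Payout Process under whatever number Reward Payment Terms ends up with, and it should use the same heading level as those two siblings rather than a sixth-level heading that renders no deeper than its parent.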