[Pre-Proposal] Bug Bounty

* Title: Bug Bounty
* Name: bugBounty
* Term: 12
* Total Amnt: 1,000,000
* Author: Nohbdy45645
* Receiver: To Be Determined
* Address: not yet created
* Created: July 28 2020
* Status: Draft

I think a formalized process for rewarding community members for finding bugs would be a good idea that would encourage people to actively seek out and report bugs. I would propose that devs be excluded from being able to claim a bug bounty. Maybe include other DAO members in that exclusion. I think this should be something exclusively available to the average user/community member.

I would propose that the amounts of awards be decided by a majority vote of a committee depending on the severity of the bug (a bug found in an area that changes something essential should get more than a cosmetic bug). The amounts could range between maybe 5,000DVT to 100,000DVT.

I would suggest that the proposal require renewal in one year and if it is renewed remaining funds would be re-rolled into the bug fund with the possibility of a top-up to be discussed at that time. If it is not renewed any unused funds would go back to the project fund.

I think it might help to have a more formalized and funded process rather than donations from individuals.

I hope this gets a bit of discussion going.

I like it. But then we should also work out a framework to determine severity on a Likert scale, for example.

Yes. It’s a good idea to have this, I think. However, I’d like to see someone outside of the dev team also manage this and ideally just ask for funds to be co-signed and spent as needed rather than stored by them separately. For Core & Mobile wallets, the team is spread too thin to take on other tasks, and this stuff can become very time-consuming as it requires lots of engagement that takes away from other tasks.

I think some scale like Lex suggested would be a good idea. Some objective criteria that would lead to a range that could then be analyzed by committee to determine the actual award amount. As an example, after applying a scale to an issue, the committee finds that the issue falls into an award range of 10k-25k, and then by majority vote of the committee the award would be determined to be somewhere in that range of 10k-25k.

I would suggest that the committee be maybe 3-5 people from the community who are not associated with any development or DAO. People with some basic knowledge but who can remain focused on the community aspect of this rather than the technical aspect.

I’m probably explaining this poorly.

In my suggesting that the dev team be ineligible for collecting the reward, I was thinking that the dev team should be largely removed from the process. Limit the dev team to certifying that a bug exists; once that information is passed on to the committee, they take the rest from there.

That being said, I think the committee end of things needs to be relatively idiot-proof. I would like to see that committee be made up of members of the community to increase community involvement/engagement and to also not add to the load that the devs are already under.

Just to bring some points that were made on discord over to the forum:

Bug is being loosely defined as something that makes something not work the way it’s supposed to work.

A basic jumping off suggestion for reward categories is as follows:

* Server down 1k
* Non server down issue making part of one of the devault websites function abnormally 10k-25k.
* Non server down issue making an entire devault website go down 25k-50k.
* Non server down issue with wallet that doesn’t affect send/receive/cold 25k-50k.
* Wallet issue that does affect send/receive/cold 50k-75k.
* Core issue 50k-100k.

I would appreciate some help from the community in either expanding on this idea or just saying it’s trash and telling me to drop it.