Upgrading the Bug Bounty program - potential AGP

agp

#1

I think it may be good to think more about the bug bounty program, and increasing the Critical Reward:

https://wiki.aragon.org/dev/bug_bounty/

First, it looks like the program is expired…

Second, I think we should look into maybe $100-150k levels for Critical? Or like putting 150k in a DAO and promoting prominently for people to hack it…?

Would love to hear thoughts!

I want to feel more secure using Aragon, and I hope higher tier programs like this can help speed up the process of billions secured with Aragon.

Not that… size matters, but I think once Aragon gets to that level, more and more people will trust it, like many of us do with the Gnosis multisig (unrelated to the dxDAO, but relevant), and be encouraged to form DAOs.

(EDIT: I removed the link for the dxDAO program, I thought it was 150k for a single bounty)


#2

And I just wanted to add…

I feel like it is only when the Aragon Network treasury is fully moved to an Aragon DAO that the ecosystem may trust to fully use Aragon for their operations (especially for multi-million dollar treasuries). I know that some people may be brave charting forward with this now regardless though.

I know right now it’s still in beta, and there are disclaimers of sorts… but I’m just wondering if there are any timelines or how many more other audits until the skin in the game can really be there for everyone else to trust the tech too?

I know nobody wants Aragon to die because of losing all of the money in a hack, but at the same time, we need to also be aware that other people’s lives and businesses are at stake too.

So it begs the question: should Aragon even be on Mainnet until the Aragon Network’s funds are all moved to Aragon?

Is it ethical to even be promoting, suggesting, or helping organizations be on-boarded as Mainnet DAOs without the Aragon treasury fully in Aragon?

I’m just playing the devil’s advocate here: I don’t know the right answer. Trying to spark discussion.


#3

I think adjusting bug bounty levels depending on the total value secured by the framework could be interesting. As more people start relying on the platform the bug bounty level increases (but also the likelihood of a critical bug should theoretically diminish over time).

It seems prudent to be cautious and make incremental changes. Aragon the project should absolutely be blazing the trail here in terms of putting significant value in these contracts (and we are!). The total amount being secured is fairly low at the moment:

However, much of the allocations from the recent AGPs will be routed through Aragon organizations, including some organizations that will hold over a million dollars.

I think this would only be an issue if we were telling people that it's completely safe and that they should be comfortable putting all their funds in Aragon even while we have not done so. What we are doing is saying that we take security seriously, we are very cautious, and we are and will continue to gradually increase the amount of reliance we put on the software, and we advise everyone else to do the same.


#4

:raised_hands: Very good point – I like the way you frame it here.

I guess back to the original topic at hand, and not my pondering – I am curious if there are any bug bounty plans for the next few months? Is AGP the proper process to activate bug bounty programs?

I personally feel it would be good to really campaign people to hack a DAO. It’s one thing to say we have a DAO and there’s money in it… but I think it’s another to make posts on social media, or reach out to security experts to try to go after the money and just steal it if they can.

I also don’t know if there are more vulnerable vectors (e.g. when a Finance transfer vote is being executed vs. the money just sitting in a vault?). @maurelian