Upgrading the Bug Bounty program - potential AGP

I think it may be good to think more about the bug bounty program, and increasing the Critical Reward:


First, it looks like the program is expired…

Second, I think we should look into maybe $100-150k levels for Critical? Or like putting 150k in a DAO and promoting prominently for people to hack it…?

Would love to hear thoughts!

I want to feel more secure using Aragon, and I hope higher tier programs like this can help speed up the process of billions secured with Aragon.

Not that… size matters, but I think once Aragon gets to that level, more and more people will trust it, like many of us do with the Gnosis multisig (unrelated to the dxDAO, but relevant), and be encouraged to form DAOs.

(EDIT: I removed the link for the dxDAO program, I thought it was 150k for a single bounty)


And I just wanted to add…

I feel like until the Aragon Network treasury is fully moved to an Aragon DAO is only when the ecosystem may trust to fully use Aragon for their operations (especially for multi-million dollar treasuries). I know that some people may be brave charting forward with this now regardless though.

I know right now it’s still in beta, and there are disclaimers of sorts… but I’m just wondering if there are any timelines or how many more other audits until the skin in the game can really be there for everyone else to trust the tech too?

I know nobody wants Aragon to die because of losing all of the money in a hack, but at the same time, we need to also be aware that other people’s lives and businesses are at stake too.

So it begs the question: should Aragon even be on Mainnet until the Aragon Network’s funds are all moved to Aragon?

Is it ethical to be even be promoting, suggesting, or helping organizations be on-boarded as Mainnet DAOs without the Aragon treasury fully in Aragon?

I’m just playing the devil’s advocate here: I don’t know the right answer. Trying to spark discussion.


I think adjusting bug bounty levels depending on the total value secured by the framework could be interesting. As more people start relying on the platform the bug bounty level increases (but also the likelihood of a critical bug should theoretically dimmish over time).

It seems prudent to be cautious and make incremental changes. Aragon the project should absolutely be blazing the trail here in terms of putting significant value in these contracts (and we are!). The total amount being secured is fairly low at the moment:

However, much of the allocations from the recent AGPs will be routed through Aragon organizations, including some organizations that will hold over a million dollars.

I think this would only be an issue if we were telling people that its completely safe and that they should be comfortable putting all their funds in Aragon even while we have not done so. What we are doing is saying that we take security seriously, we are very cautious, and we are and will continue to gradually increase the amount of reliance we put on the software and we advise everyone else to do the same.


:raised_hands: Very good point – I like the way you frame it here.

I guess back to the original topic at hand, and not my pondering – I am curious if there are any bug bounty plans for the next few months? Is AGP the proper process to activate bug bounty programs?

I personally feel it would be good to really campaign people to hack a DAO. It’s one thing to say we have a DAO and there’s money in it… but I think it’s another to make posts on social media, or reach out to security experts to try to go after the money and just steal it if they can.

I also don’t know if there are more vulnerable vectors (e.g. when a Finance transfer vote is being executed vs. the money just sitting in a vault?). @maurelian


Yes, this is something we should fix. It is definitely still ongoing, and we are looking into if it may make sense to increase the payout values given our current experience.

Ideally these would be paid through the AA, from an Aragon org. Putting aside that much money in an organization alone will create a bounty honeypot.

This is something we’ve shied away from for now, as we haven’t quite set everything up for this yet. We had a few discussions of how to do this.

The difficult part in the honeypot, is that some potential vulnerabilities or bugs will only be exploitable or visible in very specific permission setups and we’re obviously not going to make an organization with all sorts of open doors for the honeypot (maybe a smaller one?).

1 Like

Bumping this as it’s incredibly relevant. Aragon is now shipping more apps with Autark and Aragon Black. These apps are amazing and could unlock tons of value, but only if people use them…

People are wary of DAOs just because of “the DAO” hack. If we want people to actually use Aragon we need to go above and beyond to prove that the Aragon platform and all major releases of Aragon apps are secure. This is easier said than done.

  • Security audits are not perfect. Even with an audit all you know is what was reported. They might have missed something.
  • Security audits are highly technical and the process is opaque to people who are not involved in the Ethereum security commuinty.
  • Security audits are expensive. Having strategic and financial help to navigate that negotiation is extremely important!

Aragon is trying to attract talent and users. Having the worlds easiest to build on and most secure platform is a HUGE selling point. If developers see that they will have help shipping professional and production ready applications they are more likely to choose to build on Aragon vs other platforms. If users see that all major Aragon apps are secure, they’re more likely to use them. To do this we need a multi layered approach to security. This can include audits for all major projects (Nest and Flock) as well as a comprehensive Bug Bounty program that covers all major apps. This is a small price to pay to establish credibility and trust in the Aragon platform and developer ecosystem.