Running Decentralized and Community-Oriented Bug Bounties
Bug bounties are not a new thing, but web 3 has challenged security trends, expanding projects' needs and creating a deep desire for decentralization and web 3 ideals. The DAO economy has created a world full of possibilities, giving birth to community-owned bug bounties.
Community-owned bug bounties live by web 3 ideals, giving full ownership to communities and allowing them to create and vote on security proposals that will improve the protocols they are part of. Hats Finance gets rid of the middleman by creating decentralized vulnerability disclosure mechanisms, in which core teams are the first to find out about a bug and can pay white hat hackers on chain.
As a DeFi protocol, we understand first-hand the pain points of developers and builders in web 3, especially the dangers of exploits. Our goal is to make the life of builders easier, allowing them to focus on what they are best at and giving them peace of mind. We believe that community-owned bug bounties can be a step in the right direction by changing web 3 security paradigms, giving access to communities, and improving security as a whole.
A few examples of how Hats removes the middleman from bug bounty processes
Flexible and decentralized bounty sizes
When creating a yield farming vault, Hats facilitates incentive mechanisms that can bootstrap bounty sizes and attract users to share responsibility for the code of their favorite projects. Deposits are open to anyone, including the team, treasuries, and users. Bounty sizes can grow and shrink based on the project's success and the use of its native token. Project advocates can choose to grow the bounty vault before major releases to avoid costly exploits.
Direct communication between hacker and committee
Vulnerability descriptions and severity assignments are done by the projects themselves, with recommendations from Hats. When a new vault is created, a project description file is attached to it on IPFS; that file includes the committee's PGP public key, and each vulnerability description is encrypted on the client side with that key before it is submitted. Hats thereby creates a direct channel and makes the disclosed vulnerabilities visible only to the members of that particular committee.
On-chain vulnerability disclosure content proof and timestamping
A hash of the disclosed data is submitted on chain to enable a future decentralized dispute mechanism between the hacker/auditor and the committee. Another feature created by this mechanism is a spam filter: committees only see vulnerability descriptions whose hash is present on chain. The submitter has to pay a transaction fee to submit a bug to the committee, which discourages spamming. An additional fee can be attached to the claim process to cover cases where a low transaction fee alone fails to prevent spam.
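The commit-and-verify flow described above, as an added illustration that is not Hats Finance code: the submitter hashes the already encrypted report and commits the hash on chain with a fee, the committee's inbox only shows blobs whose hash is committed, and a later dispute check proves that a given blob matches the commitment and when it was made. The hash function (SHA-256), the in-memory "chain", the fee rule and all field names are assumptions; the Hats contract is not modelled.

```python
# Added illustration (not Hats Finance code): a minimal model of on-chain
# hash commitment, the spam filter and the dispute content proof.
# SHA-256, the toy registry and the fee rule are assumptions.
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field


def commit_hash(encrypted_report: bytes) -> str:
    """Digest of the (already client-side encrypted) disclosure blob.
    SHA-256 is an assumption; the page does not name the hash function."""
    return hashlib.sha256(encrypted_report).hexdigest()


@dataclass
class Commitment:
    submitter: str
    block_number: int
    fee_paid: int


@dataclass
class Chain:
    """Toy stand-in for the on-chain registry; not the real contract."""
    min_fee: int = 1
    height: int = 0
    commitments: dict = field(default_factory=dict)

    def submit(self, submitter: str, digest: str, fee: int) -> bool:
        # Paying the transaction fee is what discourages spam; a digest
        # can only be committed once, so the first submitter keeps priority.
        if fee < self.min_fee or digest in self.commitments:
            return False
        self.height += 1  # one block per commitment keeps the model simple
        self.commitments[digest] = Commitment(submitter, self.height, fee)
        return True


def committee_inbox(chain: Chain, received: list[bytes]) -> list[bytes]:
    """Spam filter: the committee only decrypts blobs whose hash is on chain."""
    return [blob for blob in received if commit_hash(blob) in chain.commitments]


def dispute_check(chain: Chain, claimed_submitter: str, blob: bytes) -> dict:
    """Content proof for a later dispute: does this exact blob match a
    commitment, who made it, and at which block height was it recorded?"""
    c = chain.commitments.get(commit_hash(blob))
    if c is None:
        return {"valid": False, "reason": "no on-chain commitment for this content"}
    if c.submitter != claimed_submitter:
        return {"valid": False, "reason": "commitment made by a different address"}
    return {"valid": True, "block_number": c.block_number}


def demo() -> dict:
    chain = Chain(min_fee=1)
    # Constructed sample inputs; in practice these bytes are the PGP ciphertext.
    report = b"-----BEGIN PGP MESSAGE-----\n...constructed ciphertext...\n-----END PGP MESSAGE-----\n"
    junk = b"constructed spam blob with no commitment behind it"
    committed = chain.submit("0xHacker", commit_hash(report), fee=1)
    spam_rejected = not chain.submit("0xSpammer", commit_hash(junk), fee=0)
    visible = committee_inbox(chain, [junk, report])
    return {
        "committed": committed,
        "spam_rejected": spam_rejected,
        "visible_count": len(visible),
        "genuine": dispute_check(chain, "0xHacker", report),
        "tampered": dispute_check(chain, "0xHacker", report + b"x"),
        "wrong_claimant": dispute_check(chain, "0xImpostor", report),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because only the hash of the ciphertext goes on chain, nothing about the bug leaks publicly, yet any single-byte change to the blob fails the dispute check, and a second party cannot later claim the same disclosure.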
Client side PGP generation and storage tool
In order to further streamline the creation of PGP keys and their use (for reading vulnerabilities) by committee members, Hats has created a client-side PGP key vault. That way, committee members can use their PGP keys to encrypt and decrypt messages in a way that is as familiar to them as using MetaMask and other wallets.
The Hats team is working tirelessly to further reduce the middleman and better align the incentives of hackers when disclosing vulnerabilities. A new version is already in the making.
The steps to open a bug bounty on Hats.finance:
1. Generate PGP keys. Please follow this link: https://app.hats.finance/committee-tools and share the public key with us.
2. Choose the committee members and share their Twitter or GitHub.
3. Open a multisig (Mainnet) for the committee members and share the address.
4. Share a link to the deployed contracts that you would like to be covered by the bug bounty.
5. Test the vault on Rinkeby and send us a proof of ownership — the project contract deployer signs a message using https://etherscan.io/verifiedSignatures#.
6. Committee check-in (a function on the Hats contract).
7. Deposit.
We built committee tools to support the creation and management of vaults; the client-side user interface will first be shared with the project's core team. Later this year, it will be publicly available, so anyone can open a permissionless community-owned bug bounty for any protocol.
Contact us on Discord at Ofir | Hats.finance#8064 or Telegram @Hatsofir — and open a decentralized bug bounty within an hour.