Security bounty program

Since we released the GIVeconomy, reports have been coming in regularly from security researchers informing us of vulnerabilities they have found.

Why have a bounty program?

Security researchers should be able to easily find the info they need to responsibly disclose a vulnerability to the security team. Next they should have a secure way to disclose directly to the security team (PGP encrypted email). Finally they should be able to expect a potential reward valued at the severity of the discovered vulnerability.

How do we go about this?

1 - Decide on bounty value for different scenarios
2 - Create email and PGP key (done)
3 - Write up the info
4 - Put up the info on https://giveth.io/support as well as the Giveth docs


We should definitely use the bounty payouts from the nrGIV DAO treasury - this will make it a bit less public and allow the core team to quickly pass bounty funding proposals


The SecOps team decided to award @aparecekarl the 400 DAI equivalent in GIV tokens. We had no GIV in the nrGIV DAO, so I funded it from my private account for this first payout - maybe we can allocate some funds specifically for this.


Thank you to contributor brodhisattva for compiling a draft for the bounty program; please visit Notion to access it:
