Bug Bounty
There is an initial audit and a possible second audit by an independent auditing team (see #224). However, there should be a bug bounty program to improve and ensure the security of mev-boost and PBS. Some considerations are:
What platforms should the bug bounty be on?
Some candidates include:
Immunefi (although this platform is more smart contract oriented)
How much should the bug bounty be?
Immunefi has bounties from a few thousand upwards to $10M
While mev-boost is an important piece of infrastructure, the potential impact and loss of funds is not as great and/or immediate as in some smart contracts. This should be considered in determining the bounty size.
We can quantify validator rewards and make a reward proportional to the likelihood and impact of the issue
How should it be financed?
It seems reasonable that Flashbots will bootstrap the initial bug bounty
What amount of funding would be needed initially and reserved?
However, it would be ideal and encouraged that participants in the space (node operators, builders, searchers, EF, etc.) contribute to the security budget and potentially support research, client teams and decentralization efforts to improve the ecosystem by contributing to something like Gitcoin Grants
We should register in disclose.io, anyway.
Joining the Ethereum Foundation sounds amazing. This makes sense if the scope is the entire proposer/builder separation design and prototypes. However, it's not very clear if this makes sense to the Ethereum Foundation, and it's not clear how we participate here. Like, how do we collect Flashbots' funds and the funds from other interested organizations?