
Add bug bounty section to readme #389

Merged
merged 4 commits into from
Nov 3, 2022
Conversation

@jtraglia (Collaborator) commented Oct 28, 2022

📝 Summary

During the roundtable at Bogota, someone mentioned that the bug bounty program wasn't on the README when it should have been. This PR moves that section from SECURITY to README. There should be more details about the bug bounty program in that security file though 🔒

Also, I think the details of this bug bounty program are pretty vague. What does a "shared pool of $50k" mean exactly? I understand that's the total allocation for the program, but what are the actual expected bounties? If someone finds a critical vulnerability, will they get all of that $50k? A table of maximum bounties would be nice, like:

[image]

⛱ Motivation and Context

More exposure for the bug bounty 👍


✅ I have run these commands

  • make lint
  • make test-race
  • go mod tidy

@jtraglia (Collaborator, Author) commented Oct 28, 2022

For example, something like:

| Severity | Maximum | Example |
|----------|---------|---------|
| Low | $200 USD | A bug that causes mev-boost to skip a bid. |
| Medium | $1,000 USD | From a builder message, can cause mev-boost to go offline. |
| High | $5,000 USD | From a builder message, can cause a connected validator to go offline. |
| Critical | $25,000 USD | From a builder message, can remotely access arbitrary files on the host. |

These maximums are the EF bounty program's maximums divided by 10. The examples are just the first thing that came to mind for each severity; you may want to come up with better ones.

With a $50k pool, that would support:

  • 250 lows
  • 50 mediums
  • 10 highs
  • 2 criticals

This seems pretty reasonable IMO. Should last a while.

@come-maiz (Contributor) previously approved these changes Nov 2, 2022 and left a comment:
Thanks @jtraglia.

@avalonche can you please add the levels to our bounty information? I like Justin's numbers as a way to get started, we can adjust them as we go. What about making a post in the forum with the bug bounty details and link to it in these repositories?

@jtraglia jtraglia dismissed stale reviews from come-maiz and ghost via d89f5de November 3, 2022 15:12
@metachris metachris merged commit 4405820 into flashbots:main Nov 3, 2022
@jtraglia jtraglia deleted the add-bug-bounty-to-readme branch November 3, 2022 18:57
screwyprof pushed a commit to screwyprof/mev-boost that referenced this pull request Feb 3, 2023
* Add bug bounty section to readme

* Add table to security doc

* Simplify blurb on readme