JIP-5: Bug Bounty Program

Category: Treasury

Abstract: This proposal, written in collaboration with the Jito Foundation, requests 1 million JTO funds from the Jito DAO to manage and pay out potential bug rewards for a Bug Bounty Program administered by the security firm Asymmetric Research (“AR”). The Foundation would manage these funds, which are expected to cover at least 12-24 months of bounties. Any unspent funds at the conclusion of the program will be returned to the DAO. This program will cover both current and future Jito protocols.

Motivation: The program aims to enhance the security of the Jito Network by incentivizing the discovery of vulnerabilities through structured and strategic efforts. The security of the Jito Network is paramount to its success and user trust. Bug bounties have historically been an ideal way for DeFi to incentivize the security community to harden protocols and give an avenue for possible blackhats to receive rewards without executing exploits. Successful examples include:

  1. Wormhole Bug Bounty Program:
  • Overview: Wormhole announced a bug bounty program with a maximum payout of $10 million. This program aims to identify critical vulnerabilities in its bridge protocol to prevent future incidents.
  • Impact: This bounty program is one of the largest in the crypto space and has helped raise awareness of the importance of security in cross-chain protocols (Immunefi).
  2. Marinade Finance Bug Bounty Program:
  • Overview: Marinade Finance, a non-custodial liquid staking protocol on Solana, has a bug bounty program with rewards up to $250,000 for critical vulnerabilities. This program focuses on preventing the loss of user funds, governance funds, and unclaimed yield through various smart contract vulnerabilities.
  • Impact: The program has been crucial in securing Marinade’s smart contracts, ensuring the safety and integrity of staked assets (Immunefi).
  3. Solana Foundation Bug Bounty Program:
  • Overview: The Solana Foundation runs an extensive bug bounty program through platforms like HackenProof, offering rewards ranging from $5,000 to $2,000,000 for critical vulnerabilities.
  • Impact: This program covers a wide range of potential security issues across smart contracts, web APIs, and other areas, helping to secure the Solana ecosystem by attracting a large pool of skilled security researchers (HackenProof).

This initiative will improve the network’s security posture and demonstrate the DAO’s commitment to maintaining a secure environment for users. The bug bounty program will leverage AR’s expertise to attract top-tier security researchers and ensure thorough testing and reporting of potential security issues.

Key Terms:

  • Bug Bounty Program: A program that offers rewards for identifying and reporting bugs in software.
  • Asymmetric Research (“AR”): The security firm managing the Bug Bounty Program.

Specification: This proposal will send 1 million JTO to a 3-of-5 multisig controlled by three Jito Foundation members and two AR members to cover the potential payouts related to the Bug Bounty Program.

AR, a leading security firm with extensive experience conducting such programs, will manage the Bug Bounty Program. The program will follow preset rules and guidelines and cover various categories of vulnerabilities, with rewards based on the severity of the identified issues.

In brief, the Bug Bounty Program, launching on August 1, 2024, requires participants to complete KYC and adhere to strict eligibility criteria. Rewards for critical vulnerabilities can reach up to $250,000, with payouts in JTO on Solana, based on USD value. Known issues must be substantiated with verifiable evidence, and responsible disclosure guidelines are strictly enforced. Certain impacts, like attacks requiring leaked credentials or centralization risks, are out of scope, and prohibited activities include phishing and denial of service attacks.

If a bug deserves a payout under the Rules, the Jito Foundation will manage payment according to the terms laid out in the Rules.

A full breakdown of the program’s rules and terms will be provided to the community following the launch of the program.

Program Structure:

  1. KYC Requirements: Participants must complete KYC to receive payouts. Required information includes full name, date of birth, proof of address, and a copy of a government-issued ID.
  2. Eligibility Criteria: Restrictions on who can participate, ensuring fairness and security. Exclusions include individuals on OFAC’s SDN list, past or present official contributors, and security auditors who reviewed the project.
  3. Reward Calculation: The reward is calculated based on the severity of the vulnerabilities. Rewards for critical issues can go up to $250,000.
  4. Payouts: Rewards will be distributed in JTO on Solana, denominated in USD. The calculation is based on the 7-day TWAP of JTO at the time of settlement.

Benefits/Risks:

  • Benefits: Enhanced network security, increased user trust, proactive vulnerability management, and attracting top security talent to identify potential threats.
  • Risks: Potential overspending if numerous high-severity bugs are found; however, this risk is mitigated by capping rewards and having a structured payout system.

Outcomes:

  • Potential identification and mitigation of critical vulnerabilities.
  • Strengthened security posture of the Jito Network.
  • Increased confidence among users and stakeholders in the network’s security measures.
  • Documentation and analysis of vulnerabilities to improve future security measures and protocols.

Cost Summary: The total upper bound cost of the program is 1 million JTO, allocated for potential bug bounty payouts. The funds will be used for the actual bounty payouts to participants and administration costs. The DAO will be informed of any payouts as they occur, and any unspent funds will be returned to the DAO after 24 months.

Performance Milestone:

  • Yearly reviews: AR will regularly evaluate the program’s effectiveness and make necessary adjustments based on community feedback and empirical data. Metrics will include the number of vulnerabilities reported, severity levels, and the speed of resolution.
7 Likes

This proposal has my support.

With Jito’s increasingly growing importance, it is critical that security researchers are properly incentivized to bring forth any vulnerabilities found in any current or future protocols.

The proposal lays out clear guidelines for the bounty redemption process, and it is helpful that an upper-bound is established in both USD and JTO.

Going forward, it may make sense as part of a larger treasury diversification strategy to pay out bounties in USDC or another stablecoin, as the news of a material protocol vulnerability would likely impact JTO markets, thus having to pay out a higher amount in the protocol’s native currency.

The proposal is well written and clear with its intention, leaving no other open questions from my end. Thank you to Asymmetric Research for bringing this forward!

6 Likes

This was a well written proposal that we support. A strong bug bounty program is crucial to the success of any project. We are not too familiar with Asymmetric Research’s track record in regard to bug bounty programs, so we wanted to know two things:

  1. Have you guys hosted a bug bounty program before, if so, for which project(s)? How did those go and are they still being maintained?

  2. Based on the examples you’ve given, what are some strategies they’ve implemented in their programs that you wish to implement here within Jito (if any), and how would you approach things differently in this ecosystem?

Additionally, we think the community should receive more transparency and choice regarding who sits on the multisig mentioned, but we do understand that we are in the earlier stages of this proposal, and these details can be hashed out later.

Looking forward to seeing this come to life.

5 Likes

Thank you, Chainflow, for responding to this proposal.

  1. The bug bounty program will be hosted on Immunefi, the leading platform for web3 bug bounties. AR has a long history of operating and contributing to bug bounty programs. We currently operate some of the most significant bug bounty programs in the Solana ecosystem (including Wormhole, Pyth, and Firedancer). These programs are all in excellent health and have paid out some of the largest payouts for researchers in history. Jonathan Claudius, our CEO, operated the Mozilla bug bounty program (one of the longest-running bug bounty programs) from 2015 to 2022.

  2. In addition to our experience in operating bug bounty programs for our clients, our team is also successfully participating in bug bounties as security researchers (#1 on Immunefi). This gives us a unique perspective on what makes a bug bounty program successful. We treat researchers with the same level of respect we would want to be treated when submitting a vulnerability to any other program and with empathy and respect for individuals spending their precious time helping make projects that we support safer. As Operators, our priority is to ensure the safe operation of the platform and its users. Second, we provide a researcher experience that feels more like a peer relationship in helping to understand the report and evaluate its impact. Lastly, we seek to build the confidence of both the project and its community through the program’s results.

3 Likes

This is a very reasonable proposal; however, we believe that there should be an extenuating circumstance added to this as well. Jito is a billion dollar protocol for the Solana ecosystem, and while it’s still in its early stages, we believe that extremely critical flaws would pose a greater threat to the entire ecosystem, and thus per the discretion of the oversight multisig, it may be within the scope to increase the reward from $250,000. While we are not sure ourselves what the optimal amount for a critical security risk would be, we would just like to be cautious about an individual finding a critical flaw and finding the payout from exploitation higher than the payout from moral upstanding.

That said, we would like to see a detailed breakdown of fund usage and how much will be allocated to different tiers of the bugs. Furthermore, if there could be specification on the decision process for choosing parties responsible for the multisig we would be appreciative. These would be good practices to set some precedence for the future of the DAO.

We would also like to echo the concerns outlined by others. It would likely be best to denominate the bounty rewards in USDC rather than JTO to prevent security being linked to market downturns.

4 Likes

100% support a bug bounty, but feel that it is important to draw attention to this detail from the proposal:

The funds will be used for the actual bounty payouts to participants and administration costs.

To support this proposal there needs to be some clear up-front boundary on what proportion of funds are to be used for “administration costs”, what these entail, and how they are to be calculated (presumably this is to compensate Asymmetric Research for operating the programme).

I’m not against compensation to the programme operator; it aligns incentives and matters. However, a proposal to access DAO funds must have guard rails on the usage of those funds, lest in 12 months’ time we find 70% of funds eaten up by admin costs and this is passed off as “well the proposal didn’t specify”. This is not just true for this proposal but something that matters in every proposal to access DAO funds.

Separately I agree with BlockworksResearch a higher bounty tier may be warranted in exceptional circumstances such as loss of funds.

2 Likes

Thank you, @BlockworksResearch and @laine, for your responses to this proposal; here are a few more points that we hope address any open questions. We also discussed this with the Jito Foundation today, and we’re open to the idea of a Twitter Spaces if there’s interest in further discussion around the proposal.

On the costs of bounty operation, there are two main buckets:

  • Platform Costs: Asymmetric and the Jito Foundation have a pre-existing agreement relating to auditing and security, and the administration costs for this bug bounty program are part of that. The platform costs mentioned in the proposal relate to the costs paid to the platform hosting the bug bounty program, where they would take a small percentage of any payout. The DAO will not be paying fees to Asymmetric Research in any way.

  • Program Management and Triage Costs: These would be used to define and manage the bounty terms and triage reports as they come in. The Jito DAO will not bear this cost; the Jito Foundation will cover these costs.

The proposal outlines a coordination required between the relevant stakeholders within this proposal, with the multi-sig selection process reflecting KYC’d members from both Jito Foundation and Asymmetric Research. The idea here is to facilitate the bounty payout and platform management with oversight between the two organizations. Asymmetric Research is happy to participate in the multi-sig if the Jito DAO approves; however, we don’t see that as a required element of this proposal.

The current ideation around bug tier severity is to have standardized tiers such as the following. Regarding the specific bug classes, we (Asymmetric Research and Jito Foundation) would work directly with the bug bounty platform team to ensure that the program has an impact table that ties specific impact scenarios to specific severity levels:

  • Critical: Up to $250,000
  • High: Up to $100K
  • Medium: Up to $25K
  • Low: Up to $10K

On payment denominations, the denomination of rewards would be fixed in USD but paid in Jito, based on a 7-day TWAP at settlement.

4 Likes

Assuming confirmation from the Jito Foundation that the service provider has been selected to oversee the Bug Bounty program, 1M JTO is a reasonable budget to fund two years of Bug Bounties for the Jito Protocol. A couple of thoughts:

  1. Term Length

Given the relatively small scope, the proposal might consider requesting funds on a rolling basis, with a percentage reserved for the first 6 months and topped off as needed. That said, the proposed 3-5 multisig setup does confirm the Foundation has sufficient oversight of the program.

  2. Potential Conflict of Interest

Asymmetric Research’s dual role as program operator and participant raises potential conflict of interest concerns. This could lead to bias in determining bug severity and payouts for their own submissions. While security remains the primary focus, this issue warrants consideration.

  3. Fee Transparency

Disclosure of all relevant fees would be a good best practice here for DAO transparency.

Overall, we support this initiative.

1 Like

Thanks for the feedback. Can we have some clarity on what the platform costs entail? Ideally the proposal should include an approved range for those costs, in absolute or percentage terms of the total grant.

Thank you, @gauntlet.xyz and @laine, for considering this proposal. Additionally, thank you to the broader delegate community for your attention and questions during today’s delegate call #5.

The following is an attempt to address any remaining open questions:

  • Term Length: The proposal offers a fixed window of time to decide on term length as an initial step and instantiation of the capability. However, we recommend that the Jito DAO consider the ongoing operation of a bug bounty program as an essential element of the Jito security program.

  • Potential Conflict of Interest: Regarding the conflict of interest point, we operate some of the most extensive Web3 programs and are the #1 researchers on the Immunefi platform. In the context of this program, our team would be ineligible to participate or claim bounty rewards in the Jito Bug Bounty Program because we (1) are a client of Jito and (2) would be operating the program. As an additional layer, the program requires completing KYC, so the DAO will have a strong understanding of who is claiming rewards and help quell any concerns of foul play.

  • Fee Transparency: Regarding our incentives, we have an ongoing security relationship with Jito Foundation, which includes a range of services, including audit and other security operations. We would receive no compensation from the DAO to operate the program, which is included in our existing agreement with the Jito Foundation. The fees to the platform provider (Immunefi) would be a fixed 10% of the rewards paid by the DAO. For example, if no rewards are paid out, the cost to the DAO would be zero; if there is a $50K reward, the platform cost to the DAO would be $5K.
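As an added worked example (not part of the proposal or any reply), the settlement rule the thread converges on: the USD reward is capped by severity tier, converted to JTO at a 7-day TWAP at settlement, and the 10% platform fee is paid on top. The price series, timestamps and sample format are constructed assumptions; the second series models the concern raised above, a JTO price drop just before settlement, and shows how much the TWAP dampens it compared with a spot conversion.

```python
# Severity caps and platform fee as stated in the thread (USD, fee as a rate).
SEVERITY_CAPS_USD = {"critical": 250_000, "high": 100_000, "medium": 25_000, "low": 10_000}
PLATFORM_FEE_RATE = 0.10
DAY = 86_400


def twap(samples, window_seconds=7 * DAY):
    """Time-weighted average price over the trailing window ending at the last sample.

    samples: list of (unix_ts, price_usd), oldest first. Each price is treated as
    holding until the next sample; the last sample's timestamp is settlement time.
    """
    if len(samples) < 2:
        raise ValueError("need at least two price samples")
    end = samples[-1][0]
    start = end - window_seconds
    weighted = covered = 0.0
    for (t0, price), (t1, _) in zip(samples, samples[1:]):
        lo, hi = max(t0, start), min(t1, end)  # clip each interval to the window
        if hi > lo:
            weighted += price * (hi - lo)
            covered += hi - lo
    if covered <= 0:
        raise ValueError("no price coverage inside the TWAP window")
    return weighted / covered


def settle(severity, reward_usd, samples):
    """Return (jto_to_researcher, jto_platform_fee, twap_price_used).

    The USD amount is capped at the tier maximum, converted at the 7-day TWAP,
    and the 10% platform fee is computed on the reward actually paid.
    """
    usd = min(reward_usd, SEVERITY_CAPS_USD[severity.lower()])
    price = twap(samples)
    jto_reward = usd / price
    return jto_reward, jto_reward * PLATFORM_FEE_RATE, price


def daily_samples(prices, start_ts=1_700_000_000):
    """Constructed series: one sample per day, oldest first (assumed format)."""
    return [(start_ts + i * DAY, p) for i, p in enumerate(prices)]


STABLE = daily_samples([3.0] * 8)               # constructed: flat $3.00 for 8 days
DROP = daily_samples([3.0] * 6 + [1.5] * 2)     # constructed: price halves a day before settlement


def spot_jto(usd, samples):
    """JTO owed if the DAO converted at spot instead of TWAP (for comparison)."""
    return usd / samples[-1][1]
```

With the DROP series, `settle("critical", 250_000, DROP)` owes about 89.7K JTO versus 83.3K JTO on the stable series, while a spot conversion would owe about 166.7K JTO, which is the exposure the USDC-denomination comments are pointing at.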