Thanks for the questions!
As of right now, there is $100k coverage, but no $100k to take from (in the form of BPRO)? That is, until the DAO votes through a fund…? I see you mention a cap, but the 50k BPRO seems missing from the page, where $100k USD is the working figure.
From our understanding, the payouts are being sourced from the dev funds for now.
With regards to the 50k BPRO, it’s stated above the reward table:
"Payouts are handled by the BProtocol team directly and are denominated in USD. Payouts are done in USDC or DAI for payouts up to USD 10 000 and BPRO/stablecoin mix (90%/10%) for all other critical payouts, capped by up to 50 000 BPRO."
What is the process of disclosure? I skimmed the “How it works”, but I’m left wondering about some things. From my understanding disclosure is done indirectly to B.Protocol. That is, the report is to Immunefi, and then they do a “check”, before potentially escalating to B.Protocol. Is this correct?
The bug report is first disclosed to us, and we apply light filtering to see if the report is legitimate. Sometimes we get some people submitting junk reports, and we don’t want our clients wasting their time on them, so we just discard them and deal with the reporters ourselves. If it looks like something legitimate, we escalate them right away to B.Protocol.
So yes, you got it right.
Who has control of the funds dedicated to the security bug bounty?
The B.Protocol team. There are no deposits required to Immunefi.
How are the payouts made? I’m guessing either the project or Immunefi categorizes the threat level, and then the funds are transferred from the fund owner to the white hat’s chosen address?
The bug reporter categorizes the threat level, and then during the light filtering portion, we refer to the Immunefi Vulnerability Severity Classification System, which is mentioned in the B.Protocol bug bounty program as well, to reclassify as needed. If the B.Protocol team finds that the impact actually could’ve been lower or higher, it’s recategorized.
The payment to the bug bounty hunter is then made by the B.Protocol team directly. In the future, once this moves to a DAO, the DAO could pay the bug bounty hunter directly.