Melonport, a blockchain asset management protocol has put up a 250,000 Swiss franc bounty on bugs found on the Melon protocol. The bug bounty is a process designed to reward members of the public who help find and report security vulnerabilities in the Melon software.
The bounty, which has been converted into DAI, will also be paid out in DAI, covers every security breach or bug reported to the Melon Council by participants. Payment sizes will be determined by the degree of seriousness of bugs reported.
Bounty Program Specifics
In a blog post, Melonport Chief Technical Officer Jenna Zenk revealed that it will be employing the OWASP risk rating model to determine the value to be paid out to bug finders. OWASP grades risk based on impact and likelihood and this will be a determinant in the eventual reward size although the Melon Council has the final word.
The reward categories have been graded into three. Threats that fall under the “critical” category can win participants up to 10,000 DAI, threats under the “high” category will pay out up to 5000 DAI and those under the “low” category will pay out up to 500 DAI. Explaining what is looked at to classify a threat as “critical” Zenk said:
“[The threat] should include vulnerabilities resulting in the possibility of irreversibly locking up the assets, irreversibly destroying the fund or stealing the assets of the fund.”
Instructions for Participation
For reports to be considered for the bounty, participants are advised to send in a full written report to firstname.lastname@example.org. Reports should cover in detail, a description of the bug and how it attacks, what the bug attack effects and a possible solution or fix.
According to Zenk, to be eligible for the bounty payouts, threats being reported must be new ones, not ones that have previously been reported and must not be “an acknowledged part of the system.” Publicly disclosing the bug also disqualifies participants from the bounty rewards, which are also closed to anyone on the Melonport payroll.
This is not the first time Melonport will put up a bug bounty program to identify and get rid of bugs in its protocol. In February 2018, the Melon team put up 500 MLN tokens as a reward to anyone who could extract tokens from their newly launched Melon Fund. An additional 500 MLN tokens were then offered to persons who could find bugs or security vulnerabilities that were not extraction related.