- A reward given by a projects team or developers to anyone who finds bugs in their systems. Projects who do not have a bug bounty program are likely to have more risk.
- From Consensys Diligence (2-3-2020):
"For talented hackers, there are strong financial incentives to attack DeFi protocols. Having a bounty program in place creates a financial incentive to report vulnerabilities rather than exploit them. Reporting a vulnerability through a bounty program is also good for a hacker’s reputation, and the added benefit of not being illegal.
Any company running a DeFi protocol, with people’s money on the line, should have a bounty program. Here are some good questions you can ask about their program and disclosure process:
- Is the source code of your contracts publicly available?
- Is it easy to find the security contact information on your website and git repos?
- Do you have a bounty program on your contracts?
- Which contracts are in scope?
- What is the range of bounty payments?
- Have you ever made a bounty payment?
- Have you ever denied payment on a bug report?
- Is it easy to find details of the bounty program on your website and git repos?
Ideally this information would all be found at “website.com/security” and make use of GitHub’s SECURITY.md feature."