Title: Update JBP-42 - JBX Bug Bounty
Author: Nicholas
Date: 2022-06-02
Thesis
Revise JBP-42 to direct the previously allocated funds (50 ETH) toward a V2-focused Immunefi bug bounty.
Abstract
https://snapshot.org/#/jbdao.eth/proposal/0xd75c8a544a050b1541b95a1350c314e32d8e5a43b126967699db3799c3b1a375
Motivation
The original proposal is outdated and should be updated to reflect recent protocol development. With the launch of V2, I propose that we execute the original proposal of funding a 50 ETH bug bounty through Immunefi, updated to focus exclusively on the V2 protocol (contracts). The program gives developers who discover bugs in the protocol a way to report them for a reward proportional to the bug's severity. Without such a program, a developer who finds a bug can only be sure to profit by exploiting it.
Risks
- Capital - Juicebox has already passed through 2 traditional audits. If no bugs remain, there is no need for a bug bounty and the allocated funds go unused.
- Insufficient size - A developer who finds a bug in V2 may be motivated to sit on it until a large project raises a massive amount of funds on V2, and then exploit it, rather than collect a portion of the meagre 50 ETH bounty proposed here. Hopefully we can expand the program in future governance proposals to mitigate this risk.
- Scope - A bug could be exploited in the frontend, and this proposal does not cover frontend bugs.
- Specificity - Implementation details, such as which address to send the ETH to, are left to @nicholas and @Mr. Goldstein. The proposal could fail or underperform because of this lack of specificity.
Specification
Finalize Immunefi bug bounty sponsorship with 50 ETH (<1% of the treasury).
Detailed next steps (from the Immunefi docs):
- Fill out Immunefi questionnaire (currently waiting to receive)
- Immunefi begins drafting up a bug bounty program based on answers to those questions
- After modifications are done, the process is handed over to Immunefi’s launch specialist
- The launch specialist works with JBDAO to figure out the launch time and bounty PR/marketing details