Bug Bounty Platform - Cardano Community-Led Security

[GENERAL] Name and surname of main applicant

Peter Hucik

[GENERAL] Are you delivering this project as an individual or as an entity (whether formally incorporated or not)

Entity (Incorporated)

[GENERAL] Co proposers and Additional applicants

Vacuumlabs developers, Vacuumlabs auditors

[GENERAL] Please specify how many months you expect your project to last (from 2-12 months)

4

[GENERAL] Please indicate if your proposal has been auto-translated into English from another language.

No

[GENERAL] Summarize your solution to the problem (200-character limit including spaces)

A community-based bug bounty platform rewarding ADA for identifying smart contract vulnerabilities.

[GENERAL] Does your project have any dependencies on other organizations, technical or otherwise?

No

[GENERAL] If YES, please describe what the dependency is and why you believe it is essential for your project’s delivery. If NO, please write “No dependencies.”

No dependencies.

[GENERAL] Will your project’s output/s be fully open source?

Yes

[GENERAL] Please provide here more information on the open source status of your project outputs

All the outputs, including the design document and the proofs of concept will be open-sourced on Github with a GPL-3.0 license.

[SOLUTION] Please describe your proposed solution.

Our solution is a community-driven Bug Bounty platform on the Cardano Blockchain. Recognizing the importance of security in blockchain projects, we aim to create an ecosystem where developers can submit their projects for auditing. Users will be incentivized through ADA rewards to find and report vulnerabilities. In this way we aim to strengthen project security and increase collaboration within the ecosystem.

We intend to engage both experienced auditors and enthusiastic community members, offering a unique blend of expertise and fresh perspectives. By ensuring robust security measures, we contribute significantly to the Cardano ecosystem's overall integrity and reliability. Our solution is unique because it combines community engagement with professional auditing, benefiting developers, auditors, and ultimately, the Cardano network.

The first version of our website will be a PoC and to fit within the budget we plan to deliver it without a smart contract functionality. In the next phases of the project, we aim to add a smart contract described below.

Smart Contract Functionality:

• Submission of Audit Requests:
• Developers can submit their code repositories to the platform along with a specified amount of ADA tokens to be held in escrow by the smart contract.
• The submission would include details such as the repository URL, contact information, scope of the audit, and the bounty amount.
• Bounty Allocation and Locking Funds:
• The smart contract locks the submitted ADA tokens as a bounty for the duration of the audit period.
• Conditions for bounty distribution are predefined, such as types of vulnerabilities or issues that qualify for a reward.
• Verification and Claim Process:
• Auditors or community members who find vulnerabilities submit proof, such as a detailed report or code patch.
• The smart contract will have a function to allow the admin team to review submissions and verify their validity.
• Reward Distribution:
• Upon admin approval, the smart contract automatically distributes the bounty to the finders of the vulnerabilities based on predetermined rules.
• The distribution could be a flat fee per bug or a percentage based on the severity of the issue.
• Dispute Resolution:
• In case of disputes regarding the validity of a bug or the reward amount, the smart contract can hold the funds until the dispute is resolved through a predefined governance process.

[IMPACT] Please define the positive impact your project will have on the wider Cardano community.

Our project will significantly enhance the security and reliability of the Cardano ecosystem. By incentivizing bug discovery and reporting, we encourage a proactive approach to identifying vulnerabilities. This not only improves individual projects but also elevates the overall trust in the Cardano network.

We plan to measure impact quantitatively by tracking the number of vulnerabilities reported and resolved, and qualitatively through community feedback. Success will be shared via regular updates and reports, detailing the vulnerabilities found and fixed. This transparency will promote a culture of security and trust, benefiting the entire Cardano community.

This proposal benefits wide array of groups within the community:

• Developers: will have a way to demonstrate their knowledge and increase their income streams. Also, seeing previous vulnerabilities increases knowledge sharing, helps the community to learn about smart contract anti-patterns that should be avoided.
• Users: more trust in protocols that participated in bug bounty.
• Projects: ability to further increase security and trustworthiness.
• ADA holders: each new utility is good for ADA

[CAPABILITY & FEASIBILITY] What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?

As seasoned developers and auditors of smart contracts on Cardano, we possess extensive experience with audits and design reviews conducted in Plutus, Plutarch, and Aiken languages. We have already identified various vulnerabilities, viewable at https://github.com/vacuumlabs/audits. Additionally, we are launching a series of blogs on common Cardano vulnerabilities, accessible at https://medium.com/@vacuumlabs_auditing.

Drawing from our expertise and experience, we are confident in our ability to create a website that will be well designed for both sides: the projects in need of audit and the community of auditors and security experts.

[Project Milestones] What are the key milestones you need to achieve in order to complete your project successfully?

Conceptualization and Design of the Proof of Concept (PoC) Platform.

Development and Backend Setup for the PoC Platform without Smart Contract Integration.

User Interface Development and Testing.

Launch of the PoC Platform and Initial User Engagement. Video overview of the entire platform.

Collection of Feedback and Preparation for Future Smart Contract Integration.

[RESOURCES] Who is in the project team and what are their roles?

Project management:

https://www.linkedin.com/in/peterhucik/

Auditing know-how and exploit severity decisions, smart contract design:

https://www.linkedin.com/in/sladecekmichal/

https://www.linkedin.com/in/michal-porubsky/

FE development:

https://www.linkedin.com/in/sebastian-jakabcin-6a28b1220/

BE development:

https://www.linkedin.com/in/igortot/

• Other available developers based on the needs of the project 

[BUDGET & COSTS] Please provide a cost breakdown of the proposed work and resources.

Development Costs: 45,000 ADA

User Interface Design and Enhanced Testing: 20,000 ADA.

Marketing and Community Engagement: 10,000 ADA.

Project Management and Reporting: 10,000 ADA.

Contingency and Miscellaneous: 5,000 ADA.

Total: 90,000 ADA.

[VALUE FOR MONEY] How does the cost of the project represent value for money for the Cardano ecosystem?

The budget is meticulously crafted to offer maximum value for the Cardano ecosystem. Developer and auditor costs are based on market rates. Investment in community engagement and marketing ensures widespread adoption and contribution. Efficient project management and regular reporting demonstrate our commitment to transparency and accountability. Each ADA spent aims to fortify Cardano's security infrastructure, contributing to the network's long-term sustainability and trustworthiness.

By preventing high-severity bugs and ensuring the reliability of smart contracts, the platform will potentially save significant funds that would otherwise be lost to vulnerabilities and exploits, thereby offering high value for the money invested. This will also indirectly boost user confidence and investment in the Cardano ecosystem.

[IMPORTANT NOTE] The Applicant agrees to Fund Rules and also that data in the submission form and other data provided by the project team during the course of the project will be publicly available.

I Accept