Bug Bounty Platfrom: move from concept to MVP

[GENERAL] Name and surname of main applicant

[GENERAL] Are you delivering this project as an individual or as an entity (whether formally incorporated or not)

[GENERAL] Please specify how many months you expect your project to last (from 2-12 months)

[GENERAL] Please indicate if your proposal has been auto-translated into English from another language

[GENERAL] Summarize your solution to the problem (200-character limit including spaces)

Our build of a concept is nearing completion and we want to fund the second phase of the Bug Bounty platform development. The plan is to include smart contracts to minimize required trust.

[GENERAL] Does your project have any dependencies on other organizations, technical or otherwise?

[GENERAL] If YES, please describe what the dependency is and why you believe it is essential for your project’s delivery. If NO, please write “No dependencies.”

No dependencies.

[GENERAL] Will your project’s output/s be fully open source?

[GENERAL] Please provide here more information on the open source status of your project outputs

All the outputs, including the design document and the proofs of concept will be open-sourced on Github with a GPL-3.0 license.

[SOLUTION] Please describe your proposed solution

Our solution is a community-driven Bug Bounty platform on the Cardano Blockchain. Recognizing the importance of security in blockchain projects, we aim to create an ecosystem where founders can submit their projects for auditing. Users called Bounty Hunters will be incentivized through ADA rewards to find and report vulnerabilities. In this way we aim to strengthen project security and increase collaboration within the ecosystem.

We intend to engage both experienced auditors and enthusiastic community members, offering a unique blend of expertise and fresh perspectives. The platform aims to improve Cardano ecosystem's overall integrity and reliability. Our solution is unique because it combines community engagement with professional auditing, benefiting developers, auditors, and ultimately, the Cardano network.

The PoC version of our website, funded in previous round, is nearly complete. Now in the MVP phase we want to make it more decentralized and trustless by adding a smart contract funtionality that ensures no funds will ever get lost or locked, and that every decision is transparently stored onchain. We will also add multiple new UX features that we added to our backlog during the discovery phase.

Smart Contract Functionality:

• Submission of Audit Requests:
• Developers can submit their code repositories to the platform along with a specified amount of ADA tokens to be held in escrow by the smart contract.
• The submission would include details such as the repository URL, contact information, scope of the audit, and the bounty amount.
• Bounty Allocation and Locking Funds:
• The smart contract locks the submitted ADA tokens as a bounty for the duration of the audit period.
• Conditions for bounty distribution are predefined, such as types of vulnerabilities or issues that qualify for a reward.
• Verification and Claim Process:
• Auditors or community members who find vulnerabilities submit proof, such as a detailed report or code patch.
• The smart contract will have a function to allow the admin team to review submissions and verify their validity and severity
• Reward Distribution:
• Upon multisig approval, the smart contract automatically distributes the bounty to the finders of the vulnerabilities based on predetermined rules.
• The distribution could be a flat fee per bug or a percentage based on the severity of the issue.
• Dispute Resolution:
• In case of disputes regarding the validity of a bug or the reward amount, the smart contract can hold the funds until the dispute is resolved through a predefined governance process.

[IMPACT] Please define the positive impact your project will have on the wider Cardano community

Our project will significantly enhance the security and reliability of the Cardano ecosystem. By incentivizing bug discovery and reporting, we encourage a proactive approach to identifying vulnerabilities. This not only improves individual projects but also elevates the overall trust in the Cardano network.

We plan to measure impact quantitatively by tracking the number of vulnerabilities reported and resolved, and qualitatively through community feedback. Success will be shared via regular updates and reports, detailing the vulnerabilities found and fixed. This transparency will promote a culture of security and trust, benefiting the entire Cardano community.

This proposal benefits wide array of groups within the community:

• Developers: will have a way to demonstrate their knowledge and increase their income streams. Also, seeing previous vulnerabilities increases knowledge sharing, helps the community to learn about smart contract anti-patterns that should be avoided.
• Users: more trust in protocols that participated in bug bounty.
• Projects: ability to further increase security and trustworthiness.
• ADA holders: each new utility is good for ADA

[CAPABILITY & FEASIBILITY] What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?

As seasoned developers and auditors of smart contracts on Cardano, we possess extensive experience with audits and design reviews conducted in Plutus, Plutarch, and Aiken languages. We have already identified various vulnerabilities, viewable at https://github.com/vacuumlabs/audits. Additionally, we are launching a series of blogs on common Cardano vulnerabilities, accessible at https://medium.com/@vacuumlabs_auditing.

Drawing from our expertise and experience, we are confident in our ability to create a website that will be well designed for both sides: the projects in need of audit and the community of auditors and security experts. The PoC version of the website has been funded in the previous round and the build is underway - first milestones already reached and approved. Now we want to bring our Smart Contract architects and developers into the process.

[PROJECT MILESTONES] What are the key milestones you need to achieve in order to complete your project successfully?

Begin designing the smart contracts' architecture utilizing our Auditing department's expertise. Output should be a design document describing the smart contract's parameters, inputs and outputs.

Parallel to Milestone 1, we want to start designing additional UX features to make the UX flows for both project founders and bounty hunters easier. Output of the milestone is a Figma document with prepared UX designs.

By the third milestone, we will deliver the Smart Contract code for review by our auditing department. The output will be code of the contract shared from Github.

In parallel with SC code we will be implementing the proposed design and UX improvements to the website, with Milestone 4 we want then to be testable on staging deployment of the website.

The final milestone is deploying the working MVP of the website. It will utilize the audited version of the Smart Contract, as well as UX and UI improvements. We will prepare a blog post and link it to the website that will describe the parameters of the contract and how it translates into more trustless operation of the Bug Bounty platform.

[RESOURCES] Who is in the project team and what are their roles?

The same team that developed the concept phase with the addition of Smart Contract engineers.

Project management:

https://www.linkedin.com/in/peterhucik/

Auditing know-how and exploit severity decisions, smart contract design:

https://www.linkedin.com/in/sladecekmichal/

https://www.linkedin.com/in/michal-porubsky/

Full stack development:

https://www.linkedin.com/in/matej-falat/

FE development:

https://www.linkedin.com/in/sebastian-jakabcin-6a28b1220/

Design:

https://www.linkedin.com/in/denisabrichtova/

Product:

https://www.linkedin.com/in/carolinasoares84/

[BUDGET & COSTS] Please provide a cost breakdown of the proposed work and resources

Development Costs:

• Smart Contract Architecture Design: 20,000 ADA
• Smart Contract development: 50,000 ADA
• Smart Contract audit: 70,000 ADA
• New FE UX development: 80,000 ADA

Other cost:

• User Interface Design and Enhanced Testing: 20,000 ADA.
• Marketing and Community Engagement: 10,000 ADA.
• Project Management and Reporting: 20,000 ADA.
• Contingency and Miscellaneous: 5,000 ADA.

Total: 275,000 ADA.

[VALUE FOR MONEY] How does the cost of the project represent value for money for the Cardano ecosystem?

The budget is crafted to offer maximum value for the Cardano ecosystem. Developer and auditor costs are based on market rates. Investment in community engagement and marketing ensures widespread adoption and contribution. Efficient project management and regular reporting demonstrate our commitment to transparency and accountability. Each ADA spent aims to fortify Cardano's security. We aim to deliver a website that holds up to highest standards in both UX perspective and trustless and decentralized operation.

By preventing high-severity bugs and ensuring the reliability of smart contracts, the platform will potentially save significant funds that would otherwise be lost to vulnerabilities and exploits, thereby offering high value for the money invested. This will also indirectly boost user confidence and investment in the Cardano ecosystem.