Bug Bounty Program
- Initiated the Bug Bounty program privately for selected researchers (Private testnet on June 3rd).
- Bug Bounty Program to continue indefinitely.
The bug bounty program currently contains two separate scopes, which share the same rules with a few exceptions as noted below:
- Smart contracts for Multi-Collateral Dai.
- Infrastructure for select public-facing domains (please see the "Ineligible Bugs" section in the Policy section on HackerOne, especially regarding third-party software, before submitting a report).
Note: The program may be expanded in the future to include more asset types such as frontends and apps.
Since the launch of the program, three high-severity bugs and one critical-severity bug have been discovered, resulting in bounty reward payments totalling $90,000. The vulnerabilities consisted of unwanted interactions between the Dai Savings Rate (DSR) module and the Maker Protocol in one case, and the emergency shutdown module and the auctions in another case. The discoveries were in line with our expectations, as these modules either required additional scrutiny or were the most recent ones to be integrated with the system. Given that the security of the system remains our highest priority, we will continue the bug bounty program indefinitely.