Bug bounty

From DefiLlama
Revision as of 09:52, 20 April 2022 by 0xBigDaddy (talk | contribs)

A bug bounty is a countermeasure developers can put in place to encourage white hat hackers to disclose exploits discreetly rather than trigger them. Generally speaking, a bug bounty applies strictly to the smart contract repositories it specifies.

Size

A significant number of chains and protocols use bug bounties. These range from a few thousand dollars up to ten million dollars (at the time of writing). Bug bounties are listed on websites such as immunefi.com; by that site's count alone, some $135,000,000 is available for hackers to claim.

Effectiveness

There are many cases of bug bounties successfully preventing exploits:

  • Trail of Bits disclosed a vulnerability in a nearly launched version of AAVE[1].
  • OpenZeppelin disclosed a multisig vulnerability in Convex[2].

Issues

When the parties involved are anonymous, the discloser sometimes has no way to verify that the anonymous counterparty will not simply exploit the code once it is disclosed to them. This was the case with OpenZeppelin's recent attempt to disclose a 10-figure vulnerability in Convex.

Providers

Immunefi lists and organises all bug bounties in the manner of a centralised web2 company. Hats.finance provides a similar offering, but does so in a decentralised way.

Sources