Summary:
Before Safe Harbor is activated for the Compound Finance Bug Bounty Program on Immunefi, we are pleased to share the full details of the program so that the Compound DAO can review and align on it.
Safe Harbor:
Safe Harbor is a legal framework developed by the Security Alliance (SEAL) that allows protocols to empower whitehat security researchers to rescue protocol funds during an active blackhat attack and redirect those funds to a protocol-controlled vault on Immunefi. In return, whitehats receive 10% of the funds saved, capped at 60% of the project's maximum critical reward.
Safe Harbor provides Compound Finance with a secure path for the whitehat recovery of funds during an active blackhat exploit. Immunefi's implementation of the Security Alliance's Safe Harbor framework, coupled with our extensive community of security researchers, integrates directly with Compound's existing bug bounty infrastructure. This gives our security researcher community a credible and safe channel for returning funds when other security measures fail.
Cost:
If Safe Harbor is utilized during a blackhat attack, the payment to the security researcher is 10% of the funds saved, capped at 60% of the project's maximum critical reward. With Compound Finance's $1M maximum critical payout, the reward paid to a whitehat security researcher is therefore capped at $600,000.
For example, if a security researcher saves $1.5M, the reward would be $150,000. If the security researcher saves $8M, 10% would be $800,000, so the reward would be capped at $600,000, which is 60% of the $1M maximum critical reward on the Compound Finance Bug Bounty Program.
There are no additional costs payable to Immunefi or to SEAL.
Terms & Conditions:
Here are the unified Terms & Conditions for the Safe Harbor Program. SEAL and Immunefi have agreed that these Terms & Conditions must be standardized across the industry. When Safe Harbor is needed, the security researchers rescuing the funds at risk need to be confident that the terms are exactly as described, with no differences between programs: during an active exploit they will not have time to read custom T&Cs, and program-specific variations could discourage a rescue.
Activation of Safe Harbor:
Once we have the full support of the Compound DAO for the activation of Safe Harbor, the current program administrators will be able to activate it through the Immunefi dashboard, the same dashboard through which they already receive bug reports from the security researcher community.
Once Safe Harbor is activated, all assets currently in scope of the bug bounty program will be covered by Safe Harbor. A vault address will also be provided; this is the address to which security researchers must return Compound's funds.
Thank you to the Compound DAO for the continuous support for Compound and Immunefi’s ongoing security collaboration.