Data Exposure Bounty Reward Request


I performed an audit on Builders Grants on January 6-7.
While reviewing the code I noticed that personal information such as Telegram handles, personal Google Drive links and email addresses for grant recipients, along with the grant reviewer feedback, was exposed. I notified a steward from the Public Goods Working Group about the issue. They noted the exposure of PII and passed the information to the BuidlGuild team who developed the site.

The data exposure was then corrected and removed from the site. I asked if there would be a bounty or reward for it, but since it was on the Builder ENS Grants page, whether it qualified for a bounty was unknown. I then submitted it to Immunefi, where it was ultimately rejected.

I understand that builder.ensgrants.xyz is not “ENS” proper. But the site plays a crucial role as an extension thereof. I believe this should still be applicable for reward, as the Bug Bounty clearly states that disclosure of user information is considered ‘High’.


I am curious to know why this was not accepted, given how it is classified. Why would this not be an issue just because it doesn’t fall under ens.domains DNS? I believe the applicability should still be extended, as builder.ensgrants.xyz is an official part of ENS but not ENS proper.

Personal data exposure shouldn’t get into public view, especially if that data is not yours, ours, mine, etc.

I am officially asking to be retroactively rewarded with a bounty, to be collectively decided by the stewards. The reward payment scales overlap each other, so I am unsure how to calculate what would be a fair reward.


On another note


Unfortunately, I am unable to message anyone through the discussion forum, as all of my permissions and my ability to message any persons have been taken away without any notification, discussion, consensus or real reason, at least that I am aware of. So I have to ask this publicly. Despite my continuing effort to contribute and take part in discussion over the past ~4 years, I don’t believe I have broken any rules, and I feel that I have been targeted because of a disagreement over my opinions and findings of discrepancy.
