Data Exposure Bounty Reward Request

Hi @accessor.eth - Thank you for bringing this issue to our attention and for taking the time to conduct a security audit of the Builder Grants platform. We appreciate your diligence in identifying and reporting the exposure of personally identifiable information (PII).

Regarding the Bounty Request

To clarify the timeline and our position on this request:

  • When we received your report on January 7th, we promptly escalated the issue to the BuidlGuidl team, who took swift action and resolved the exposure within 12 hours.
  • On January 9th, we communicated that the Public Goods Working Group (PGWG) does not have an independent bounty program and suggested Immunefi as a potential avenue, though we were uncertain about eligibility, which we also communicated.
  • We were unaware of your Immunefi rejection until February 3rd, when you posted this on the forum.

Regarding the bounty classification, we acknowledge that ‘builder.ensgrants.xyz’ is an extension of the ENS ecosystem, but it is not under ens.domains DNS nor part of the official ENS bug bounty scope. Immunefi, which operates with predefined criteria, seems to have determined that this issue was out of scope for a bounty.

That said, we do recognize your effort and contribution, and we acknowledge that your findings helped improve security. Given that PGWG does not have a structured bounty program, this required a steward-led discussion on whether a discretionary retroactive reward is a valid path in this case. We have concluded that an award of 2,500 USDC for this effort seems to be in line with the ENS Labs bug bounty classification, which we consulted in making this decision.

Regarding forum permissions, we are unaware of the reason your permissions on the forum have been revoked. In the meantime, if you are unable to engage via the forum, feel free to reach out via other channels as you have done to report the bug, and we will ensure concerns are heard.

We appreciate your contributions to the ecosystem.
