Having the DAO take over the ENS bug bounty

True Names currently operates a bug bounty program, with rewards of up to $250k for bugs found in ENS infrastructure - particularly smart contracts.

With the formation of the DAO, I think it would make sense for the DAO to formally take over ownership of the bounty program. Small bounties can be paid out of an “ENS ecosystem” workstream budget, while larger bounties can be voted on directly.



Love this idea. How would you define bugs within small vs. larger bounty categories?


I think it will depend a little on how big the workstream’s budget is, which is something I expect we’ll know better as it’s spun up. At a first approximation maybe the workstream budget would cover low ($20k max) and below?


I think this is a sensible idea.

Some contextual questions:

  • What is True Names’ current budget for bounties?
  • How is True Names funded, or is it funded by the DAO treasury?

IMO this is something perfect for the DAO to vote on and approve as an early proposal. I can’t really see downsides for it as long as the threshold for voting on larger bounties is set properly. The positives is that I’m sure there are a lot of people waiting to see what this DAO votes for, and passing a low-impact proposal would probably reduce tension if there is any.


We don’t have a fixed budget for it; more an expectation we might have to pay it out at some point!

Formerly by EF grants, and more recently by the funds from the short name auction. We have enough runway for a while, but will have to ask the DAO for funding at some point, particularly if we continue to hire so we can develop ENS at a rate that is in line with everyone’s expectations.


I really like this proposal.

1 Like

Once I started reading about budgets for the ENS Ecosystem workgroup, this was my first thought as well.

It seems like the Ecosystem working group would likely (hopefully) have the most clearly defined goals, engineering wise. So beyond just worrying about new proposals, giving incentive to contributors to fix bugs as well seems like a no brainer.