So you’re suggesting that we should have done an RFP and exposed a vulnerability to solve it?
This should be seen more like a bug bounty than service providing. That said, it sets a positive precedent that responsible vulnerability disclosure and correction are rewarded, encouraging future security contributions.
A bug bounty just shows the vulnerability and how feasible it is. A critical bug of $250k USDC in the ENS Immunity program. This is not a code vulnerability, but it still is a vulnerability, and the actions taken were the result of research.
And if there was no research and responsible disclosure, there is a scenario where the subject we would be chatting about today could be “How to continue ENS with the protocol captured and no treasury”. It seems crazy, but that was really how dangerous the situation was. The report clearly shows this.
We reported it and raised awareness among the right stakeholders, solved the issue, and gave more time to find an appropriate solution in the next 2 years. So it was more than just a common bug bounty report, and yet it’s closer to $250k than $1m per quarter of the market rate of OZ on Compound (and that was exploited exactly by that attack vector).
I can understand where you’re coming from. It is worth reiterating that blockful provides services for ENS DAO inside this scope. Finding and solving an attack vector is a completely different thing. If the research done hadn’t shown any issue, then this proposal wouldn’t exist. It’s focusing on the outcome, not on the work.