# Bug Bounty/Security Disclosure Skill

Expert management of bug bounty programs and responsible security disclosure for blockchain protocols.
## Capabilities

- **Program Setup**: Configure bug bounty programs on Immunefi and other platforms
- **Scope Definition**: Define assets, severity tiers, and exclusions
- **Vulnerability Triage**: Assess and validate security reports
- **Responsible Disclosure**: Coordinate disclosure timelines and communications
- **Bounty Management**: Calculate and process bounty payments
- **Post-Disclosure**: Conduct post-mortem analysis and lessons learned
## MCP/Tool Integration

| Tool | Purpose | Reference |
|---|---|---|
| Trail of Bits Skills | Security analysis, property testing | building-secure-contracts |
| Slither MCP | Static analysis for validation | slither-mcp |
| Phalcon MCP | Transaction analysis | phalcon-mcp |
## Bug Bounty Program Setup

### Immunefi Program Structure

```yaml
program:
  name: "Protocol Name"
  website: "https://protocol.xyz"
  assets:
    smart_contracts:
      - type: "Smart Contract"
        target: "0x..."
        severity: "Critical"
    websites:
      - type: "Web Application"
        target: "https://app.protocol.xyz"
        severity: "High"
  severity_levels:
    critical:
      range: "$100,000 - $1,000,000"
      description: "Direct theft of funds, permanent freezing"
    high:
      range: "$10,000 - $100,000"
      description: "Theft requiring user action, temporary freezing"
    medium:
      range: "$1,000 - $10,000"
      description: "Griefing, DoS with medium impact"
    low:
      range: "$100 - $1,000"
      description: "Minor issues, informational"
  exclusions:
    - "Issues in test files"
    - "Third-party dependencies"
    - "Issues requiring admin key compromise"
    - "Front-running issues without significant impact"
```
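Before a program definition like the one above goes live, it is worth checking it mechanically: a placeholder contract address, a non-HTTPS web target, or overlapping payout ranges are the things that later turn into scope and severity disputes. The validator below is an added example, not code from this skill or from Immunefi; the `SAMPLE_PROGRAM` object is a constructed JavaScript mirror of the YAML template, and `validateProgram`, `parseRange` and `withContractTarget` are names chosen here.

```javascript
// Constructed mirror of the YAML program template above; "0x..." is the template placeholder.
const SAMPLE_PROGRAM = {
  name: "Protocol Name",
  website: "https://protocol.xyz",
  assets: {
    smart_contracts: [{ type: "Smart Contract", target: "0x...", severity: "Critical" }],
    websites: [{ type: "Web Application", target: "https://app.protocol.xyz", severity: "High" }]
  },
  severity_levels: {
    critical: { range: "$100,000 - $1,000,000" },
    high: { range: "$10,000 - $100,000" },
    medium: { range: "$1,000 - $10,000" },
    low: { range: "$100 - $1,000" }
  },
  exclusions: ["Issues in test files", "Third-party dependencies"]
};

// Tiers ordered from lowest to highest payout
const TIER_ORDER = ["low", "medium", "high", "critical"];

// "$100,000 - $1,000,000" -> [100000, 1000000]
function parseRange(text) {
  const amounts = text.match(/\$[\d,]+/g);
  if (!amounts || amounts.length !== 2) throw new Error(`unparseable range: ${text}`);
  return amounts.map(a => Number(a.replace(/[$,]/g, "")));
}

// Returns human-readable problems; an empty list means the scope is publishable.
function validateProgram(program) {
  const problems = [];
  for (const [group, assets] of Object.entries(program.assets)) {
    for (const asset of assets) {
      if (group === "smart_contracts" && !/^0x[0-9a-fA-F]{40}$/.test(asset.target)) {
        problems.push(`${group}: target "${asset.target}" is not a full 20-byte address`);
      }
      if (group === "websites" && !/^https:\/\//.test(asset.target)) {
        problems.push(`${group}: target "${asset.target}" is not an https URL`);
      }
      if (!TIER_ORDER.includes(asset.severity.toLowerCase())) {
        problems.push(`${group}: unknown severity "${asset.severity}"`);
      }
    }
  }
  // Payout ranges must ascend without overlap so each report lands in exactly one tier
  let previousMax = 0;
  for (const tier of TIER_ORDER) {
    const level = program.severity_levels[tier];
    if (!level) { problems.push(`severity tier "${tier}" is missing`); continue; }
    const [low, high] = parseRange(level.range);
    if (low > high) problems.push(`${tier}: range minimum exceeds maximum`);
    if (low < previousMax) problems.push(`${tier}: payout range overlaps the tier below`);
    previousMax = high;
  }
  if (!Array.isArray(program.exclusions) || program.exclusions.length === 0) {
    problems.push("no exclusions listed; expect scope disputes");
  }
  return problems;
}

// Copy of a program with every contract target replaced by the given address
function withContractTarget(program, address) {
  return {
    ...program,
    assets: {
      ...program.assets,
      smart_contracts: program.assets.smart_contracts.map(a => ({ ...a, target: address }))
    }
  };
}

console.log(validateProgram(SAMPLE_PROGRAM)); // flags the "0x..." placeholder
```

Run as-is, the only finding is the placeholder address; once the deployed address is filled in, the template passes, and a mis-edited tier (for example High starting at $5,000) is reported as an overlap.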
## Severity Classification

| Severity | Impact | Examples |
|---|---|---|
| Critical | Direct fund loss, protocol takeover | Reentrancy draining funds, access control bypass |
| High | Significant fund loss, protocol disruption | Oracle manipulation, flash loan attacks |
| Medium | Limited fund loss, degraded functionality | Griefing attacks, minor calculation errors |
| Low | No fund loss, minor issues | Gas inefficiency, informational findings |
## Vulnerability Triage Workflow

### 1. Initial Assessment

```markdown
## Triage Checklist
- [ ] Report is within program scope
- [ ] Vulnerability is reproducible
- [ ] Impact assessment is accurate
- [ ] No duplicate of existing report
- [ ] Not a known issue or design decision

## Initial Classification
| Field | Value |
|-------|-------|
| Report ID | BB-2024-XXX |
| Submission Date | YYYY-MM-DD |
| Reporter | @handle |
| Asset Affected | Contract/URL |
| Initial Severity | Critical/High/Medium/Low |
| Status | Triaging |
```

### 2. Validation Process

```bash
# Clone and set up test environment
git clone <protocol-repo>
cd protocol

# Create PoC test
forge test --match-test test_VulnerabilityPoC -vvvv

# Run against mainnet fork
forge test --fork-url $MAINNET_RPC --match-test test_VulnerabilityPoC
```

### 3. Severity Adjustment

Consider:

- **Likelihood**: How likely is exploitation?
- **Impact**: What is the maximum damage?
- **Complexity**: What resources are needed?
- **User Interaction**: Does it require victim action?

```
Final Severity = Base Impact - Mitigating Factors + Aggravating Factors
```
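The formula is easiest to apply consistently when each of the four considerations is turned into a point value and the arithmetic is written down, so the rationale for a severity change survives into the report thread. The function below is an added example, not part of this skill; the point values in `BASE_IMPACT` and the per-factor adjustments are assumptions chosen for illustration, not a published Immunefi scale.

```javascript
// Assumed base impact score (0-10) for the severity the reporter claimed
const BASE_IMPACT = { critical: 9, high: 7, medium: 4, low: 1 };

// Map a 0-10 score back onto the program's four tiers
function tierForScore(score) {
  if (score >= 9) return "critical";
  if (score >= 6) return "high";
  if (score >= 3) return "medium";
  return "low";
}

// factors: { likelihood: "low"|"medium"|"high", impact: "partial"|"total",
//            complexity: "low"|"high", userInteraction: boolean }
// Returns the arithmetic so it can be pasted into the severity-confirmation message.
function adjustSeverity(initialTier, factors) {
  const base = BASE_IMPACT[initialTier];
  if (base === undefined) throw new Error(`unknown tier: ${initialTier}`);
  let mitigating = 0;
  let aggravating = 0;
  if (factors.likelihood === "low") mitigating += 2;    // preconditions rarely hold in practice
  if (factors.likelihood === "high") aggravating += 1;  // reachable by any caller today
  if (factors.complexity === "high") mitigating += 1;   // needs large capital or a privileged position
  if (factors.userInteraction) mitigating += 1;         // a victim must sign or act first
  if (factors.impact === "total") aggravating += 1;     // whole TVL reachable, not a single pool
  const score = Math.max(0, Math.min(10, base - mitigating + aggravating));
  return { initialTier, base, mitigating, aggravating, score, finalTier: tierForScore(score) };
}

// A claimed Critical that needs victim action, a privileged position and rare preconditions
console.log(adjustSeverity("critical", {
  likelihood: "low", impact: "partial", complexity: "high", userInteraction: true
}));
```

The two directions both matter: the example call above downgrades a claimed Critical to Medium, while a High finding that any caller can trigger against the whole TVL moves up to Critical, which matches the classification table's treatment of oracle manipulation.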
## Responsible Disclosure Process

### Timeline

```
Day 0:     Report received
Day 1-3:   Initial triage and acknowledgment
Day 3-7:   Validation and severity confirmation
Day 7-14:  Fix development
Day 14-21: Fix review and testing
Day 21-30: Coordinated disclosure preparation
Day 30+:   Public disclosure (if agreed)
```

### Communication Templates

**Acknowledgment:**

```
Subject: [BB-XXXX] Report Acknowledged

Dear Security Researcher,

Thank you for your submission to our bug bounty program. We have received your
report and assigned it reference number BB-XXXX.

Our security team is currently reviewing your submission. We will provide an
initial assessment within 3 business days.

Timeline:
- Initial response: 24-72 hours
- Severity assessment: 3-7 days
- Fix timeline: TBD based on severity

Best regards,
Security Team
```

**Severity Confirmation:**

```
Subject: [BB-XXXX] Severity Assessment Complete

Dear Security Researcher,

After thorough review, we have assessed your vulnerability report:

Severity: [CRITICAL/HIGH/MEDIUM/LOW]
Bounty Range: $X - $Y
Fix Timeline: X days

[Details of assessment]

Next Steps:
1. Fix development (ETA: X days)
2. Fix verification with your input
3. Coordinated disclosure discussion

Best regards,
Security Team
```
## Bounty Calculation

### Factors

```javascript
// Base bounty per severity tier (lower bound of each published range)
const SEVERITY_BASE = { critical: 100000, high: 10000, medium: 1000, low: 100 };

function getSeverityBase(severity) {
  const base = SEVERITY_BASE[severity.toLowerCase()];
  if (base === undefined) throw new Error(`unknown severity: ${severity}`);
  return base;
}

const severity = "High"; // severity confirmed during triage

// Multipliers applied to the base bounty; the permitted range for each is in its comment
const bountyCalculation = {
  baseBounty: getSeverityBase(severity), // Based on tier
  adjustments: {
    qualityOfReport: 1.2,      // 1.0 - 1.5: well-documented PoC
    impactAccuracy: 1.0,       // 0.8 - 1.2: accurate impact assessment
    firstReporter: 1.0,        // 1.0: first to report
    duplicatePartial: 0.0,     // 0.0 - 0.5: partial duplicate (used in place of firstReporter)
    responsibleBehavior: 1.1   // 1.0 - 1.2: no public disclosure
  },
  calculate() {
    return this.baseBounty *
      this.adjustments.qualityOfReport *
      this.adjustments.impactAccuracy *
      this.adjustments.responsibleBehavior;
  }
};

console.log(bountyCalculation.calculate());
```
### Payment Process

- **Verify Identity**: KYC requirements for large bounties
- **Payment Method**: Crypto (USDC, ETH) or fiat
- **Tax Documentation**: W-9 (US) or W-8BEN (non-US)
- **Confirmation**: Receipt and acknowledgment
## Post-Disclosure Analysis

### Post-Mortem Template

```markdown
# Security Incident Post-Mortem: [Title]

## Summary
- **Date Discovered**: YYYY-MM-DD
- **Date Fixed**: YYYY-MM-DD
- **Severity**: Critical/High/Medium/Low
- **Bounty Paid**: $X

## Root Cause
[Detailed explanation of the vulnerability]

## Timeline
| Time | Event |
|------|-------|
| T+0h | Report received |
| T+2h | Triage complete |
| T+24h | Fix developed |
| T+48h | Fix deployed |
| T+168h | Public disclosure |

## Technical Details
[Code snippets, attack vectors, affected functions]

## Fix Implementation
[How the issue was resolved]

## Lessons Learned
1. [Lesson 1]
2. [Lesson 2]
3. [Lesson 3]

## Process Improvements
- [ ] Improvement 1
- [ ] Improvement 2
```
## Process Integration

This skill integrates with:

- `bug-bounty-program.js` - Full program management process
- `incident-response-exploits.js` - Exploit response coordination
- `smart-contract-security-audit.js` - Pre-launch security review
## Immunefi Best Practices

### Program Configuration

- **Clear Scope**: List all in-scope assets with addresses
- **Realistic Bounties**: Competitive with market rates
- **Response SLA**: Commit to specific timelines
- **Safe Harbor**: Protect researchers acting in good faith

### Common Issues

| Issue | Solution |
|---|---|
| Slow response | Set up triage rotation, clear escalation |
| Scope disputes | Pre-define edge cases in program terms |
| Severity disagreements | Use CVSS scoring, document rationale |
| Payment delays | Pre-fund bounty pool, streamline KYC |
## Security Advisory Format

### GitHub Security Advisory

```markdown
## Summary
[Brief description]

## Severity
[CVSS Score] - [Critical/High/Medium/Low]

## Affected Versions
- >= 1.0.0, < 1.2.3

## Patches
Fixed in version 1.2.3

## Workarounds
[If applicable]

## References
- [Link to fix PR]
- [Related documentation]

## Credits
Thanks to @researcher for responsible disclosure
```
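The "Affected Versions" line is what integrators act on, so it pays to evaluate it the same way a tool would rather than by eye. The checker below is an added example, not part of this skill or of GitHub's advisory tooling; it assumes plain three-part numeric versions (no pre-release tags) and the comma-separated `>= a, < b` clause syntax used in the template, and `isAffected`, `compareVersions` and `parseVersion` are names chosen here.

```javascript
// Parse "1.2.3" into [1, 2, 3]; rejects anything that is not three numeric parts
function parseVersion(version) {
  const parts = version.trim().split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${version}`);
  }
  return parts;
}

// Numeric component-wise comparison, so 1.10.0 sorts after 1.2.3 (string sort gets this wrong)
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Comparison operators accepted in a clause, applied to compareVersions(version, bound)
const OPERATORS = {
  ">=": c => c >= 0,
  ">": c => c > 0,
  "<=": c => c <= 0,
  "<": c => c < 0,
  "=": c => c === 0
};

// True when every clause in a range such as ">= 1.0.0, < 1.2.3" holds for the version
function isAffected(rangeText, version) {
  return rangeText.split(",").every(clause => {
    const match = clause.trim().match(/^(>=|<=|>|<|=)\s*(\S+)$/);
    if (!match) throw new Error(`unparseable clause: ${clause}`);
    const [, operator, bound] = match;
    return OPERATORS[operator](compareVersions(version, bound));
  });
}

// Versions a deployment might report, checked against the advisory template's range
const ADVISORY_RANGE = ">= 1.0.0, < 1.2.3";
for (const deployed of ["0.9.9", "1.0.0", "1.2.2", "1.2.3", "1.2.10", "1.10.0"]) {
  console.log(deployed, isAffected(ADVISORY_RANGE, deployed) ? "affected" : "not affected");
}
```

Note that `1.2.10` and `1.10.0` come out as not affected because the fixed version `1.2.3` is below both numerically; a lexical comparison would have classified `1.2.10` as vulnerable.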
## See Also

- `agents/incident-response/AGENT.md` - Incident response expert
- `smart-contract-security-audit.js` - Security audit process
- `references.md` - Security disclosure resources