Bug Bounty Program Renewal III

Abstract

This document serves as a proposal to extend the Bug Bounty program for an additional six months. Our aim is to foster and sustain community engagement, acknowledging their contributions to the project’s success. By offering incentives for identifying bugs, the DAO collectively assumes responsibility for the ongoing development. This proposal is intended to renew the existing initiative, which is due to end in February 2024.

Motivation

  • Our goal is to continuously motivate the community to identify and report bugs, focusing on in-game functionality and issues related to official websites.

Details

The Bug Bounty Program is designed to engage the community’s assistance in enhancing our live products and features. This includes addressing in-game usability concerns, as well as issues related to second-party games and official websites, such as the RBW staking website and the rewards claim site. The program may also extend to issues arising from partnerships, provided they pertain to Crypto Unicorns products.

Participants will be rewarded for reporting new issues, with the compensation reflecting the severity of the reported issue. Each issue will be evaluated by the core developer responsible for the affected game loop, based on the severity tiers outlined below.

Note: while the severity tier reference helps categorize potential bugs/issues, the primary developer reserves the final say in determining the validity and severity of a submission.

  • Eligibility for rewards (original reporter):

    • Must be the first to report a relevant issue via Zendesk.
    • Must be a member of the Discord community.
    • Must not be under a current ban (temporary or permanent) or under monitoring following a ban warning.
    • Must adhere to the Bug Bounty Ticket Format.
  • Exclusions from the program:

    • Issues already disclosed in the #known-issues channel of the official Discord server.
    • Internal work-in-progress issues not publicly announced, because disclosure could open possible attack vectors.
    • Issues pertaining to smart-contracts covered by the Security Bug Bounty Program.
    • Issues related to non-deployed items, items in test phases (alpha, beta, etc.), and back-end items that do not affect live feature/system usability.
    • Isolated cases caused by client-side factors outside our service’s scope (e.g., unstable network, inadequate tech/hardware).
    • Intended game balancing adjustments.
  • How are reports verified?

    • The reporter takes on the burden of proving a potential bug’s validity by submitting a ticket on Zendesk with all the necessary information.
  • How will the reward be disbursed?

    • Rewards, denominated in USD, may be paid in either RBW or USDC on a monthly basis.

Validity

This program will be valid for six months, from February 2024 to July 2024, commencing as the current cycle concludes.

Conclusion

We are confident that this program effectively aligns incentives with community engagement, and we leave the decision to approve this proposal to the DAO.

——

Change log:

  • Introduced Tier 6
    • Tier 6 aims to acknowledge a broader spectrum of valid reports, reducing instances of outright invalidation for lesser impact reports. This reflects our recognition of the community’s efforts in identifying and reporting minor yet significant issues.
  • Adjusted rewards
    • We’ve enhanced the attractiveness of high-severity report rewards, increasing their value.

These two changes were made with the intention of amplifying rewards for high-value tiers in the development process, while ensuring fair compensation for lower tiers.

1 Like

I support this. We should incentivize the community for finding and reporting bugs.

1 Like

I don’t support this proposal. Too many times we’ve heard members complaining about their bug bounty report being invalidated. The dollar amounts are too low and the program is not taken seriously in my experience. Zendesk is usually incompetent and frustrating to deal with for anything other than the most basic of issues.

Quest cycling (sending lands to a new account to reset the quests) is a perfect example of this. It quite literally violates the Tier 2 description of “issues with impact directly rooted to the blockchain and blockchain assets, impacting their value and/or utility”. Being able to do infinite quests is very much impacting the intended utility of land (a blockchain asset). Players who reported this were told it’s not a bug, and then in turn created significantly more than 1250 USDC in value.

The bug bounty program needs to have a competent party assigned to handle it and not Zendesk, as well as properly incentivize reporting over “exploiting” the bug until you get a warning months later. I’d like to see someone who at least has a clue about the CU economy take the reins on this so they can properly handle reports.

4 Likes

I give my support to the proposal. I think it’s very important that this exists. It gives a would-be hacker the ability to do something good rather than bad. My only hope is that LG really takes the submissions more seriously in the future. If someone finds an exploit it should be called an exploit and not a feature. Payouts should be paid for features if they are viewed as exploitative by the community.

Such a program should exist, but my personal experience with it was sub-par. After being encouraged by LG to formally report a bug which was informally confirmed after a public disclosure on Discord, the submission was denied because it was only applicable to the subset of players that owned large quantities of the assets in question (so a class warfare-ish based denial; the official reply was that the bug was ‘irreplicable within multiple environments’ even though it can still be easily replicated). Such responses discourage the community from putting effort into identifying and reporting bugs, so I recommend a revision of the bug submission acceptance criteria.

1 Like

As for me, tier 1-2 rewards are still low; usually such high tier bugs are not even worth reporting, and the person who is able to find one would usually exploit it to the core until we all see the consequences, as it was when the in-game marketplace was hacked or the game bank balance was hacked. Even though we need such a program, it seems to me like something to distract attention, like “look, we have something for whitehats”, but after community members report stuff, reports were rarely taken into account, so people just lose motivation to report anything. I also agree with Dipbeak that another party (just like councils) would be great to determine and distribute rewards. Zendesk is a horrible experience.

The scope of the Bug Bounty Program is just usability issues found within the game. Real exploits actually fall under the purview of the Security Bug Bounty and must be reported via the bug bounty email and not on Zendesk.

The bug report is determined by the developer for the loop. For example, if a bug is found on the Unicorn Party games, the report is forwarded to the Surf Team and they will determine the actual impact of the bug on their systems as they’re the ones that know how to properly assess it.

I support the renewal of the bug bounty program, but I also agree with Dipbeak’s concerns regarding the incompetence of the Zendesk team in handling the bug reports properly, which ultimately discourages participation from the community.

My personal experience has not been good with this program. Zendesk feels very subjective and at times incompetent. I’ve found it to be a frustrating experience to deal with them.

Additionally once bugs are approved, I’ve had issues re: payouts. Example: An approval from May 2023 is still unpaid, even after following up and reporting it as unpaid. It’s a low payout so it’s not worth any additional efforts at this point.

At this point, if I find a bug, I submit it to help the community, but I have no expectations of payout. It’s a hassle to deal with the entire process. And it’s not worth my continued time and effort re: trying to collect the bug bounty.

So in theory, I support the idea of the program. But payout values are low and the Zendesk experience is frustrating. It’s easy to become discouraged re: participating in the program.

Mixed feelings about this one. The Zendesk experience is horrible, and every time you talk to them, you clearly understand that they have 0 clue of what is going on in the game, how it works and how impactful the things reported are.
When you report something, it feels like talking to a wall.

A lot of people were complaining about the super long delay of getting paid, of getting their report approved and so on.

It needs to be somehow changed in my opinion, people working on Zen Desk need to be aware of how the game is working and rewards need to be higher.

The idea of having a bug bounty is good. Like what nanessa mentioned above, the real exploits fall under the security bug bounty, but the real problem here lies in who validates the reports. The in-game exploits that the community reported for potential abuse were invalidated because of “game design reasons”. Regardless of whether it’s a theory or not, the team should not wait for the exploit to be abused before they validate the report.

This happened multiple times, and of course this is based on personal experience.
An example of this is the land cycling (reported way back on January 4, 2023).

They actually said that the said exploit is not a bug. I only managed to get 250 USD worth of reward for bringing the issue to their attention, and they did nothing afterwards.

This cost LG more than 1xx,xxx USD because of continuous abuse of the forced refreshing of quests.

Why is this relevant? Players’ bad experience with the bug bounty program leads us not to report and just abuse what can be abused.

As a council member, I say the bug bounty is a good proposal for the community to help the game designers by reporting potential bugs and exploits. If it could be tweaked with more transparency I think this will work; either way, it’s better to have something like this rather than none.

But again, the real problem is the validation like what @Dipbeak said, if we can have a different party other than ZD to validate then that might work.

1 Like

I am in favor of having a bug bounty, but I’m not a fan of this proposal. It’s clear that there are some issues with the way this program currently works as highlighted by other members above.

This proposal seems like a minimal effort attempt to keep a broken system going. I’d personally rather see an attempt to work out how this system might be better implemented to achieve its desired outcomes. That said, this proposal has enough information for the DAO to make an informed vote.

I’m in favor of the bug bounty, but the disappointment I expressed about how they push people back, since I feel they don’t want to spend on the bug bounty, is colossal.

Bugs that are confirmed should have proper tiering regardless. It is frustrating to always have to go to ZD and then, after 14-21 days, they just drop your claim that was initially onboarded, because of “excuses”. It’s stupendous.

While I try to report these bugs regularly, it discourages me from reporting them further because of how ZD is handling these things.

Your tier system will just make LG tier everything to that 25 dollars. I think the lowest tier should be 100 USD. I don’t want to spend my time dealing with their support only for them to turn it down.

T6, T5 and T4 should be at the following if we are making the “same tier”:
  • T6: 100
  • T5: 250
  • T4: 500

I would not spend my time if it’s only 25 dollars [because THEY WILL PUT THAT ON THAT TIER SURELY]. I can put my effort somewhere else. Waiting 14-21 days on a report only to have it disclaimed later is just a waste of my time.

1 Like

I agree with the renewal of the Bug Bounty, but remove T6.

The council review session for this proposal has ended with the following results:

Yes: 3
No: 7
No Vote: 1

With this, the proposal will be closed and the existing Bug Bounty program will expire on February 7, 2024. Thank you for your participation in the discussion.