From 4d7b2d86299d3e69ca5e1adb193ae6f0e4f72230 Mon Sep 17 00:00:00 2001 From: anonimal Date: Wed, 29 Nov 2017 23:32:08 +0000 Subject: [PATCH] VRP: add section Bounty Distribution --- VULNERABILITY_RESPONSE_PROCESS.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/VULNERABILITY_RESPONSE_PROCESS.md b/VULNERABILITY_RESPONSE_PROCESS.md index bc97990..2eb8568 100644 --- a/VULNERABILITY_RESPONSE_PROCESS.md +++ b/VULNERABILITY_RESPONSE_PROCESS.md @@ -101,6 +101,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1 2. If the Incident Response process in section III is successfully completed: - a. Response Manager contacts researcher and asks if researcher wishes for credit + - i. If bounty is applicable, release bounty to the researcher as defined in secion "Bounty Distribution" - b. Finalize vulnerability announcement draft and include the following: - i. Project name and URL - ii. Versions known to be affected 
@@ -125,7 +126,17 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1 - c. If disputes arise about whether or when to disclose information about a vulnerability, the Response Team will publicly discuss the issue via IRC and attempt to reach consensus - d. If consensus on a timely disclosure is not met (no later than 90 days), the researcher (after 90 days) has every right to expose the vulnerability to the public -## V. Incident Analysis +## V. Bounty Distribution + +- Total availability of XMR bounty can be tracked [here](https://forum.getmonero.org/8/funding-required/87597/monero-bounty-for-hackerone). XMR market values can be found at the various exchanges. See also [Cryptowatch](https://cryptowat.ch/) and [Live Coin Watch](https://www.livecoinwatch.com/). +- As reports come in and payouts are made, the total bounty supply shrinks. This gives incentive for bug hunters to report bugs a.s.a.p. +- The following percentages apply to available XMR bounty (severity is defined above in section III. 6.): + 1. 10% reserved for LOW severity bugs + 2. 30% reserved for MEDIUM severity bugs + 3. 60% for HIGH severity bugs +- Each bug will at most receive 10% of each category. Example: 10% of 60% for a HIGH severity bug. + +## VI. Incident Analysis 1. Isolate codebase - a. Response Team and developers should coordinate to work on the following: @@ -141,7 +152,7 @@ PGP key fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1 3. Response Team has 45 days following completion of section III to ensure completion of section V -## VI. Resolutions +## VII. Resolutions Any further questions or resolutions regarding the incident(s) between the researcher and response + development team after public disclosure can be addressed via the following: 
@@ -159,7 +170,7 @@ Any further questions or resolutions regarding the incident(s) between the resea - [Reddit /r/Kovri](https://reddit.com/r/Kovri/) - Email -## VII. Continuous Improvement +## VIII. Continuous Improvement 1. Response Team and developers should hold annual meetings to review the previous year's incidents
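Review bot: the added line `+ - i. If bounty is applicable, release bounty to the researcher as defined in secion "Bounty Distribution"` in the first hunk misspells "section" as "secion"; fix the typo and, since the new section is numbered, reference it as `section V. "Bounty Distribution"` so it matches the other cross-references in this document (e.g. "section III"). Consider also making the bounty release its own lettered step rather than a sub-item `i.` of `a. Response Manager contacts researcher and asks if researcher wishes for credit`, because as nested it reads as part of the credit question, while bounty applicability depends on severity (section III. 6.), not on whether the researcher wants credit.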
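Review bot: in the Bounty Distribution hunk the cap `Each bug will at most receive 10% of each category. Example: 10% of 60% for a HIGH severity bug.` is ambiguous about what "10% of each category" is measured against; suggest `Each bug receives at most 10% of the pool reserved for its severity category (e.g. 10% of the 60% HIGH pool, i.e. at most 6% of the total available bounty).` The section also says the percentages apply to "available XMR bounty" and that the supply shrinks as payouts are made, but does not state at which point the available amount is measured (time of report vs. time of payout, before or after earlier payouts in the same batch); adding one sentence fixing that moment would avoid disputes when several reports arrive close together.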
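Review bot: the unchanged context line `3. Response Team has 45 days following completion of section III to ensure completion of section V` in the third hunk still points at the old numbering; after this patch section V is "Bounty Distribution" and Incident Analysis has become section VI, so the reference should be updated to `section VI` in the same commit that renumbers the headings.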