This playbook defines how Aethelred should operate the protocol bug bounty as a repeatable security function rather than an ad hoc inbox.

| Function | Owner |
|---|---|
| Intake and first response | Ramesh Tamilselvan <rameshtamilselvan@gmail.com> |
| Severity assignment | Ramesh Tamilselvan <rameshtamilselvan@gmail.com> |
| Engineering fix owner | Relevant protocol owner |
| Release decision | Ramesh Tamilselvan <rameshtamilselvan@gmail.com> |
| Reward approval | Ramesh Tamilselvan <rameshtamilselvan@gmail.com> |
| Disclosure signoff | Ramesh Tamilselvan <rameshtamilselvan@gmail.com> |
For every report:
- assign a tracking ID
- confirm scope eligibility
- confirm support status of affected branch, release, or image
- verify reproducibility
- classify severity
- assign engineering owner
- determine whether immediate mitigation is needed
Accepted findings should capture:
- affected branch, tag, or image
- impacted code paths
- exploit steps
- blast radius
- containment decision
- fix PR or commit
- regression proof
- reward decision
- disclosure date
Use the matrix in BUG_BOUNTY_SEVERITY_MATRIX.md and bias toward the higher tier when:
- the issue crosses trust boundaries
- the exploit is reliable
- the exploit affects consensus, custody, or validator control
Bias toward the lower tier when:
- exploitability depends on unrealistic assumptions
- impact is operationally recoverable and tightly bounded
Fix workflow for accepted findings:
- reproduce on a controlled branch
- create minimal containment if immediate risk exists
- patch the root cause
- add regression coverage
- validate on supported branches
- prepare release notes and disclosure decision
Reward workflow:
- confirm the issue is valid and non-duplicate
- assign final severity
- apply reward modifiers
- approve payout in USD value with USDC as the default payment rail
- record payment method and date
No issue should be publicly disclosed before:
- mitigation or fix is deployed
- operator or validator coordination is complete where needed
- legal/compliance review is complete for sensitive cases
Track at minimum:
- acknowledgement time
- triage time
- time to containment
- time to fix
- reward turnaround time
- duplicate rate
- severity distribution
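The metrics above only become a security function if they are computed the same way for every report. The following is an added example, not part of this playbook or the Aethelred project: it derives each listed metric from a minimal per-report tracking record, reports the median rather than the mean so one slow outlier does not hide the typical turnaround, and flags reports that exceeded a per-severity target. The sample reports, the `AETH-` tracking IDs and the `ASSUMED_SLA_HOURS` targets are constructed for illustration; the real targets belong in the severity matrix, not here.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Report:
    """One row of the tracking system; timestamps follow the playbook's lifecycle."""
    tracking_id: str
    severity: str                          # final tier from the severity matrix
    received: datetime
    acknowledged: datetime                 # first response sent to the reporter
    triaged: datetime                      # severity and engineering owner assigned
    contained: Optional[datetime] = None   # interim mitigation in place, if one was needed
    fixed: Optional[datetime] = None       # root-cause fix merged/deployed
    rewarded: Optional[datetime] = None    # payout recorded
    duplicate_of: Optional[str] = None     # tracking ID of the original, if a duplicate


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def _median_hours(values) -> Optional[float]:
    values = list(values)
    return round(median(values), 1) if values else None


def program_metrics(reports):
    """Compute the playbook's minimum metric set; durations are medians in hours."""
    accepted = [r for r in reports if r.duplicate_of is None]
    duplicates = [r for r in reports if r.duplicate_of is not None]
    return {
        # acknowledgement and triage are measured for every report, duplicates included,
        # because the reporter experiences that latency either way
        "acknowledgement_hours": _median_hours(_hours(r.received, r.acknowledged) for r in reports),
        "triage_hours": _median_hours(_hours(r.received, r.triaged) for r in reports),
        # containment/fix/reward only make sense for accepted, non-duplicate findings
        "containment_hours": _median_hours(_hours(r.received, r.contained) for r in accepted if r.contained),
        "fix_hours": _median_hours(_hours(r.received, r.fixed) for r in accepted if r.fixed),
        "reward_turnaround_hours": _median_hours(
            _hours(r.fixed, r.rewarded) for r in accepted if r.fixed and r.rewarded),
        "duplicate_rate": round(len(duplicates) / len(reports), 2) if reports else 0.0,
        "severity_distribution": dict(Counter(r.severity for r in accepted)),
    }


def sla_breaches(reports, targets):
    """Return {tracking_id: [stage, ...]} for reports that exceeded a per-severity target (hours)."""
    breaches = {}
    for r in reports:
        t = targets.get(r.severity, {})
        late = []
        if "acknowledgement_hours" in t and _hours(r.received, r.acknowledged) > t["acknowledgement_hours"]:
            late.append("acknowledgement")
        if "triage_hours" in t and _hours(r.received, r.triaged) > t["triage_hours"]:
            late.append("triage")
        # duplicates carry no fix of their own, so only accepted findings are checked here
        if r.duplicate_of is None and r.fixed and "fix_hours" in t and _hours(r.received, r.fixed) > t["fix_hours"]:
            late.append("fix")
        if late:
            breaches[r.tracking_id] = late
    return breaches


# Assumed targets for the example; the real values come from the approved severity matrix.
ASSUMED_SLA_HOURS = {
    "critical": {"acknowledgement_hours": 4, "triage_hours": 24, "fix_hours": 72},
    "high": {"acknowledgement_hours": 24, "triage_hours": 24, "fix_hours": 240},
}

# Constructed sample data: four reports, one of them a duplicate of the first.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_REPORTS = [
    Report("AETH-001", "critical", T0, T0 + timedelta(hours=2), T0 + timedelta(hours=8),
           contained=T0 + timedelta(hours=20), fixed=T0 + timedelta(days=3, hours=12),
           rewarded=T0 + timedelta(days=10)),
    Report("AETH-002", "low", T0 + timedelta(days=1), T0 + timedelta(days=1, hours=6),
           T0 + timedelta(days=2), fixed=T0 + timedelta(days=12), rewarded=T0 + timedelta(days=15)),
    Report("AETH-003", "critical", T0 + timedelta(days=2), T0 + timedelta(days=2, hours=1),
           T0 + timedelta(days=2, hours=4), duplicate_of="AETH-001"),
    Report("AETH-004", "high", T0 + timedelta(days=3), T0 + timedelta(days=3, hours=4),
           T0 + timedelta(days=3, hours=30), contained=T0 + timedelta(days=4),
           fixed=T0 + timedelta(days=8), rewarded=T0 + timedelta(days=9)),
]

if __name__ == "__main__":
    for name, value in program_metrics(SAMPLE_REPORTS).items():
        print(f"{name}: {value}")
    print("SLA breaches:", sla_breaches(SAMPLE_REPORTS, ASSUMED_SLA_HOURS))
```

Run as a script it prints the metric set and the breach list; the duplicate report contributes to acknowledgement and triage latency but is excluded from fix and reward figures and from the severity distribution, which is the split the playbook's reward workflow implies when it requires a non-duplicate finding before payout.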
Before calling the program operational:
- SECURITY.md published
- response mailbox monitored
- severity matrix approved
- reward bands approved
- fix owners identified
- disclosure signoff path documented
- interim named owners assigned