Bug Bounty/Security Disclosure Skill

Expert management of bug bounty programs and responsible security disclosure for blockchain protocols.

Capabilities

• Program Setup: Configure bug bounty programs on Immunefi and other platforms
• Scope Definition: Define assets, severity tiers, and exclusions
• Vulnerability Triage: Assess and validate security reports
• Responsible Disclosure: Coordinate disclosure timelines and communications
• Bounty Management: Calculate and process bounty payments
• Post-Disclosure: Conduct post-mortem analysis and lessons learned

MCP/Tool Integration

Tool	Purpose	Reference
Trail of Bits Skills	Security analysis, property testing	building-secure-contracts
Slither MCP	Static analysis for validation	slither-mcp
Phalcon MCP	Transaction analysis	phalcon-mcp

Bug Bounty Program Setup

Immunefi Program Structure

program:
  name: "Protocol Name"
  website: "https://protocol.xyz"

  assets:
    smart_contracts:
      - type: "Smart Contract"
        target: "0x..."
        severity: "Critical"

    websites:
      - type: "Web Application"
        target: "https://app.protocol.xyz"
        severity: "High"

  severity_levels:
    critical:
      range: "$100,000 - $1,000,000"
      description: "Direct theft of funds, permanent freezing"
    high:
      range: "$10,000 - $100,000"
      description: "Theft requiring user action, temporary freezing"
    medium:
      range: "$1,000 - $10,000"
      description: "Griefing, DoS with medium impact"
    low:
      range: "$100 - $1,000"
      description: "Minor issues, informational"

  exclusions:
    - "Issues in test files"
    - "Third-party dependencies"
    - "Issues requiring admin key compromise"
    - "Front-running issues without significant impact"

Severity Classification

Severity	Impact	Examples
Critical	Direct fund loss, protocol takeover	Reentrancy draining funds, access control bypass
High	Significant fund loss, protocol disruption	Oracle manipulation, flash loan attacks
Medium	Limited fund loss, degraded functionality	Griefing attacks, minor calculation errors
Low	No fund loss, minor issues	Gas inefficiency, informational findings

Vulnerability Triage Workflow

1. Initial Assessment

## Triage Checklist

- [ ] Report is within program scope
- [ ] Vulnerability is reproducible
- [ ] Impact assessment is accurate
- [ ] No duplicate of existing report
- [ ] Not a known issue or design decision

## Initial Classification

| Field | Value |
|-------|-------|
| Report ID | BB-2024-XXX |
| Submission Date | YYYY-MM-DD |
| Reporter | @handle |
| Asset Affected | Contract/URL |
| Initial Severity | Critical/High/Medium/Low |
| Status | Triaging |

2. Validation Process

# Clone and setup test environment
git clone <protocol-repo>
cd protocol

# Create PoC test
forge test --match-test test_VulnerabilityPoC -vvvv

# Run against mainnet fork
forge test --fork-url $MAINNET_RPC --match-test test_VulnerabilityPoC

3. Severity Adjustment

Consider:

• Likelihood: How likely is exploitation?
• Impact: What is the maximum damage?
• Complexity: What resources are needed?
• User Interaction: Does it require victim action?

Final Severity = Base Impact - Mitigating Factors + Aggravating Factors

Responsible Disclosure Process

Timeline

Day 0:    Report received
Day 1-3:  Initial triage and acknowledgment
Day 3-7:  Validation and severity confirmation
Day 7-14: Fix development
Day 14-21: Fix review and testing
Day 21-30: Coordinated disclosure preparation
Day 30+:  Public disclosure (if agreed)

Communication Templates

Acknowledgment:

Subject: [BB-XXXX] Report Acknowledged

Dear Security Researcher,

Thank you for your submission to our bug bounty program. We have received
your report and assigned it reference number BB-XXXX.

Our security team is currently reviewing your submission. We will provide
an initial assessment within 3 business days.

Timeline:
- Initial response: 24-72 hours
- Severity assessment: 3-7 days
- Fix timeline: TBD based on severity

Best regards,
Security Team

Severity Confirmation:

Subject: [BB-XXXX] Severity Assessment Complete

Dear Security Researcher,

After thorough review, we have assessed your vulnerability report:

Severity: [CRITICAL/HIGH/MEDIUM/LOW]
Bounty Range: $X - $Y
Fix Timeline: X days

[Details of assessment]

Next Steps:
1. Fix development (ETA: X days)
2. Fix verification with your input
3. Coordinated disclosure discussion

Best regards,
Security Team

Bounty Calculation

Factors

const bountyCalculation = {
  baseBounty: getSeverityBase(severity), // Based on tier

  adjustments: {
    qualityOfReport: 1.0 - 1.5,    // Well-documented PoC
    impactAccuracy: 0.8 - 1.2,     // Accurate impact assessment
    firstReporter: 1.0,            // First to report
    duplicatePartial: 0.0 - 0.5,   // Partial duplicate
    responsibleBehavior: 1.0 - 1.2 // No public disclosure
  },

  calculate() {
    return this.baseBounty *
           this.adjustments.qualityOfReport *
           this.adjustments.impactAccuracy *
           this.adjustments.responsibleBehavior;
  }
};

Payment Process

1. Verify Identity: KYC requirements for large bounties
2. Payment Method: Crypto (USDC, ETH) or fiat
3. Tax Documentation: W-9 (US) or W-8BEN (non-US)
4. Confirmation: Receipt and acknowledgment

Post-Disclosure Analysis

Post-Mortem Template

# Security Incident Post-Mortem: [Title]

## Summary
- **Date Discovered**: YYYY-MM-DD
- **Date Fixed**: YYYY-MM-DD
- **Severity**: Critical/High/Medium/Low
- **Bounty Paid**: $X

## Root Cause
[Detailed explanation of the vulnerability]

## Timeline
| Time | Event |
|------|-------|
| T+0h | Report received |
| T+2h | Triage complete |
| T+24h | Fix developed |
| T+48h | Fix deployed |
| T+168h | Public disclosure |

## Technical Details
[Code snippets, attack vectors, affected functions]

## Fix Implementation
[How the issue was resolved]

## Lessons Learned
1. [Lesson 1]
2. [Lesson 2]
3. [Lesson 3]

## Process Improvements
- [ ] Improvement 1
- [ ] Improvement 2

Process Integration

This skill integrates with:

• bug-bounty-program.js - Full program management process
• incident-response-exploits.js - Exploit response coordination
• smart-contract-security-audit.js - Pre-launch security review

Immunefi Best Practices

Program Configuration

1. Clear Scope: List all in-scope assets with addresses
2. Realistic Bounties: Competitive with market rates
3. Response SLA: Commit to specific timelines
4. Safe Harbor: Protect researchers acting in good faith

Common Issues

Issue	Solution
Slow response	Set up triage rotation, clear escalation
Scope disputes	Pre-define edge cases in program terms
Severity disagreements	Use CVSS scoring, document rationale
Payment delays	Pre-fund bounty pool, streamline KYC

Security Advisory Format

GitHub Security Advisory

## Summary
[Brief description]

## Severity
[CVSS Score] - [Critical/High/Medium/Low]

## Affected Versions
- >= 1.0.0, < 1.2.3

## Patches
Fixed in version 1.2.3

## Workarounds
[If applicable]

## References
- [Link to fix PR]
- [Related documentation]

## Credits
Thanks to @researcher for responsible disclosure

See Also

• agents/incident-response/AGENT.md - Incident response expert
• smart-contract-security-audit.js - Security audit process
• references.md - Security disclosure resources