[VIP-32] UI/UX QA Bug Bounty Program

Create Snapshot vote to approve this program
  • Yes
  • No

Summary

VaultCraftDAO should create a QA Bug Bounty program focused on the functionality and usability of the dApp.

Value Proposition

VaultCraft already uses an Immunefi Bug Bounty Program to protect the security of protocol-related smart contracts. However, the UI/UX of app.vaultcraft.io is critical to ensure users have a clear, safe way to interact with said smart contracts. To help secure and improve the user experience, a similarly recurring bug bounty program should be introduced.

This serves five main purposes:

  • Assure quality of UI/UX for all users
  • Provide community members an opportunity to earn oVCX and VCX
  • Recognize engaged community members with a special role / badge on Discord
  • Decentralize the responsibility of securing the protocol
  • Engage new users to possibly ‘learn and earn’ while they test the dApp

Additionally, the bug bounty being paid out in oVCX would allow the bounty hunter to recognize a meaningful financial reward while providing revenue for the protocol.

Budget

The tokenomics outlines 100M VCX to Partner Incentives. This category includes the VaultCraft Partner Program (VPP), VaultCraft Referral Program (VRP), and University Governance Program (UGP).

Upper caps are not defined individually for the VPP and VRP, which drive TVL growth. On the other hand, UGP, which promotes the decentralization of governance, is budgeted 500K VCX.

Therefore, this program, which similarly promotes decentralization, should be budgeted 500K VCX for bug bounty rewards.

Implementation

  • Create a new public channel on the Discord for QA testers
    • Used to communicate program updates, submission validation, payment schedule
  • Invite anyone to join
  • Review bug bounty submissions through Github
    • VaultCraft is open source so the repo is already public and open for anyone to submit ‘Issues’
  • Pay out valid submissions in oVCX using the ‘Partner Program’ allocation of DAO treasury VCX to fund the redemption contract
  • Add the following page to the docs:

VaultCraft UI/UX QA Bug Bounty Program

Introduction:

Welcome to our UI/UX QA Bug Bounty Program! We believe in the power of community-driven development and are excited to invite skilled individuals to help us enhance the user experience and ensure the security of our decentralized application (dApp). This program encourages participants to explore the application thoroughly, identifying and reporting any UI/UX issues that may affect the overall usability and functionality.

Scope:

The bug bounty program covers the entire functionality of the dApp. Participants are encouraged to scrutinize every aspect of the user interface (UI) and user experience (UX) without executing any transactions to avoid incurring gas fees. The focus is on identifying issues that impact the core functionality of the dApp, including but not limited to depositing or withdrawing from Smart Vaults, locking Balancer LP tokens for veVCX, voting with veVCX, claiming and executing oVCX, incorrect or missing data values, connecting a wallet, page navigation, responsiveness, visual design, branding consistency, grammar and text copy, hyperlink accuracy, and overall user satisfaction.

Note that the scope of this program is focused on UI/UX of the dApp. For our smart contract testing, please visit our Immunefi Bug Bounty.

Levels of Severity:

We have categorized the severity of identified issues into three levels to determine the reward payouts. Each level corresponds to the impact on the core functionality and the potential risk associated with the identified bug.

  • Critical (High Severity):
    • Description: Issues that significantly impair the core functionality of the dApp, leading to a severe degradation of the user experience.
    • Examples:
      • Non-responsive UI failing to prompt a transaction signature
      • Critical components not loading
      • Severe visual glitches affecting important elements.
      • Any bugs hindering the completion of essential tasks.
    • Reward: 10000 oVCX
  • Major (Medium Severity):
    • Description: Issues that have a noticeable impact on the user experience and may hinder the completion of specific tasks.
    • Examples:
      • Inconsistencies in UI design or branding.
      • Navigation issues affecting user flow.
      • Data, values, or charts failing to load in a reasonable amount of time.
      • Non-critical functional bugs affecting specific features.
    • Reward: 5000 oVCX
  • Minor (Low Severity):
    • Description: Minor issues that do not significantly impact core functionality but may affect the overall polish and professionalism of the dApp.
    • Examples:
      • Spelling or grammatical errors.
      • Incorrect logos or naming of third parties.
      • Cosmetic UI issues with non-essential elements.
      • Suggestions for usability improvements.
    • Reward: 1000 oVCX

How to Participate:

  1. Join the #bug-bounty-hunter channel in Discord to be awarded the role of “Vaultcraft Community Q&A team” along with a different colored name tag.
  2. Explore app.vaultcraft.io and thoroughly test its UI/UX.
  3. Identify, document, and submit any issues, including a clear description and steps to reproduce through Issues · Popcorn-Limited/app · GitHub. Also include your Discord username to associate your submission with your contact information.
  4. The team will follow up with you directly with any questions and to confirm the validity of your submission. oVCX rewards will be distributed within 30 days of the closure of your bug submission ticket.
  5. Repeat! You are encouraged to submit as many valid bugs as you can find. Remember to try different devices, browsers, input values (decimals, commas, etc), keyboard combos, and configurations.

Rules and Guidelines:

  • Participants must refrain from executing transactions to avoid gas fees.
  • Participants are eligible for rewards for each unique, valid submission.
  • Submissions must include clear and concise documentation of the identified issues.
  • Duplicate submissions will not be eligible for rewards.
  • Only submissions that have not been previously reported will be considered for rewards.
  • Participants are expected to adhere to ethical guidelines and avoid exploiting any vulnerabilities.
  • Reviewers reserve the right to define the validity of bug submissions.

Reward Payouts:

Rewards will be paid out in oVCX, with the amount determined by the severity level of the identified issues. Payouts will be made within 30 days of the closing of a valid bug submission.

8 Likes

For the reward part, what's the $ face value of each reward? Since VCX fluctuates and that affects oVCX value

At current prices of ~$0.017 (Dex Screener)
High = 10000 (oVCX) * $0.017 (VCX price) * 25% (oVCX profit margin) = $42.5
Medium = 5000 (oVCX) * $0.017 (VCX price) * 25% (oVCX profit margin) = $21.25
High = 1000 (oVCX) * $0.017 (VCX price) * 25% (oVCX profit margin) = $4.25

I meant, like a permanent face value, so the reward is consistent. Have to account for price movement of VCX

ex:
High = $75 worth of oVCX, instead of quantity

1 Like

Sure, can round these numbers up to:
H = $50
M = $25
L = $5

Bounty can be paid correlating to the average VCX price of the monthly period (25th-25th) in which it was submitted

I.e., submission on January 17th will be paid x amount of oVCX corresponding to $50 value based on the average price between December 25th - January 25th, even if it is not resolved until February

Here’s an example of how this can be calculated. The data is pulled directly from Coingecko: https://www.coingecko.com/en/coins/vaultcraft/historical_data#panel

I made two example tabs, one for VCX (with limited data) and another with our friends from Timeless’ LIT token price history