# Incentive Model

### Changelog

**Jan 9th, 2024** - test new distribution algorithm, changes include:

1. Base share change from 10% to **5%**
2. **No more** separate pool for informational issues
3. **New** weight of Critical: Medium: Low: Informational -> **64 : 16 : 4 : 1**

***

### How to Win More Rewards - Cheat Sheet

To maximize your rewards, consider the following strategies:

1. Find **more critical** bugs
2. Find **Solo** bugs that **no other auditors find**
3. Write a **high-quality summary** of the findings
   * Clear root cause, reproduction logic or PoC
   * Actionable fix proposal
4. Submit **as many valid findings** as possible

***

### How do Secure3 Graders determine the reward?

#### Bug Categorization & Reward Share

Everyone who finds a valid bug will split **10%** of the total rewards. Bugs are categorized as follows:

* **High**, **Medium**, and **Low**: earn **81%** of the reward pool
* **Informational**: earn **9%** of the reward pool

The reward ratio of High, Medium, and Low findings is **4 : 0.6 : 0.4**.

#### Scoring System for Findings

Auditors' findings are rated on a scale of 0-3:

* **0**: Not a bug.
* **1**: Bug found, but no clear explanation or actionable fix provided.
* **2**: Average quality.
* **3**: Bug verified, with clear explanations, reproduction steps and actionable fix proposals.

Rewards for each bug are shared based on the score, ensuring that auditors who find the same bug split the reward according to their respective scores.

### Reward Distribution Logic

The final reward you can get as an auditor will solely depend on three dimensions:

* [**Your effort**](#id-1.-reward-efforts)
* [**The severity of your findings**](#id-2.-reward-severity)
* [**The quality of your findings**](#id-3.-reward-quality-of-findings)

#### **1. Reward Efforts**

If nobody finds a single bug in an audit contest, every participant splits 10% of the total pool equally, as a reward for their effort.

We believe in the capabilities of our auditors and are confident that bugs will be discovered. Therefore, as long as you identify verified issues, you will be entitled to an equal share of the 10% base reward.

> **Example**: If the total reward is $15,000 and 15 auditors find verified bugs, each auditor receives: Reward per auditor = $15,000 × 10% / 15 = $100

#### 2. Reward Severity

We reward your findings based on severity and quality. The performance portion (90% of the total reward) will be divided into two pools:

* **Critical/Medium/Low**: 81%
* **Informational**: 9%

> For the **definition of severity**, please refer to [Security Vulnerability Severity](https://docs.secure3.io/features/severity-standard). Feedback on the severity level definition is welcomed!

Because the total number of bugs found varies from project to project, we define the earnings ratio between **Critical : Medium : Low** bugs as **4 : 0.6 : 0.4**, while the **Informational** pool is divided equally by the number of informational findings.

Suppose a total of **x** critical bugs, **y** medium bugs, **z** low bugs, and **i** informational bugs are found. The reward pool for each severity is:

* Critical share = TotalRewards × 81% × 4x / (4x + 0.6y + 0.4z)
* Medium share = TotalRewards × 81% × 0.6y / (4x + 0.6y + 0.4z)
* Low share = TotalRewards × 81% × 0.4z / (4x + 0.6y + 0.4z)
* Informational share = TotalRewards × 9%

Empirically, *x < y < z << i.*
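The pool formulas above, carried through in code. This is an added illustration, not Secure3's own grading code; the constants are the percentages and ratios stated on this page, and the sample inputs (a $15,000 contest with 1 critical, 2 medium, 3 low and 10 informational findings) are constructed for the example.

```python
"""Secure3 reward pools, as described on this page (added illustration).

Base pool      : 10% of the total, split equally among auditors with verified bugs
Severity pools : 81% split across Critical/Medium/Low in the ratio 4x : 0.6y : 0.4z
Informational  : 9%, divided equally by the number of informational findings
"""

BASE_SHARE = 0.10           # "Reward Efforts" pool
CML_SHARE = 0.81            # Critical/Medium/Low pool, as a fraction of the total
INFO_SHARE = 0.09           # Informational pool, as a fraction of the total
SEVERITY_RATIO = {"critical": 4.0, "medium": 0.6, "low": 0.4}


def base_reward_per_auditor(total_rewards, auditors_with_verified_bugs):
    """Equal split of the 10% base pool (the $15,000 / 15 auditors example)."""
    if auditors_with_verified_bugs <= 0:
        raise ValueError("at least one auditor with a verified bug is required")
    return total_rewards * BASE_SHARE / auditors_with_verified_bugs


def severity_pools(total_rewards, x, y, z, i):
    """Pool per severity for x critical, y medium, z low and i informational findings.

    Returns a dict keyed by severity. If no Critical/Medium/Low bug was found,
    the 81% pool is reported as 0 for each of those severities (the page does
    not say where it goes in that case).
    """
    counts = {"critical": x, "medium": y, "low": z}
    weighted = {sev: SEVERITY_RATIO[sev] * n for sev, n in counts.items()}
    denominator = sum(weighted.values())      # 4x + 0.6y + 0.4z
    pools = {}
    for sev, w in weighted.items():
        pools[sev] = total_rewards * CML_SHARE * w / denominator if denominator else 0.0
    pools["informational"] = total_rewards * INFO_SHARE
    return pools


def value_per_finding(pools, x, y, z, i):
    """Value of a single finding of each severity, before any quality adjustment."""
    counts = {"critical": x, "medium": y, "low": z, "informational": i}
    return {sev: (pools[sev] / n if n else 0.0) for sev, n in counts.items()}


if __name__ == "__main__":
    # Constructed sample contest: $15,000 total, 15 auditors with verified bugs
    total = 15_000
    print("base reward per auditor:", base_reward_per_auditor(total, 15))
    pools = severity_pools(total, x=1, y=2, z=3, i=10)
    for sev, amount in pools.items():
        print(f"{sev:14s} pool: {amount:10.2f}")
    per_finding = value_per_finding(pools, 1, 2, 3, 10)
    for sev, amount in per_finding.items():
        print(f"{sev:14s} per finding: {amount:10.2f}")
```

With the constructed inputs the Critical pool is $7,593.75 and the Medium and Low pools are $2,278.13 each, which shows the point of the ratio: a single critical finding is worth more than the two medium and three low findings combined, and the four pools plus the base pool always sum to the full reward.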

#### 3. Reward Quality of Findings

We value auditors who provide findings that are:

* **Unique**: No one else found the same issue.
* **High quality**: Includes a clear explanation of the root cause (or reproduction logic) along with an actionable fix plan.

Hence, to determine the reward for the quality of the finding, we have 2 layers of calculation:

* Within the same findings
* Within the same severity level

**Within the Same Findings**

To ensure trustworthy security audits and a competitive incentive model for auditors, we have established clear rubrics for evaluating the validity and quality of each bug. After submission, your findings will be reviewed and graded on a scale of **0-3**:

* **0:** The finding is **NOT** a bug.
* **1:** The bug is found, but there are **no clear or actionable suggestions** provided.
* **2:** Average quality—the finding meets some but not all quality criteria.
* **3:** The finding is valid, with clear explanations, reproduction steps, and actionable fix proposals.

The severity of the bug will also be adjusted during the review. In cases where multiple auditors receive the same score, we guarantee that they will earn equal rewards.

**Within the Same Severity Level**

When not every submission for a finding merits a score of 3, we weight the finding by the highest score any reporter received for it:

* If any submission for the finding scored 3, the reward weight is *w* = *1.2*.
* If the highest score among all submissions for the finding is 2, *w* = *1*.
* If the highest score among all submissions for the finding is 1, *w* = *0.8*.

In simpler terms, if your suggestions are the most concise and actionable, you have the potential to earn **up to 50% more** than those with less effective suggestions.
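The two quality layers applied to one severity pool, as an added illustration rather than Secure3's own grading code. The page states the weights (1.2 / 1 / 0.8 by highest score) and that reporters of the same finding split its reward by score; two details are assumptions made here so that the example runs: the severity pool is split across findings in proportion to their weight *w*, and within a finding each reporter's share is proportional to their score, with a score of 0 earning nothing. The finding IDs, auditor names and scores are constructed.

```python
"""Quality layers of the Secure3 model (added illustration, not Secure3's code).

Input : one severity pool (say the Medium pool) and, for each finding of that
        severity, the grader score (0-3) of every auditor who reported it.
Output: reward per auditor from that pool.

Assumptions beyond the page's text (labelled here and in the lead-in):
  * the pool is split across findings in proportion to each finding's weight w;
  * within a finding, reporters split its share in proportion to their score.
"""

# Weight by the highest score received for the finding (from the page)
WEIGHT_BY_TOP_SCORE = {3: 1.2, 2: 1.0, 1: 0.8}


def finding_weight(scores):
    """w for one finding; a finding whose best submission scored 0 is not a bug."""
    top = max(scores.values(), default=0)
    return WEIGHT_BY_TOP_SCORE.get(top, 0.0)


def distribute_severity_pool(pool, findings):
    """findings: {finding_id: {auditor: score}} -> {auditor: reward}."""
    weights = {fid: finding_weight(scores) for fid, scores in findings.items()}
    total_weight = sum(weights.values())
    rewards = {}
    if total_weight == 0:
        return rewards                      # nothing valid in this severity
    for fid, scores in findings.items():
        # Layer 2: "within the same severity level" - share by weight w (assumption)
        finding_share = pool * weights[fid] / total_weight
        # Layer 1: "within the same finding" - split by score (assumption)
        score_sum = sum(scores.values())
        for auditor, score in scores.items():
            if score <= 0:
                continue                    # score 0: not a bug, no reward
            rewards[auditor] = rewards.get(auditor, 0.0) + finding_share * score / score_sum
    return rewards


def best_vs_worst_ratio():
    """Solo 3-point finding against a solo 1-point finding: the page's 'up to 50% more'."""
    r = distribute_severity_pool(1000.0, {"F-A": {"alice": 3}, "F-B": {"bob": 1}})
    return r["alice"] / r["bob"]


if __name__ == "__main__":
    # Constructed sample: a $1,000 Medium pool with two findings.
    # F-1 was reported by alice (score 3) and bob (score 1); F-2 only by carol (score 2).
    sample = {"F-1": {"alice": 3, "bob": 1}, "F-2": {"carol": 2}}
    for auditor, amount in distribute_severity_pool(1000.0, sample).items():
        print(f"{auditor:6s} {amount:8.2f}")
    print("3-point solo vs 1-point solo:", best_vs_worst_ratio())
```

In the sample, alice's well-documented report lifts finding F-1's weight to 1.2, so F-1 takes $545.45 of the pool against carol's $454.55, and within F-1 alice keeps three quarters of that share; the ratio function confirms that a solo 3-point finding earns exactly 1.5 times a solo 1-point finding, the 50% figure quoted above.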
