Incentive Model

Changelog

Jan 9th, 2024 - test new distribution algorithm, changes include:

  1. Base share change from 10% to 5%

  2. No more separate pool for informational issues

  3. New weight of Critical : Medium : Low : Informational -> 64 : 16 : 4 : 1

The sections below still describe the model as it stood before these changes (10% base share, a separate 9% Informational pool, and 4 : 0.6 : 0.4 severity weights).


How to Win More Rewards - Cheat Sheet

To maximize your rewards, consider the following strategies:

  1. Find more critical bugs

  2. Find solo bugs that no other auditor finds

  3. Write a high-quality summary of each finding

    • A clear root cause, reproduction logic, or PoC

    • An actionable fix proposal

  4. Submit as many valid findings as possible


How do Secure3 Graders determine the reward?

Bug Categorization & Reward Share

Every auditor who reports at least one valid bug gets an equal share of 10% of the total reward (the base share). The remaining 90% is paid out by severity, with percentages measured against the total reward:

  • Critical (also written High), Medium, and Low: 81% of the total reward

  • Informational: 9% of the total reward

Within the Critical/Medium/Low pool, each finding is weighted by severity in the ratio Critical : Medium : Low = 4 : 0.6 : 0.4.

Scoring System for Findings

Auditors' findings are rated on a scale of 0-3:

  • 0: Not a bug.

  • 1: Bug found, but no clear explanation or actionable fix provided.

  • 2: Average quality.

  • 3: Bug verified, with clear explanations, reproduction steps and actionable fix proposals.

Rewards for each bug are shared based on the score, ensuring that auditors who find the same bug split the reward according to their respective scores.

Reward Distribution Logic

The final reward you can get as an auditor will solely depend on three dimensions:

1. Reward Efforts

If nobody finds a single verified bug in an audit contest, every participant splits 10% of the total pool equally, to reward the effort spent.

We believe in the capabilities of our auditors and are confident that bugs will be discovered. In the normal case, therefore, the 10% base reward is split equally among the auditors who report at least one verified issue; auditors with no verified finding do not share in it.

Example: If the total reward is $15,000 and 15 auditors report verified bugs, each of them receives: Reward per auditor = $15,000 * 10% / 15 = $100

2. Reward Severity

We reward your findings based on severity and quality. The performance portion (90% of the total reward) is divided into two pools, each stated as a share of the total reward:

  • Critical/Medium/Low: 81%

  • Informational: 9%

For the definition of severity, please refer to Security Vulnerability Severity. Feedback on the severity level definition is welcomed!

Because the number of bugs found varies from project to project, the Critical, Medium, and Low pools are not fixed amounts: each finding is weighted 4 (Critical), 0.6 (Medium), or 0.4 (Low), and the 81% pool is split across the three severities in proportion to the summed weights. The 9% Informational pool is divided equally by the number of Informational findings.

Let's say there are in total x critical bugs, y medium bugs, z low bugs, and i informational bugs found. The reward pool for each severity is:

  • CriticalShare = TotalRewards * 81% * 4x / (4x + 0.6y + 0.4z)

  • MediumShare = TotalRewards * 81% * 0.6y / (4x + 0.6y + 0.4z)

  • LowShare = TotalRewards * 81% * 0.4z / (4x + 0.6y + 0.4z)

  • InfoShare = TotalRewards * 9%

Each pool is then divided among the findings of that severity (and, within a finding, among the auditors who reported it) as described under Reward Quality of Findings below.

Empirically, x < y < z << i.

3. Reward Quality of Findings

We value auditors who provide findings that are:

  • Unique: No one else found the same issue.

  • High quality: Includes a clear explanation of the root cause (or reproduction logic) along with an actionable fix plan.

Hence, to determine the reward for the quality of a finding, we apply two layers of calculation:

  • Within the same findings

  • Within the same severity level

Within the Same Findings

To ensure trustworthy security audits and a competitive incentive model for auditors, we have established clear rubrics for evaluating the validity and quality of each bug. After submission, your findings will be reviewed and graded on a scale of 0-3:

  • 0: The finding is NOT a bug.

  • 1: The bug is found, but there are no clear or actionable suggestions provided.

  • 2: Average quality—the finding meets some but not all quality criteria.

  • 3: The finding is valid, with clear explanations, reproduction steps, and actionable fix proposals.

The severity of the bug will also be adjusted during the review. In cases where multiple auditors receive the same score, we guarantee that they will earn equal rewards.

Within the Same Severity Level

Within a severity level, each finding is weighted by the highest score that any report of that finding received, so a bug nobody described with an actionable fix is worth less than one that was:

  • If at least one report of the finding scored 3, reward weight w = 1.2.

  • If the highest score among all reports of the finding is 2, w = 1.

  • If the highest score among all reports of the finding is 1, w = 0.8.

In simpler terms, a finding backed by a concise, actionable fix (w = 1.2) carries 1.5 times the weight of one reported as a bare claim (w = 0.8), so the best write-up can earn up to 50% more than the weakest one for a bug of the same severity.
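The three dimensions above (effort, severity, quality) compose into one distribution procedure. The following is an added worked example that implements it end to end; it is not Secure3's grading code and the contest data in it is constructed. Where the page leaves details open, the code makes these labelled assumptions: a finding's slice of its severity pool is proportional to its weight w, reporters of the same finding split that slice in proportion to their scores, w is not applied to the Informational pool (the page says that pool is divided equally by number of findings), and a pool with no valid finding in it goes unpaid. Fractions are used so that the totals reconcile exactly.

```python
from collections import defaultdict
from fractions import Fraction as F

# Shares and weights as stated on this page (the pre-January-2024 model).
BASE_SHARE = F(10, 100)        # split equally among auditors with a verified finding
CML_POOL_SHARE = F(81, 100)    # Critical/Medium/Low pool, as a share of the total
INFO_POOL_SHARE = F(9, 100)    # Informational pool, as a share of the total
SEVERITY_WEIGHT = {"critical": F(4), "medium": F(6, 10), "low": F(4, 10)}
QUALITY_WEIGHT = {3: F(12, 10), 2: F(1), 1: F(8, 10)}   # keyed by highest score on the finding


def valid_reports(finding):
    """Reports scored 1-3. A score of 0 means 'not a bug' and earns nothing."""
    return {auditor: score for auditor, score in finding["reports"].items() if score >= 1}


def distribute(total, participants, findings):
    """Return {auditor: payout as Fraction}.

    `findings` is a list of {"severity": ..., "reports": {auditor: score}};
    duplicate reports of the same bug are collapsed into one finding so that
    its reporters split that finding's slice by score (assumption).
    """
    total = F(total)
    payout = defaultdict(F)
    findings = [f for f in findings if valid_reports(f)]     # drop findings graded 0 by everyone

    # 1. Effort: 10% split equally among auditors with a verified finding,
    #    or among every participant if nothing valid was found.
    earners = {a for f in findings for a in valid_reports(f)} or set(participants)
    if not earners:
        return {}
    for auditor in earners:
        payout[auditor] += total * BASE_SHARE / len(earners)

    # 2. Severity: size each pool from the counts x, y, z of valid findings.
    by_sev = defaultdict(list)
    for f in findings:
        by_sev[f["severity"]].append(f)
    denom = sum(SEVERITY_WEIGHT[s] * len(by_sev[s]) for s in SEVERITY_WEIGHT)
    pools = {}
    for sev, weight in SEVERITY_WEIGHT.items():
        if by_sev[sev]:                                        # denom > 0 whenever this holds
            pools[sev] = total * CML_POOL_SHARE * weight * len(by_sev[sev]) / denom
    if by_sev["informational"]:
        pools["informational"] = total * INFO_POOL_SHARE

    # 3. Quality: split a pool across its findings by w(highest score), then split
    #    each finding's slice among its reporters in proportion to their scores.
    for sev, pool in pools.items():
        group = by_sev[sev]
        if sev == "informational":
            weights = [F(1)] * len(group)   # page: "equally divided by the number of findings"
        else:                               # assumption: w applies to the Critical/Medium/Low pools only
            weights = [QUALITY_WEIGHT[max(valid_reports(f).values())] for f in group]
        for f, w in zip(group, weights):
            finding_slice = pool * w / sum(weights)
            reports = valid_reports(f)
            for auditor, score in reports.items():
                payout[auditor] += finding_slice * score / sum(reports.values())
    return dict(payout)


# Constructed sample contest (not real data): four auditors, six submissions.
CONTEST_TOTAL = 15000
PARTICIPANTS = ["alice", "bob", "carol", "dave"]
FINDINGS = [
    {"severity": "critical", "reports": {"alice": 3, "bob": 1}},   # same bug; alice had a PoC, bob a bare claim
    {"severity": "medium", "reports": {"carol": 2}},                # solo finding
    {"severity": "low", "reports": {"bob": 2, "carol": 2}},         # same score, equal split
    {"severity": "low", "reports": {"dave": 0}},                    # graded "not a bug"
    {"severity": "informational", "reports": {"alice": 2}},
    {"severity": "informational", "reports": {"bob": 3}},
]

if __name__ == "__main__":
    result = distribute(CONTEST_TOTAL, PARTICIPANTS, FINDINGS)
    for auditor in PARTICIPANTS:
        print(f"{auditor:>6}: ${float(result.get(auditor, 0)):,.2f}")
    print(f" total: ${float(sum(result.values())):,.2f}")
```

On the sample contest the critical pool is $15,000 * 81% * 4 / (4 + 0.6 + 0.4) = $9,720, and alice takes three quarters of it for the same bug bob reported with a bare claim. dave, whose only submission was graded 0, receives nothing at all, including no base share, which is the behaviour the Reward Efforts section describes. The payouts reconcile to the full $15,000 because every pool contains at least one valid finding.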
