Incentive Model

Changelog

Jan 9th, 2024 - test new distribution algorithm, changes include:

  1. Base share change from 10% to 5%

  2. No more separate pool for informational issues

  3. New weight of Critical: Medium: Low: Informational -> 64 : 16 : 4 : 1

How to Win More Rewards - Cheat Sheet

  1. Find more critical bugs

  2. Find Solo bugs that no other auditors find

  3. Write a high-quality summary of the findings

    1. Clear root cause, reproduction logic, or PoC

    2. Actionable fix proposal

  4. Submit as many valid findings as possible

How do Secure3 Graders determine the reward?

  • Everyone who finds a valid bug will split 10% of the total rewards

  • Bugs will have 4 categories:

    • High, Medium, and Low: earn 81% of the reward pool

    • Informational: earn 9% of the reward pool

  • The rewards ratio of High, Medium, and Low findings is 4: 0.6: 0.4

  • We will score each auditor's findings from 0 to 3:

    • 0: the finding is not a bug

    • 1: the finding is a bug, but the auditor does not provide a clear explanation and actionable fix proposal

    • 3: the finding is a bug, with a clear explanation, how to reproduce it, and an actionable fix proposal

    • 2: everything else

  • Auditors who find the same bug will split the reward for that bug based on the score

Reward distribution logic: Details

The final reward you can get as an auditor will solely depend on three dimensions:

  • Your effort

  • The severity of your findings

  • The quality of your findings

Reward Efforts

  • If nobody finds a single bug in an audit, every participant equally splits 10% of the total pool as a reward for their efforts.

  • We are confident that given the qualities of our auditors, there will be bugs found. Thus, as long as you find something verified by our reviewers, you are able to get an equal share of the 10% Base.

For example, if the total reward is $15000 and 15 auditors find verified bugs, then the reward for their effort is $15000 * 10% / 15 = $100 for each auditor.

Reward Severity

We reward your findings based on severity and quality. The performance portion (90% of the total reward) will be divided into two pools:

  • Critical/Medium/Low (81%)

  • Informational (9%)

For the definition of severity, please refer to Security Vulnerability Severity: Definition. Feedback on the severity level definition is welcomed!

As the total number of bugs found in each project varies, we define the ratio of earnings between Critical: Medium: Low bugs to be 4: 0.6: 0.4. The Informational pool is divided equally by the number of informational findings.

Say a total of x critical bugs, y medium bugs, z low bugs, and i informational bugs are found. The reward pool for each severity is:

  • Criticalshare = TotalRewards * 81% * 4x / (4x + 0.6y + 0.4z)

  • Mediumshare = TotalRewards * 81% * 0.6y / (4x + 0.6y + 0.4z)

  • Lowshare = TotalRewards * 81% * 0.4z / (4x + 0.6y + 0.4z)

  • Infoshare = TotalRewards * 9%

Empirically, x < y < z << i

Reward Quality of Findings

We value auditors who provide findings that:

  • Are unique (no one else found it)

  • Are of high quality, with a clear explanation of the root cause (or reproduction logic) and an actionable fix plan

Hence, to determine the reward for the quality of the finding, we have 2 layers of calculation:

  1. Within the same findings

  2. Within the same severity level

Within the Same Findings

As we aim to provide trustworthy security audits for projects and a competitive incentive model for auditors, we clearly define the rubrics on how we should evaluate the validity and quality of each bug. After your submission, your findings will be reviewed, and graded on a scale of 0-3:

  • 0: the finding is NOT a bug at all.

  • 1: Only found the bug, but no clear/actionable suggestions or explanations were provided.

  • 3: The finding is correct, and the auditor provided correct and very actionable fix suggestions or explanations.

  • 2: Everything else.

The severity of the bug will also be adjusted during the review. Sometimes people get tied for the final score. We guarantee that people with the same score will earn the same reward.

Within the Same Severity Level

There are cases where the quality of suggestions does not earn 3 points in the metrics. In that case, we weight each individual finding by the highest score among the reports submitted for it:

  • If there exist 3-point findings, reward weight w = 1.2

  • If the highest point of all reported bugs on this finding is 2, w = 1

  • If the highest point of all reported bugs on this finding is 1, w = 0.8

Simply put, if your suggestions are the most concise and actionable ones, you have the potential to earn 50% more than mediocre suggestions.
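The distribution described under "Reward distribution logic: Details", worked through in Python as an added example; this is not Secure3's own code. It assumes that x, y, z and i count unique findings, that a finding's share of its severity pool is proportional to w, that auditors who report the same finding split it in proportion to their scores, and that w is not applied to informational findings. The auditor names and sample findings are constructed.

```python
BASE, CML, INFO = 0.10, 0.81, 0.09   # shares of the total reward, as stated on the page
RATIO = {"critical": 4.0, "medium": 0.6, "low": 0.4}
W = {3: 1.2, 2: 1.0, 1: 0.8}         # weight w, keyed by the best score on a finding

def severity_pools(total, counts):
    """Pool per severity for counts = {'critical': x, 'medium': y, 'low': z}."""
    denom = sum(RATIO[s] * counts.get(s, 0) for s in RATIO)
    pools = {s: total * CML * RATIO[s] * counts.get(s, 0) / denom if denom else 0.0
             for s in RATIO}
    pools["informational"] = total * INFO
    return pools

def distribute(total, findings):
    """findings: list of (severity, {auditor: score 0-3}); returns {auditor: reward}."""
    # A score of 0 means "not a bug": drop those reports, then findings left empty.
    valid = [(sev, {a: s for a, s in sc.items() if s > 0}) for sev, sc in findings]
    valid = [(sev, sc) for sev, sc in valid if sc]
    auditors = sorted({a for _, sc in valid for a in sc})
    if not auditors:
        return {}
    counts = {}
    for sev, _ in valid:
        counts[sev] = counts.get(sev, 0) + 1
    pools = severity_pools(total, counts)
    payout = {a: total * BASE / len(auditors) for a in auditors}  # equal base share
    for sev, pool in pools.items():
        group = [sc for s, sc in valid if s == sev]
        # Assumption: w applies to Critical/Medium/Low; informational is split equally.
        weights = [1.0 if sev == "informational" else W[max(sc.values())]
                   for sc in group]
        for sc, w in zip(group, weights):
            reward = pool * w / sum(weights)
            for a, s in sc.items():  # assumption: split in proportion to score
                payout[a] += reward * s / sum(sc.values())
    return payout

# Constructed sample: one critical, one medium, two low, one informational finding.
SAMPLE = [
    ("critical", {"alice": 3, "bob": 1, "dave": 0}),  # dave's report is not a bug
    ("medium", {"bob": 2}),
    ("low", {"carol": 3}),                            # best score 3 -> w = 1.2
    ("low", {"bob": 1}),                              # best score 1 -> w = 0.8
    ("informational", {"alice": 2, "carol": 2}),
]

if __name__ == "__main__":
    for name, amount in distribute(15000, SAMPLE).items():
        print(f"{name}: ${amount:,.2f}")
```

The two low findings show the effect of w: the solo low finding scored 3 receives 1.2 / 0.8 = 1.5 times the reward of the one scored 1.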
