A bug bounty is a program, usually run via a platform like Immunefi, HackenProof, or Code4rena, that pays cash rewards to security researchers who privately disclose vulnerabilities.
For DeFi, bug bounties are the third leg of a serious security posture, after audits and continuous monitoring. They cover the cases audits miss: reviewers who would never have been hired by your firm, time horizons longer than a 4-week audit, and economic incentives aligned with disclosure rather than exploitation.
A serious program has:
- A scope statement listing what's in and out.
- A severity matrix (e.g., Immunefi's classification system) tying impact to payout.
- Payout sizes proportional to the value at risk; a $50k cap on a protocol holding $500M of TVL is not a credible deterrent.
- A defined response SLA for triage, payout, and disclosure.
The largest bounties paid in DeFi history have been seven and eight figures, and almost always saved more than they paid.