Bug bounty

A program that pays security researchers for disclosing vulnerabilities responsibly.

A bug bounty program pays ethical hackers to find and report vulnerabilities through responsible disclosure rather than exploit them publicly. Web3 bug bounties run mainly through Immunefi, with payouts scaling from $5K for low-severity bugs to over $10M for critical findings on large-TVL protocols.

A bug bounty without significant payout caps is mostly theater. A $50K max bounty on a $5B TVL protocol implies the team values their own assets less than a serious researcher's time. Onyx weights bounty size against TVL when scoring.

RELATED
Smart contract audit
Exploit
TVL (Total Value Locked)