# bug-bounty

Bug bounty program management and security disclosure expertise for smart contracts. Covers program setup on Immunefi, vulnerability triage, responsible disclosure coordination, bounty payments, and post-disclosure analysis.

Install: `npx add-skill https://github.com/a5c-ai/babysitter/tree/main/library/specializations/cryptography-blockchain/skills/bug-bounty`
# Bug Bounty/Security Disclosure Skill

Expert management of bug bounty programs and responsible security disclosure for blockchain protocols.

## Capabilities
- Program Setup: Configure bug bounty programs on Immunefi and other platforms
- Scope Definition: Define assets, severity tiers, and exclusions
- Vulnerability Triage: Assess and validate security reports
- Responsible Disclosure: Coordinate disclosure timelines and communications
- Bounty Management: Calculate and process bounty payments
- Post-Disclosure: Conduct post-mortem analysis and lessons learned
## MCP/Tool Integration
| Tool | Purpose | Reference |
|---|---|---|
| Trail of Bits Skills | Security analysis, property testing | building-secure-contracts |
| Slither MCP | Static analysis for validation | slither-mcp |
| Phalcon MCP | Transaction analysis | phalcon-mcp |
## Bug Bounty Program Setup

### Immunefi Program Structure

```yaml
program:
  name: "Protocol Name"
  website: "https://protocol.xyz"
  assets:
    smart_contracts:
      - type: "Smart Contract"
        target: "0x..."
        severity: "Critical"
    websites:
      - type: "Web Application"
        target: "https://app.protocol.xyz"
        severity: "High"
  severity_levels:
    critical:
      range: "$100,000 - $1,000,000"
      description: "Direct theft of funds, permanent freezing"
    high:
      range: "$10,000 - $100,000"
      description: "Theft requiring user action, temporary freezing"
    medium:
      range: "$1,000 - $10,000"
      description: "Griefing, DoS with medium impact"
    low:
      range: "$100 - $1,000"
      description: "Minor issues, informational"
  exclusions:
    - "Issues in test files"
    - "Third-party dependencies"
    - "Issues requiring admin key compromise"
    - "Front-running issues without significant impact"
```
### Severity Classification
| Severity | Impact | Examples |
|---|---|---|
| Critical | Direct fund loss, protocol takeover | Reentrancy draining funds, access control bypass |
| High | Significant fund loss, protocol disruption | Oracle manipulation, flash loan attacks |
| Medium | Limited fund loss, degraded functionality | Griefing attacks, minor calculation errors |
| Low | No fund loss, minor issues | Gas inefficiency, informational findings |
## Vulnerability Triage Workflow

### 1. Initial Assessment

```markdown
## Triage Checklist
- [ ] Report is within program scope
- [ ] Vulnerability is reproducible
- [ ] Impact assessment is accurate
- [ ] No duplicate of existing report
- [ ] Not a known issue or design decision

## Initial Classification
| Field | Value |
|-------|-------|
| Report ID | BB-2024-XXX |
| Submission Date | YYYY-MM-DD |
| Reporter | @handle |
| Asset Affected | Contract/URL |
| Initial Severity | Critical/High/Medium/Low |
| Status | Triaging |
```

### 2. Validation Process

```bash
# Clone and set up the test environment
git clone <protocol-repo>
cd protocol

# Run the PoC test the reporter supplied (or one written from the report)
forge test --match-test test_VulnerabilityPoC -vvvv

# Run the same test against a mainnet fork to confirm it reproduces on deployed state
forge test --fork-url $MAINNET_RPC --match-test test_VulnerabilityPoC
```
### 3. Severity Adjustment

Consider:
- Likelihood: How likely is exploitation?
- Impact: What is the maximum damage?
- Complexity: What resources are needed?
- User Interaction: Does it require victim action?

`Final Severity = Base Impact - Mitigating Factors + Aggravating Factors`
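The adjustment rule above is easy to apply inconsistently across triagers unless the factors and their weights are written down. The following is an added example, not code from the skill or the babysitter project: it applies the rule on an ordinal scale over the program's four tiers, clamps the result, and returns the rationale so it can be pasted into the severity-confirmation message. The factor names and unit weights are assumptions chosen for illustration; a real program would fix them in its terms.

```javascript
// Added example (not part of the skill's own code): applies
//   Final Severity = Base Impact - Mitigating Factors + Aggravating Factors
// on an ordinal scale and clamps the result to the program's four tiers.
const TIERS = ["Low", "Medium", "High", "Critical"];

// Factor names and unit weights are assumptions for this example; each maps to
// one of the four questions above (Likelihood, Impact, Complexity, User Interaction).
const MITIGATING = {
  requiresVictimAction: 1, // User Interaction: victim must sign or approve something
  highComplexity: 1,       // Complexity: needs large capital or rare on-chain conditions
  lowLikelihood: 1,        // Likelihood: preconditions unlikely to occur in practice
};
const AGGRAVATING = {
  unboundedImpact: 1,      // Impact: loss is not capped per transaction
  noPrerequisites: 1,      // Likelihood: exploitable by any account right now
};

// baseImpact is the tier the report's impact alone would earn; factors is an
// object of booleans keyed by the names above.
function adjustSeverity(baseImpact, factors = {}) {
  const base = TIERS.indexOf(baseImpact);
  if (base < 0) throw new Error(`unknown tier: ${baseImpact}`);
  let score = base;
  const rationale = [];
  for (const [name, weight] of Object.entries(MITIGATING)) {
    if (factors[name]) { score -= weight; rationale.push(`-${weight} ${name}`); }
  }
  for (const [name, weight] of Object.entries(AGGRAVATING)) {
    if (factors[name]) { score += weight; rationale.push(`+${weight} ${name}`); }
  }
  // Clamp: never above Critical, and a real but heavily mitigated issue still
  // lands at Low rather than being rejected outright.
  const clamped = Math.max(0, Math.min(TIERS.length - 1, score));
  return { severity: TIERS[clamped], rationale };
}

// Example: a fund-draining bug that only works if the victim approves a malicious spender.
console.log(adjustSeverity("Critical", { requiresVictimAction: true }));
```

The rationale array is the piece worth keeping: when a reporter disputes the downgrade, the program can point at the named factor rather than re-litigating the whole assessment.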
## Responsible Disclosure Process

### Timeline

```text
Day 0:     Report received
Day 1-3:   Initial triage and acknowledgment
Day 3-7:   Validation and severity confirmation
Day 7-14:  Fix development
Day 14-21: Fix review and testing
Day 21-30: Coordinated disclosure preparation
Day 30+:   Public disclosure (if agreed)
```
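A timeline is only a commitment if someone checks it. The block below is an added example, not the skill's own code: it turns the milestones above into per-report due dates and flags any that are overdue or were closed late, which is the input a triage rotation needs to escalate a stalled report. The report record shape (a received date plus a map of milestone name to completion date) and the sample report are constructed for this example.

```javascript
// Added example (not part of the skill): milestone tracking for one report
// against the disclosure timeline above. Day 0 is the day the report arrived.
const MILESTONES = [
  { name: "Initial triage and acknowledgment", dueDay: 3 },
  { name: "Validation and severity confirmation", dueDay: 7 },
  { name: "Fix development", dueDay: 14 },
  { name: "Fix review and testing", dueDay: 21 },
  { name: "Coordinated disclosure preparation", dueDay: 30 },
];

const DAY_MS = 24 * 60 * 60 * 1000;
const addDays = (date, days) => new Date(date.getTime() + days * DAY_MS);
const isoDay = (date) => date.toISOString().slice(0, 10);

// reportReceived and now are ISO dates; completed maps milestone name -> ISO
// completion date (record shape assumed for this example).
function disclosureStatus(reportReceived, completed, now) {
  const received = new Date(reportReceived);
  const today = new Date(now);
  const daysElapsed = Math.floor((today - received) / DAY_MS);
  const milestones = MILESTONES.map((m) => {
    const due = addDays(received, m.dueDay);
    const doneOn = completed[m.name] ? new Date(completed[m.name]) : null;
    let status;
    if (doneOn) status = doneOn <= due ? "done" : "done-late";
    else status = today > due ? "overdue" : "pending";
    return { name: m.name, due: isoDay(due), status };
  });
  return {
    daysElapsed,
    overdue: milestones.filter((m) => m.status === "overdue").map((m) => m.name),
    milestones,
  };
}

// Constructed sample: report received 1 March, acknowledged next day,
// validation finished a day late, fix not yet delivered on 16 March.
const SAMPLE_REPORT = {
  received: "2024-03-01",
  completed: {
    "Initial triage and acknowledgment": "2024-03-02",
    "Validation and severity confirmation": "2024-03-09",
  },
};

function sampleStatus() {
  return disclosureStatus(SAMPLE_REPORT.received, SAMPLE_REPORT.completed, "2024-03-16");
}

console.log(JSON.stringify(sampleStatus(), null, 2));
```

Running this daily over the open-report queue and escalating anything in `overdue` is the concrete form of the "triage rotation, clear escalation" fix listed under Common Issues below.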
### Communication Templates

Acknowledgment:

```text
Subject: [BB-XXXX] Report Acknowledged

Dear Security Researcher,

Thank you for your submission to our bug bounty program. We have received
your report and assigned it reference number BB-XXXX.

Our security team is currently reviewing your submission. We will provide
an initial assessment within 3 business days.

Timeline:
- Initial response: 24-72 hours
- Severity assessment: 3-7 days
- Fix timeline: TBD based on severity

Best regards,
Security Team
```

Severity Confirmation:

```text
Subject: [BB-XXXX] Severity Assessment Complete

Dear Security Researcher,

After thorough review, we have assessed your vulnerability report:

Severity: [CRITICAL/HIGH/MEDIUM/LOW]
Bounty Range: $X - $Y
Fix Timeline: X days

[Details of assessment]

Next Steps:
1. Fix development (ETA: X days)
2. Fix verification with your input
3. Coordinated disclosure discussion

Best regards,
Security Team
```
## Bounty Calculation

### Factors

Each adjustment is a multiplier the triager picks from a range; the original sketch wrote the ranges as `1.0 - 1.5`, which JavaScript evaluates as subtraction, and referenced an undefined `getSeverityBase`. The version below is runnable: the range stays in the comment, the default of `1.0` leaves the base bounty unchanged, and the per-tier base is taken as the lower bound of the severity ranges in the program config above.

```javascript
// Base bounty per tier: the lower bound of each severity range in the program config above.
function getSeverityBase(severity) {
  const bases = { critical: 100000, high: 10000, medium: 1000, low: 100 };
  const base = bases[String(severity).toLowerCase()];
  if (base === undefined) throw new Error(`unknown severity: ${severity}`);
  return base;
}

// Multipliers are chosen per report by the triager; the comments give the allowed range.
// Defaults of 1.0 leave the base bounty unchanged.
function bountyCalculation(severity, chosen = {}) {
  return {
    baseBounty: getSeverityBase(severity), // Based on tier
    adjustments: {
      qualityOfReport: 1.0,     // 1.0 - 1.5: well-documented PoC
      impactAccuracy: 1.0,      // 0.8 - 1.2: accurate impact assessment
      firstReporter: 1.0,       // 1.0: first to report
      duplicatePartial: 1.0,    // 0.0 - 0.5 for a partial duplicate, else 1.0
      responsibleBehavior: 1.0, // 1.0 - 1.2: no public disclosure
      ...chosen
    },
    calculate() {
      const a = this.adjustments;
      return this.baseBounty * a.qualityOfReport * a.impactAccuracy *
        a.responsibleBehavior * a.firstReporter * a.duplicatePartial;
    }
  };
}

// Example: a High report with a well-documented PoC, disclosed responsibly.
bountyCalculation("High", { qualityOfReport: 1.5, responsibleBehavior: 1.2 }).calculate(); // 18000
```
### Payment Process
- Verify Identity: KYC requirements for large bounties
- Payment Method: Crypto (USDC, ETH) or fiat
- Tax Documentation: W-9 (US) or W-8BEN (non-US)
- Confirmation: Receipt and acknowledgment
## Post-Disclosure Analysis

### Post-Mortem Template

```markdown
# Security Incident Post-Mortem: [Title]

## Summary
- **Date Discovered**: YYYY-MM-DD
- **Date Fixed**: YYYY-MM-DD
- **Severity**: Critical/High/Medium/Low
- **Bounty Paid**: $X

## Root Cause
[Detailed explanation of the vulnerability]

## Timeline
| Time | Event |
|------|-------|
| T+0h | Report received |
| T+2h | Triage complete |
| T+24h | Fix developed |
| T+48h | Fix deployed |
| T+168h | Public disclosure |

## Technical Details
[Code snippets, attack vectors, affected functions]

## Fix Implementation
[How the issue was resolved]

## Lessons Learned
1. [Lesson 1]
2. [Lesson 2]
3. [Lesson 3]

## Process Improvements
- [ ] Improvement 1
- [ ] Improvement 2
```
## Process Integration

This skill integrates with:

- `bug-bounty-program.js` - Full program management process
- `incident-response-exploits.js` - Exploit response coordination
- `smart-contract-security-audit.js` - Pre-launch security review

## Immunefi Best Practices

### Program Configuration
- Clear Scope: List all in-scope assets with addresses
- Realistic Bounties: Competitive with market rates
- Response SLA: Commit to specific timelines
- Safe Harbor: Protect researchers acting in good faith
### Common Issues
| Issue | Solution |
|---|---|
| Slow response | Set up triage rotation, clear escalation |
| Scope disputes | Pre-define edge cases in program terms |
| Severity disagreements | Use CVSS scoring, document rationale |
| Payment delays | Pre-fund bounty pool, streamline KYC |
## Security Advisory Format

### GitHub Security Advisory

```markdown
## Summary
[Brief description]

## Severity
[CVSS Score] - [Critical/High/Medium/Low]

## Affected Versions
- >= 1.0.0, < 1.2.3

## Patches
Fixed in version 1.2.3

## Workarounds
[If applicable]

## References
- [Link to fix PR]
- [Related documentation]

## Credits
Thanks to @researcher for responsible disclosure
```
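The "Affected Versions" line is what integrators act on, so its range syntax has to be parsed the same way by everyone who reads the advisory. The block below is an added example, not code from the skill: it parses the `>= 1.0.0, < 1.2.3` form used in the template above (comma-separated clauses that must all hold), compares plain `x.y.z` versions numerically rather than as strings, and reports whether a given deployed version is affected. Dependency-free; prerelease tags and wildcards are deliberately out of scope and rejected.

```javascript
// Added example (not part of the skill): evaluate an advisory's "Affected
// Versions" range against a deployed version. Plain x.y.z semver only.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric per-component compare, so 1.10.0 > 1.2.3 (a string compare gets this wrong).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const OPS = {
  ">=": (c) => c >= 0,
  ">": (c) => c > 0,
  "<=": (c) => c <= 0,
  "<": (c) => c < 0,
  "=": (c) => c === 0,
};

// One range line is a comma-separated conjunction of clauses; a bare version means "= version".
function parseRange(range) {
  return range.split(",").map((clause) => {
    const m = /^\s*(>=|<=|>|<|=)?\s*v?(\d+\.\d+\.\d+)\s*$/.exec(clause);
    if (!m) throw new Error(`bad range clause: "${clause}"`);
    return { op: m[1] || "=", bound: m[2] };
  });
}

function isAffected(version, range) {
  return parseRange(range).every(({ op, bound }) => OPS[op](compareVersions(version, bound)));
}

// An advisory may list several range lines (one per affected release line);
// the version is affected if any line matches.
function affectedByAdvisory(version, rangeLines) {
  return rangeLines.some((r) => isAffected(version, r));
}

// Constructed sample taken from the template above.
const ADVISORY_RANGES = [">= 1.0.0, < 1.2.3"];
console.log("1.1.0 affected:", affectedByAdvisory("1.1.0", ADVISORY_RANGES)); // true
console.log("1.2.3 affected:", affectedByAdvisory("1.2.3", ADVISORY_RANGES)); // false
```

The exclusive upper bound matches the template's "Fixed in version 1.2.3": the patched release itself must evaluate as not affected, which is the first thing to check when writing the range.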
## See Also

- `agents/incident-response/AGENT.md` - Incident response expert
- `smart-contract-security-audit.js` - Security audit process
- `references.md` - Security disclosure resources