Background: Nyzo has benefited immensely from a distributed, decentralized development group comprising both the core developers and many others who have contributed important security and usability fixes to the project. Before the institution of the cycle account fund (https://nyzo.co/cycleFunding), these issues were funded directly by generous donations from the development team (Example of bounty payments: https://nyzo.co/releaseNotes/541). As the custodians of the cycle fund, the mesh as a whole should be obligated to fund continuing development.
Update 2019-11-14: Due to feedback from multiple users, development incentives and expenses for the core Nyzo Dev Team will be separated into NCFP-3 (Development Incentives and Operating Expenses for the Nyzo Dev Team, legacy) and NCFP-4 (Recurring Development Incentives and Operating Expenses for the Nyzo Dev Team). NCFP-2 will be intended for 3rd-party development of the Nyzo blockchain. For those matters, please comment on the appropriate topics.
Proposal: This will be a recurring proposal. Subproposals will be designated NCFP-2.1, NCFP-2.2, etc.
The proposal would work roughly as follows:
Submission phase: Anyone is able to submit completed development work for consideration of funding. Projects are listed without consideration of funding amount. This phase will typically take a few weeks. Recurrent funding for an existing project (e.g. the core dev team) will be indicated as such.
Funding phase: All submissions for the previous phase are locked. New submissions of course can be made, but will go into the next NCFP-2.x subproposal.
Submissions for the previous phase will be assigned bounty values following discussion on forum.nyzo.community, using the guidelines originally proposed by @nyzo. These guidelines should be subject to change after community discussion (ed: where?) if the underlying token fluctuates significantly in value.
If you find bugs and report them to us, we will reward you with coins through our bounty program. The reward for stability issues starts at ∩10,000, and the reward for security issues starts at ∩50,000. Rewards increase according to the severity of issues and quality of the report. We reserve the right to determine reward amounts, and our judgment on reward amounts is final. We also reserve the right to change minimum reward amounts or discontinue this program at any time without advance notice. There is no pre-determined limit on the amount of an individual reward, but all rewards over ∩100,000 will be announced when the first payment is made and divided into weekly payments of no more than ∩100,000 each (∩100,000 is 0.1% of all coins in the system, so it is a lot of coins).
In short, stability issues and features should be funded starting at ∩10,000, and security issues at ∩50,000. For critical security issues, responsible disclosure will be used. The rules for responsible disclosure will roughly parallel those of BitPay (https://support.bitpay.com/hc/en-us/articles/204229369-Does-BitPay-have-a-bug-bounty-program-), namely:
- Adhere to the Responsible Disclosure Policy above
- Do not attempt to gain access to another user’s account or information (use your own test accounts)
- Report only original and previously undisclosed bugs
- Do not disclose a bug publicly before it has been fixed
- Do not use scanners or automated tools to find bugs
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
- Do not attack the reliability or integrity of our services (e.g., no DDoS attacks, blackhat SEO techniques, spamming, or similar questionable acts)
Similarly, certain classes of bugs are excluded from the bounty program, namely:
- Software packages not produced by the @nyzo core team
- Domains hosted by third parties
- Nyzo-branded services operated by third parties
- Nyzo projects outside the scope of the Nyzo GitHub (github.com/n-y-z-o)
- Nyzo domains or services operated by third parties (e.g. merchants, exchanges, etc.)
Critical security issues should not be posted in this forum, and instead should be directly disclosed to @nyzo or a forum/Discord moderator. At the sole discretion of @nyzo or a forum/Discord moderator, disclosure of the issue will be permitted on forum.nyzo.community as appropriate.
At the end of this phase, transactions from the cycle account to accounts designated by accounts held by developers will be made. Using an Agent would be optional.
Voting phase: All submissions and funding amounts are locked, and cycle transactions have been sent (anyone can do this, but generally it’s probably preferable for community members with more experience to set up the transactions). A suitable block height is chosen. The mesh votes on the proposal.
Chief risks and mitigation: To be completed for subproposals.
Certification: Posting of this proposal on forum.nyzo.community should be considered as authoritative. Subproposals will be certified separately.