The Satoshi UTO Fund (SUF) is the public-governance treasury in DAism’s original Proof-of-Love (PoL) consensus mechanism. Its total supply is **1.15792 × 10⁶⁹ jeedd** (under the token-denomination system of PoL, 1 UTO **≡** 1 jeedd).

The **Security Bounty for Smart Commons (SBFSC)** is the first practical application of this fund, dedicated to safeguarding the security of all smart commons, including the fund itself.

Governance Objectives of SBFSC

In short: **No Hacking** and **AI Autonomous Decision**!

No Hacking is a hacker revolution:

1. No more asset theft that causes user losses and hinders the development of smart commons.
2. More ingeniously, SBFSC creates a new security-collaboration paradigm that turns all hackers into security collaborators.

No Hacking is a great revolution for the Internet!

AI Autonomous Decision:

1. A brief transition is required: human–AI collaboration. Full automation is only a matter of time.
   - Users may employ AI to analyze and fix bugs. A human can still be the lead analyst—e.g., by patiently prompting the AI to uncover a bug.
   - At the same time, we must begin designing an autonomous AI workflow—such as listening for Mint events of a smart commons so that the AI immediately launches an automated audit of the dApp/dAIpp code.
   - For reward rules, reward standards, bug verification & fixing, bounty sizing, etc., anyone may propose ideas and let the AI decide!
2. AI will be the key collaborator. If an AI independently discovers a bug, its developer should also earn a reward.
3. After a security report or fix proposal is publicly submitted and AI-reviewed, the AI issues an SBFSC report followed by a three-week public-review period. If no objections arise, both reporter and reviewer receive rewards. If objections exist, the case enters open dispute.

------------------------------------------------
Governance Rules of Security Bounty for Smart Commons
------------------------------------------------

A. Reward Quantification

Anyone who finds a code vulnerability (bug) in a project or fixes a bug and submits a report via the **Enki public community** will receive a bounty graded by the potential monetary loss “B” that the bug could cause. Detailed rules:

  1. Zero-Day Bug bonus: an extra 50,000 jeedd for the first-ever disclosure of a zero-day vulnerability.
  2. Zero-Day Fix bonus: an extra 10,000 jeedd for fixing within 24 h.
  3. Reporting a bug that endangers the Satoshi UTO Fund earns at least 210,000 jeedd.
  4. Honor reward: exceptional contributors receive Honor Tokens.
  5. Under equal circumstances, anyone (including developers) who submits a bug report or fix, once accepted, is treated equally.
    However, during the three weeks after a smart commons is Minted, or during the three weeks after a technical proposal (upgrade/maintenance) is adopted, submissions by the party that Minted that commons or submitted that proposal are ineligible for the above rewards.
  6. Bugs that do not involve fund theft or where no funds can yet be stolen require more complex review.
    Rewards have three parts: base reward, additional reward, and bounty cap.

    Base reward:
    Base reward = potential loss B + difficulty-weight factor F, where 1.0 ≤ F ≤ 3.0, scored by a review panel:
    - Discovery difficulty (1–5, weight 50 %): code complexity, bug obscurity, etc.
    - Potential impact (1–5, weight 30 %): affected asset scope.
    - Technical novelty bonus (1–5, weight 20 %): novelty of discovery or fix.
    F = 1.0 + (difficulty × 0.5 + impact × 0.3 + novelty × 0.2) / 5

    Additional rewards:
    - If the bug is verified within 48 h of first submission, extra 10 %.
    - If a fix is supplied and adopted, fix reward = B + (B × 0.2).
    - Members of a smart commons are **ineligible** for these additional rewards during the three weeks after Minting or three weeks after adopting a technical proposal.

    Bounty cap:
    100,000,000 jeedd.

B. Malicious-Behavior Recovery Bounty

Targets two abuses: asset theft by hackers and bounty hijacking by developers who purposely insert bugs and claim bounties themselves.

Bounties for recovering stolen assets are **double** the normal reward schedule. Developer-misconduct bounties are also **double** (an order-of-magnitude jump).

  • Base bounty = recovered amount × 2
  • High-priority mechanism: if the theft endangers major community interests, temporary extra rewards up to **50 % of the recovered amount** may be added.

C. Special-Behavior Reward (Voluntary Return)

For cases such as theft committed while intoxicated but later voluntarily returned:

  • Return within 24 h with no material harm: max reward 0.4 B.
  • Return within 48 h with no material harm: max reward 0.1 B.
  • Return within 72 h with no material harm: no reward or penalty.

If the returner also discloses the vulnerability, reward coefficients double:

  • 24 h return: 0.8 B
  • 48 h return: 0.2 B
  • 72 h return: no reward but immunity from prosecution.

------------------------------------------------
Governance Implementation Details
------------------------------------------------

1. Risk-level Assessment

A scoring group defines low / medium / high-risk bugs:

  • **Low**: UI issues, non-core features; no fund flow.
  • **Medium**: may affect some user assets or contract operation; no direct theft risk.
  • **High**: directly endangers asset safety, core modules, or large-scale user rights.

2. Public Review & Audit Process

After a report is submitted, transparency is ensured by:

  • **Dual-layer audit**: the first reviewer can be anyone.
  • **Dispute mechanism**: anyone can challenge a report’s validity.
  • **Bounty payout**: executed immediately after the three-week public-review window if no objections.

3. Community Collaboration & Reward Distribution

  • **Reviewer reward**:
    - Valid bug reviewers receive 10 % of the reporter’s bounty.
    - Successful disputers receive 5 % of the original reporter’s bounty.
  • **Decentralized governance tools**:
    - All bug reports and bounty payouts are managed on-chain via smart contracts.
    - All bounties are transparent.

------------------------------------------------
Incentive Mechanisms & Ecosystem Expansion
------------------------------------------------

1. Increasing Community Participation

  • Regular security hackathons.
  • Annual “Best Bug Hunter” title plus Honor Tokens whose holders may submit governance proposals.

2. Boosting Developer Confidence

  • Offer training courses on vulnerability discovery.
  • Encourage proactive disclosure via a “preventive-report” mechanism that also pays rewards.

With these complementary rules, the Security Bounty for Smart Commons program not only refines bounty quantification but also optimizes governance and participation processes, ensuring the ecosystem remains secure, fair, and well incentivized.