- GitHoney is a dApp developed by TxPipe providing a mechanism to tie specific tasks in a GitHub project's repository (e.g. Issues) to bounties
- The currently implemented simple workflow is the following:
  - Maintainers create a set of bounty tokens, locked into a smart contract, with some amount of Ada attached
  - A contributor can "claim a bounty" on-chain, attaching some wallet/address id to the bounty for future reward
  - The maintainer can either close the bounty, reclaiming the attached reward, or "merge" it, delivering the reward to the contributor
  - More details available in the docs
- There's an off-chain "oracle" that ties into the GitHub API and drives the bounty claims:
  - When a PR fixing the Issue is merged, it unlocks the reward
  - If no merge happens after some predefined timeout, the bounty is closed
- githoney.io runs an instance of the off-chain part of the dApp, but it is essentially a protocol, hence it can be hosted by anyone
- The oracle/off-chain part could be tailored to other specific needs
- There are plans to implement bug bounties but nothing concrete yet
- Gaps to support OSC's bug bounty program use case:
  - The bounty is not attached to a specific issue but is triggered by a contributor reporting a vulnerability
  - Multiple bounties can be active at the same time
  - The prize attached to a bug bounty is variable
  - A timeout can lead to the bounty being delivered if the maintainers are not respecting the "SLA" defined by the security policy
  - Payment can be triggered by something other than merging a PR, as the patching can be deferred
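An added example, not GitHoney's or TxPipe's code: a simplified Python model of the bounty lifecycle as the notes describe it (lock, claim, merge or close, timeout), with the current timeout rule (reward reclaimed by maintainers) beside the bug-bounty variant where a missed SLA pays the claimant instead. Field names, the lovelace unit and the timeout arithmetic are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class State(Enum):
    OPEN = "open"        # bounty tokens locked in the contract with Ada attached
    CLAIMED = "claimed"  # a contributor attached a payout address
    MERGED = "merged"    # reward delivered to the contributor
    CLOSED = "closed"    # reward reclaimed by the maintainers

@dataclass
class Bounty:
    reward_lovelace: int          # assumed unit: lovelace (1 Ada = 1_000_000)
    created_at: int               # assumed: POSIX seconds when the bounty was created
    timeout: int                  # seconds the maintainers have before the timeout rule fires
    state: State = State.OPEN
    contributor: Optional[str] = None
    paid_to: Optional[str] = None

    def _settle(self, to: str, final: State) -> None:
        self.paid_to, self.state = to, final

    def claim(self, address: str) -> None:
        if self.state is not State.OPEN:
            raise ValueError(f"cannot claim a bounty that is {self.state.value}")
        self.contributor, self.state = address, State.CLAIMED

    def merge(self) -> None:
        # The oracle saw the fixing PR merged: the reward goes to the claimant.
        if self.state is not State.CLAIMED:
            raise ValueError("merge requires a claimed bounty")
        self._settle(self.contributor, State.MERGED)

    def close(self, maintainer: str) -> None:
        # Maintainers reclaim the attached reward.
        if self.state in (State.MERGED, State.CLOSED):
            raise ValueError("bounty already settled")
        self._settle(maintainer, State.CLOSED)

    def expire(self, now: int, maintainer: str, sla_pays_reporter: bool = False) -> bool:
        # sla_pays_reporter=False: current GitHoney rule, a timeout closes the bounty.
        # sla_pays_reporter=True: bug-bounty variant, a missed SLA pays the claimant.
        if self.state not in (State.OPEN, State.CLAIMED) or now < self.created_at + self.timeout:
            return False
        if sla_pays_reporter and self.state is State.CLAIMED:
            self._settle(self.contributor, State.MERGED)
        else:
            self.close(maintainer)
        return True
```

An unclaimed bounty still closes on timeout in both variants, since there is no reporter to pay.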
Created August 2, 2025 07:38
Gist: Using githoney.io as bug bounty platform