Will the incentive for new vulnerability discoveries, the award, or the amount of tokens to be gained, be consistent with the complexity of the vulnerability encountered?
The amount of tokens Secure Planet awards to contributors will vary depending on each individual case.
Two major factors will determine the amount of awarded tokens. They are as follows:
- Popularity of the open source software containing the vulnerability - the higher the usage and/or adoption rate of the open source project, the higher the token amount
- Vulnerability severity ranking - the more critical the vulnerability, the higher the token amount
Who decides whether a discovered vulnerability is severe or not? That's a process that can hardly be judged highly objectively. What does the scale for the ranking look like?
The severity of the security vulnerabilities, like the reporting of vulnerabilities themselves, will be determined through a crowdsourced voting process. Voting will take place for ten days and contributors must vote for one of two outcomes: 1) yes, the vulnerability is accurate and should be included in the database, or 2) no, the vulnerability not accurate and should be rejected from the database.
The Yes voters must also assign the Vulnerability Score using the CVSS calculator at
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L. Their submissions will be averaged out to derive the official Vulnerability Score.
Once Secure Planet reveals the majority vote, the verifiers who voted on the winning outcome will be rewarded with SPX and Rep Tokens. Verifiers who chose the losing vote will lose Rep Tokens and receive no SPX.