Board: Wallet software
Re: Wasabi Wallet - Total Privacy For Bitcoin
by Kruw on 11/12/2024, 11:04:28 UTC
Yes, that's the good with being open-source, but I hope you acknowledge how ridiculous it now sounds to claim that it is completely resistant to Sybil attacks and how absolutely invulnerable the client is. All these assertions were just invalidated with this recent report.

My claims about the protocol hold true, but I've never claimed that clients implementing the protocol are bug free. There's plenty of bugs in Wasabi, and GitHub is used to track their priority.

I'd be interested in this. How much are you willing to pay? And define "serious bug".

Since I'm not a programmer, I'm unable to identify or verify code-level bugs; I can only test reproducible bugs. As such, I don't want to misalign incentives and push the burdens of bounty verification to the developers who are maintaining the project.

For general guidelines, if the bugged scenario requires users to change multiple defaults to trigger it, it's less likely to be high priority for fixing or a high value bounty. However, these classes of bugs should be straightforward and worthy of bounties:

Critical:

2.5m sats - Bugs that allow remote theft of funds
1m sats - Bugs that cause funds to be destroyed

Privacy:

500k sats - Bugs that reveal clearnet IP instead of Tor (when performing an action tied to your coins)
- Bug fixes or design changes that optimize privacy with no additional tradeoffs involved may be awarded bounties on a case by case basis

Graphical:

- No bounty for discovery, bounties may be awarded for PRs that fix UI bugs on a case by case basis

Any critical bugs should not be reported to me - they should be disclosed privately to the maintainers.