A Warm Welcome to You

TrustlessDAO explores how minimal smart contracts, combined with structured off-chain processes, can enable effective peer-to-peer agreements in Web3. Our initial focus is on vulnerability disclosures outside official bug bounty programs.

What We've Built

IndependentDisclosure is a streamlined system that helps security researchers safely disclose vulnerabilities to protocols, even when no official bug bounty program exists. It combines:

A simple smart contract that records key commitments.
A standardized private GitHub repository structure for secure communication.
Clear procedures that protect both parties through transparency.

Quick Overview

In the following chapters, you'll learn:

Why vulnerability disclosure outside bounty programs is challenging.
How IndependentDisclosure protects both researchers and protocols.
Practical steps to start using the system today.

Whether you're a security researcher who has found a vulnerability or a protocol representative who has been contacted about one, you'll find clear, actionable information here.

Started in October 2024, TrustlessDAO is actively developing and improving these tools. Follow our progress on Twitter and GitHub. We'd love your feedback, our DMs are open.

The Problem

Most Web3 security researchers limit their work to projects with official bug bounty programs. This creates a dangerous imbalance:

White-hat researchers focus only on bounty-covered code.
Black-hat hackers target everything.
Many protocols remain under-examined by friendly researchers.

The Disclosure Challenge

When researchers find vulnerabilities in protocols without bounty programs, they face a difficult decision:

Share the vulnerability details upfront and hope for fair compensation.
Keep the information private, leaving protocols vulnerable.

Neither option benefits the ecosystem. Researchers who disclose often provide valuable insights without receiving fair compensation, while protocols miss critical opportunities to address vulnerabilities due to withheld reports.

What's Needed

A straightforward system that:

Allows researchers to protect themselves when they share valuable information.
Gives protocols confidence in the disclosure process.
Creates clear evidence of all commitments.
Enables fair compensation for meaningful discoveries.

The next chapter explains how IndependentDisclosure delivers these protections through minimal yet effective mechanisms.

IndependentDisclosure

TrustlessDAO offers a public template repository designed to create a structured and secure environment for vulnerability disclosure. The repository includes:

README.md: Comprehensive process documentation
report.md: Template for vulnerability details
initial-terms.md: Researcher's suggested terms
authorization.md: Protocol's formal commitment
protocol-assessment.md: Protocol's validity assessment
final-terms.md: Agreed settlement terms

Why This Works

The template's structure promotes good faith participation through clear, balanced incentives:

Balanced Control
- Researchers manage initial information sharing.
- Protocols control the validity assessment.
- Final terms require mutual agreement.
Verifiable Evidence
- All interactions are documented in the repository.
- The smart contract records key commitments on-chain.
- Any bad faith actions are provable without exposing vulnerabilities.
Public Accountability
- Either party can easily demonstrate bad faith to the community.
- Clear evidence of good faith is straightforward to present.
- A lack of evidence implies bad faith.
- Reputational stakes incentivize honest behavior.

Using IndependentDisclosure

Practical guidance is available for both parties:

For Researchers: How to initiate and manage a disclosure.
For Protocols: What to expect and how to participate.

Each guide provides step-by-step instructions tailored to the specific roles of researchers and protocols in the process.

For Researchers

IndependentDisclosure is a simple smart contract designed to be combined with carefully structured off-chain processes to enable effective and fair peer-to-peer vulnerability disclosure.

Git Safety Tips

Important Warning: If you ever receive errors or warnings when trying to push or pull changes during the disclosure process, STOP and examine the repository on GitHub before proceeding. Messages about "non-fast-forward" updates or divergent histories could indicate that someone has rewritten the repository history, potentially modifying terms or commitments maliciously. Never use --force with git commands unless you fully understand the implications. Your local copy serves as proof of the original history.

While history modification is considered a very unlikely event (as it's easily detectable bad faith that immediately kills the deal), maintaining a local copy provides simple but robust protection against such attempts. We describe how to do so below.

Phase 1: Create Report and Begin Contact Attempts

Finalize the vulnerability report locally, then begin reaching out to the affected protocol through all available private channels (Discord, email, Telegram, etc.). Document these attempts thoroughly.

Phase 2: Make Disclosure (Best Case Scenario)

Once contact is established, start by sharing details of the peer-to-peer disclosure process to set clear expectations for the protocol. TrustlessDAO's protocol guide can be used for this.
Clone the IndependentDisclosure repository template provided by TrustlessDAO to your GitHub account as a private repository.
- TrustlessDAO is not notified when the public template is used.
Deploy an IndependentDisclosure contract and call the setCommitHash function, passing the initial commit hash of the private GitHub repository created in the previous step.
Edit your repository's initial-terms.md file to add your terms. Initial terms are suggestions for the protocol; only final terms are binding.
Update your repository's report.md file to include the full vulnerability report.
- These steps establish a provable timestamp of your discovery, ensuring that anyone intercepting or receiving the disclosure details from you cannot falsely claim they found it first.
If you haven't already created a local backup of your repository:
```
git clone <your-private-repo-url> local-backup
```
This local copy provides evidence if the protocol attempts to modify history later.
Invite protocol representatives to the repository and direct them to the "Protocol Action Items" section of the README, which summarizes their required actions.
Wait for the protocol to update the protocol-assessment.md file with their response.
- Bad-faith negotiation tactics, such as disregarding an agreed-upon waiting period, can be exposed at any time by either party. This can be done without revealing disclosure details and will be judged by the court of public opinion.
Once the protocol updates protocol-assessment.md, sync your local copy:
```
git pull origin main
```
This ensures you have proof of their original assessment.
The protocol's assessment should be considered binding. Each response dictates a distinct path:

Status	Implications
`Confirmed`	Initiates the extended timeline for settlement/mitigation. The protocol should proceed to complete authorization.md.
`Non-Issue`	Grants immediate permission to go public with the full report.
`Won't-Fix`	Indicates acknowledgment. If the protocol prefers the issue remain private, negotiate a fair confidentiality price. If no timely settlement is reached, permission is granted to make the report public.

Once authorization is complete, call the setParticipant function on the IndependentDisclosure contract with the specified wallet address. Proceed to collaborate with the protocol to agree on final terms.

If needed, remind the protocol to DM the commit hash for the authorization from their official Telegram or Twitter. This ensures commitment authenticity.

After final terms are agreed, sync your local copy one last time:
```
git pull origin main
```
This ensures you have proof of the final agreed terms.
The disclosure process is now complete. If the report was not confirmed, periodically check the protocol's deployed contract for fixes.
- If a fix is implemented without prior agreement, present the case for payment to the court of public opinion, citing verifiable on-chain evidence from the disclosure process.

Note: TrustlessDAO's Arbiter system will streamline the process of resolving disputes in cases of on-chain dishonesty or bad faith.

Alternative Phase 2: Protocol Cannot Be Reached (Worst Case Scenario)

Note: TrustlessDAO is implementing solutions to minimize this scenario. For now, researchers must use their judgment on how to proceed.

If the protocol does not respond to your contact attempts, consider a gradual disclosure process. The primary goal is to establish communication, not to disclose full details immediately. Once communication is established, the protocol assumes control.

Disclosure Stages:

Chain ID: e.g., "Vulnerability on Ethereum mainnet."
Vulnerability Category: e.g., "Access control in governance."
Impact Description: e.g., "Unauthorized admin control."
Technical Preview: e.g., "Timelock validation issue."
Protocol Name
Full Report

Another approach is to gradually disclose to individuals indirectly associated with the protocol (e.g., investors, contributors, or known security teams). Document these attempts and their results. Start with Protocol Name + Chain ID as the first stage to assess their willingness to help.

If the protocol begins engaging in good faith, pause the gradual disclosure process and transition to Phase 2: Make Disclosure (Best Case Scenario).

Recourse and Evidence

If either party fails to honor the agreed terms:

Present evidence from GitHub repositories and the on-chain contract publicly.
Use the contract’s state transitions and Git commit history as immutable proof of the disclosure process and commitments.
Leverage the court of public opinion by presenting the most compelling, verifiable evidence.

By using IndependentDisclosure, you maintain leverage through controlled information disclosure while creating a clear evidence trail. This process encourages good-faith participation from protocols and provides a fair resolution path for disputes.

For Protocols

IndependentDisclosure is a peer-to-peer vulnerability disclosure framework that combines smart contracts with carefully structured off-chain processes to enable fair and transparent security disclosures.

Git Safety Tips

Phase 1: Initial Contact

A security researcher has identified a potential vulnerability in your protocol and intends to disclose it responsibly. Here's what to expect:

The researcher will contact you through available private channels (e.g., Discord, email, Telegram).
They will share this guide to explain the peer-to-peer disclosure process.
They will have already deployed an IndependentDisclosure smart contract and created a private GitHub repository based on this template.

Phase 2: Accessing the Disclosure

When you're ready to proceed:

The researcher will invite you to their private GitHub repository.
Inside the repository, you'll find the following key files:
- report.md: Contains the full vulnerability details.
- initial-terms.md: Contains the researcher's suggested terms.
- protocol-assessment.md: Where you will provide your assessment.
- README.md: Contains complete process documentation.
Create a local copy of the repository:
```
git clone <private-repo-url> local-backup
```
This backup protects you against potential history modifications.
Review the report and initial terms carefully. The initial terms are non-binding suggestions and can be negotiated.

Phase 3: Assessment

Before submitting your assessment:

Sync your local copy to ensure you have the latest version:
```
git pull origin main
```
This pull ensures you have evidence of the original disclosure and terms.

You have full control over assessing the validity of the disclosure. Your assessment options are:

Status	What it means	Implications
Confirmed	You acknowledge the vulnerability	- Initiates timeline for settlement/mitigation - You'll need to complete `authorization.md` - Maintains confidentiality during fix.
Non-Issue	You determine it's not a vulnerability	- Researcher can publish the report immediately. - No further action required.
Won't Fix	You acknowledge but won't address it	- Negotiate confidentiality terms if privacy is desired. - If no settlement is reached, the researcher can publish.

Important Notes About Assessment:

The suggested timeframe for assessment is 24–72 hours.
If you require additional time, provide evidence to justify the extension.
Your assessment is considered binding once submitted.
Bad-faith negotiation tactics can be publicly exposed by either party.

Phase 4: Authorization (If Confirmed)

If you confirm the vulnerability:

Complete the authorization.md file in the repository.
Send the commit hash from your official Twitter/Telegram account to the researcher.
- This ensures the authenticity of your commitment.
The researcher will add your specified wallet address to the smart contract.
Collaborate with the researcher to agree on settlement terms in final-terms.md.
After final terms are agreed, sync your local copy one last time:
```
git pull origin main
```
This ensures you have proof of the final agreed terms.

Evidence and Transparency

The IndependentDisclosure process creates an evidence trail that protects both parties:

The smart contract records key events and commitments on-chain.
The GitHub repository preserves all communication and agreements.
Your local copy of the repository is crucial evidence. Git will warn you if the other party attempts to modify history, requiring a force-pull to accept their changes. These warnings are your signal that bad faith actions may be occurring. You can prove this by sharing your local copy, which contains the original unmodified history.
Commit hashes serve as timestamps without exposing sensitive vulnerability details.
Either party can prove bad faith using the evidence trail.

This transparency encourages good-faith participation while maintaining confidentiality during the disclosure process.

Recommendations for Success

Respond Promptly: Aim to acknowledge receipt within 48 hours.
Communicate Clearly: Use the GitHub repository for all disclosure-related communication.
Be Professional: Treat the disclosure process as a collaborative effort.
Document Everything: Ensure all relevant communication is recorded in the repository.
Honor Commitments: Assessments and agreements are binding.

Contact Information

For questions or concerns about the IndependentDisclosure process:

Contact the researcher directly through the communication channels they provided.
Alternatively, reach out to a TrustlessDAO representative. Our DMs are open, and we aim to respond within 24 hours.

Thank you for participating in responsible security disclosure. Your cooperation helps make the ecosystem safer for everyone.

Making Honesty Practical

The challenge of building peer-to-peer systems isn’t just identifying honest and dishonest participants—it’s creating an environment where honesty becomes the most practical choice for everyone. IndependentDisclosure accomplishes this through thoughtful system design that leverages basic human psychology.

The Power of Being Watched

People behave differently when their actions are visible. This phenomenon, known as "The Hawthorne Effect", is something we encounter daily:

Drivers slow down near traffic cameras.
Students are more likely to attend classes when attendance is tracked.
Employees arrive on time when check-ins are required.

This effect doesn’t rely on coercion; it works because visibility naturally encourages people to align their behavior with expectations. IndependentDisclosure taps into this effect by creating visibility through its public repository structure and on-chain contract states.

From Observation to Evidence

IndependentDisclosure doesn’t stop at observation—it establishes permanent, verifiable records of both intentions and actions:

The GitHub repository captures all communication and updates.
The smart contract timestamps key commitments.
Commit hashes provide cryptographic proof of document integrity.
Public interactions generate a clear evidence trail.

This durable record shifts the stakes. Dishonesty isn’t just about avoiding detection in the moment—it’s about the long-term consequences of leaving a permanent, verifiable trail that could harm future trust and opportunities.

Minimizing Dishonesty

By combining visibility with evidence, IndependentDisclosure creates an environment where:

Empty promises carry significant reputational costs.
Deceptive behavior involves high risks.
Honest dealings safeguard trust and credibility.
Good faith participation is both encouraged and rewarded.

The goal isn’t to make dishonesty impossible—it’s to make honesty the easiest and most beneficial path, even for participants who might otherwise act dishonestly.

Why This Matters

In vulnerability disclosure, trust is paramount. By making honesty practical instead of merely expected, IndependentDisclosure ensures:

Researchers can safely share critical findings.
Protocols can confidently engage with disclosures.
Both parties maintain appropriate leverage and accountability.
The ecosystem benefits from increased transparency and trust.

This system doesn’t enforce honesty, it incentivizes it. By aligning personal goals with honest behavior, IndependentDisclosure creates a framework where trust thrives and participants can achieve their objectives effectively and collaboratively.

A Better Playing Field

IndependentDisclosure establishes a unique environment for security research and vulnerability disclosure. By removing unnecessary constraints while upholding accountability, it enables more effective security research that benefit the entire ecosystem.

Freedom with Responsibility

This system empowers researchers with greater flexibility while ensuring responsible engagement:

Broad Scope: All assets are in scope, researchers can investigate without restrictions.
Flexible Timelines: Work progresses at the researcher’s pace.
Direct Interaction: No platform-imposed terms or middlemen, engage directly with protocols.
Built-in Accountability: Evidence and transparency ensure fair and honest participation.

This freedom doesn’t compromise responsibility. Instead, transparency promotes good faith participation while preserving leverage for all parties involved.

Leveling the Playing Field

Currently, most researchers only examine the limited scopes set by protocols on defined contest and bounty platforms.

Meanwhile, malicious actors:

Investigate everything without limitations.
Face no rules or restrictions.

IndependentDisclosure levels this playing field. It allows ethical researchers to operate with the same freedom as their black-hat counterparts, while maintaining transparency and ethical standards through structured processes.

Cooperation as a Winning Strategy

The system creates conditions where cooperation becomes the most practical approach for both parties:

Both Parties Honest → Quick resolutions, mutual benefit.
One Party Dishonest → Verifiable evidence exposes misconduct.
Both Parties Dishonest → Process breaks down, and both lose.

This isn’t about blind trust—it’s about designing a system where honest cooperation is the most beneficial and efficient path for all participants.

Beyond Platforms

The key innovation isn't decentralization—it's removing the need for trusted intermediaries while maintaining accountability through transparency. The smart contract's role is more about timestamping and state tracking than replacing traditional platforms.

The result is a more efficient environment for security research that naturally favors honest behavior and fair settlements, benefiting both researchers and protocols through clearer accountability and better incentive alignment.

Vision and Next Steps

While IndependentDisclosure already provides a functional framework for peer-to-peer vulnerability disclosure, our vision extends beyond the current implementation. We're working to make this process not just possible, but the preferred choice for both researchers and protocols.

Immediate Goals

Vulnerability Valuation

Our next milestone is to develop a tool that helps both parties arrive at fair compensation range suggestions for specific vulnerability classes given circumstances like funds at risk:

Structured Frameworks: Guidelines for justifying suggested payment ranges for specific disclosures.
Data-Driven Insights: Leveraging data to create transparent valuation models.

Protocol Outreach

We’re focused on raising awareness among protocols about the advantages of this approach:

Cost-Free Implementation: No upfront or ongoing costs for protocols.
Expanded Research Base: Broader access to security researchers.
Transparent Processes: Evidence-based interactions.
Freedom from Lock-In: No dependence on centralized platforms.

Future Development

Arbiter System

We’re developing a dispute resolution system to handle conflicts fairly and transparently:

Evidence Review: Assess inputs from the disclosure process.
Transparent Verdicts: Issue rulings based on clear, objective criteria.
Reputation Penalties: Apply on-chain consequences for bad faith actions.
Precedent Creation: Establish guiding cases for future disclosures.

Process Enhancements

We’re continuously improving the user experience to ensure smoother adoption:

Streamlined Workflow: Simplify every step of the process.
Friction Reduction: Eliminate barriers for both parties.
Enhanced Documentation: Provide clear, actionable guides.
Advanced Tooling: Develop intuitive tools to facilitate participation and successful negotiations.

The Long-Term Vision

Our ultimate aim is to make peer-to-peer vulnerability disclosure the norm. Indicators of success include:

Widespread Adoption: Direct disclosure becomes a common practice.
Simplicity: Processes as user-friendly as traditional approaches, or better.
Standards of Good Faith: Clearly defined and widely accepted expectations.
Improved Security: Tangible benefits for the entire Web3 ecosystem.

IndependentDisclosure is just the foundation. We are committed to evolving and expanding this system until direct disclosure is the default choice for researchers and protocols alike. We hope you will join us on this journey.