Zero Day Vulnerability
First, a couple of disclaimers.
- I am not a developer; before the incident I am going to talk about, I didn't know about zero-day vulnerabilities
- I am a major stakeholder in both Hive and Splinterlands, I deeply care about both ecosystems, and I also recognize that they are inseparable
- I am good at research; these days, with the internet, most people can be
Therefore, if I don't know something, it is not hard to at least get some basic familiarity with the subject. I am obviously no expert on it, but there are others who are completely clueless about this and they do read this sometimes. Also, this is my blog, so I treat it like my journal; this topic is on my mind right now, so I am going to write about it.
What is a Zero‑Day Vulnerability?
A zero‑day vulnerability is a security flaw in software, hardware, or firmware that is unknown to the vendor or developers and has no available patch at the time it is discovered or exploited.
- The term “zero‑day” means developers have had zero days to fix the problem before it is used in an attack.
- Because no fix exists yet, attackers can exploit it before defenders can prepare, making it especially dangerous.
Origin of the Term "Zero Day"
In early computing, “zero day” referred to the number of days since software was released. The term became popular in the 1990s piracy (warez) community. Pirated software was categorized by “age”:
- 30‑day (released 30 days ago)
- 100‑day (older software)
- Zero‑day (brand new or pre-release)
The most valuable category was:
- “Zero‑day” → software cracked and distributed immediately (or before official release)
The Defender's Dilemma
A lot of what I learned about the topic is from the report titled The Defender's Dilemma, which I felt is a good resource. It talks about cybersecurity in general. The report argues that cybersecurity is an ongoing economic and strategic “arms race” between attackers and defenders, where:
- Costs are rising rapidly
- Effectiveness is uncertain
- Attackers may be gaining the advantage
The real goal is not perfect security, but:
minimize (security spending + expected losses from attacks)
Organizations:
- Can measure what they spend
- Cannot easily measure what attacks were prevented
This leads to inefficient or misaligned security investments. In other words, security is fundamentally an economic trade-off problem, not just a technical one.
There is a structural imbalance between attackers and defenders. Attackers operate with a clear advantage: they only need to find a single vulnerability, while defenders must secure every possible entry point. Moreover, attackers can reuse tools and techniques across multiple targets, scaling their efforts efficiently. Defenders, on the other hand, must operate under uncertainty, constantly reacting to new threats, including unknown vulnerabilities such as zero-days. This asymmetry creates a persistent “defender’s dilemma,” where even well-funded and highly capable organizations remain exposed to compromise.
Splinterlands
That brings us to Splinterlands. Recently, published a post regarding a vulnerability. I read the post when it was published but didn't know the details, and certainly didn't know the monetary aspect of it. Also, recently, there has been a major hack at hive-engine with significant loss of funds. Suddenly I was made aware that we have been asked for a bounty fee. So I had to do further research and find out more about it.
What is a “White Hat Bounty” for Zero‑Day Vulnerabilities?
A white hat bounty (commonly called a bug bounty) is a legitimate financial reward paid to ethical hackers (white hats) for discovering and responsibly disclosing vulnerabilities—including zero‑day vulnerabilities—to the software vendor or platform owner.
Key idea:
- A zero‑day vulnerability = unknown, unpatched flaw
- A white hat bounty = legal incentive to find and report it safely instead of exploiting or selling it illegally
How does it work?
- A security researcher discovers a vulnerability (potentially a zero‑day)
- They privately disclose it to the vendor (responsible disclosure)
- The vendor:
  - Verifies the issue
  - Fixes it
  - Pays a bounty based on severity and impact
- The vulnerability may later be published after patching
Here comes the money part
Louis here is asking for a payment. As a Splinterlands SPS DAO treasurer (I am one of the 13), it now comes to the DAO to sign a check for Louis. That is when I was made aware of this situation yesterday by the DAO Manager. We have a discretionary nominal amount (<$5000) which we can pay without running a proposal. This is for "minor DAO expenditure" for "DAO related business". This is where I fall into a bind. How do I define the following:
- How much money do we pay to Louis, meaning what is a fair price?
- How exactly do we pay him as per procedure?
Am I comfortable just signing a transaction sending a dollar amount to Louis's wallet? Or is it better for Louis to write a proposal and ask for the funds?