Price model – Only pay for what I find
The per-finding cost structure of a security review is given by a base price that is tiered with respect to severity.
This base price, which will be presented in the quote, is defined as the maximum price to be paid for an identified vulnerability.
Severity | Percentage of base price
---|---
Critical | 100%
High | 70%
Medium | 30%
Low | 10%
Non-Critical | 0%*
\* 5% if non-critical findings are required to be included in the report instead of being discussed in a call. All other findings are included in the report by default.
What determines the base price?
The base price is mainly determined by the following aspects:
- Size and complexity of the codebase
- Use of external contracts / libraries
- Interactions with other protocols
- Criticality based on projected total value locked
What if you disagree with a finding or its severity assessment?
During the mitigation review, we can openly discuss such findings in order to find common ground.
A prime example of such a finding is “Centralization risk”: as a security researcher it is my duty to point this out, even though some centralized aspects of your protocol might be intended. Therefore you won’t be charged in that case.
What if you prefer an upfront fixed price for the whole security review?
It is possible to opt for a traditional price model where I estimate the required amount of time in advance and multiply it by my hourly rate.
Vulnerability risk severity assessment
The severity of a bug/vulnerability is assessed based on its potential economic impact and the likelihood of an incident.
Risk severity matrix (rows: likelihood, columns: impact)

Likelihood \ Impact | High | Medium | Low
---|---|---|---
High | Critical | High | Medium
Medium | High | Medium | Low
Low | Medium | Low | Non-Critical