I am very happy to see this RFC, hopefully this will encourage white hats to join our ranks. I want to outline a few items for those who might not be familiar.
This should probably fill any gaps moving forward so all can participate in the discussion.
There seems to be a lot to learn from the existing bug bounty created by yEarn. While our needs and resources are not quite the same the overall structure looks to be a good model especially regarding criticality of the bugs. I think there is an opportunity to use the same leveling, perhaps rewording some of the descriptions or tweaking the delineation slightly (i.e. cost prohibitive attacks maybe factoring in) although it may be better to stick with straight theory given we do not know an attackers resources.
As for an allocation on the bounty our treasury does not seem to be adequate to support what yEarn currently offers. I would propose creating a buffer for the bounty within the treasury to ensure funds are always on hand for such an issue. A total bug bounty of $200k (40% of yEarn) would be roughly 1/3 of our current treasury. This can be a starting point for discussion on what the allocation to this fund may be.
Given the payouts defined in the yEarn bounty document this should be sufficient to cover most issues that arise - unless the team anticipates otherwise.
Above is the total bounties supported by a $200k fund for bounties which I think is very reasonable and may even be too high. As we have seen though security is a serious priority with recent incidents and we want to properly incentivize actors to report bugs rather than exploit them.