PANews reported on May 15th that, according to the official governance page, Aave Labs has proposed reorganizing the Aave DAO's bug bounty framework into multiple subsystem-specific programs, each with its own scope, severity criteria, reward framework, and operating platform. The reorganized bounty coverage will be allocated as follows: Core Aave V3, Core Aave V2, GHO, and non-liquidity protocol infrastructure will use Immunefi; Aave V4 and Aave App Stack will use Sherlock; and Aave V3 on Aptos will use Cantina. The proposal aims to better align bounty incentives with the actual risk profile of each subsystem, simplify the operational review process, and maintain flexibility before evaluating platform performance.

Regarding rewards, the highest rewards for the most critical "critical" level vulnerabilities are: Core Aave V3 increased from $1 million to $5 million, Aave V4 increased from $500,000 to $2.5 million, Aave V3 on Aptos increased from $500,000 to $1 million, and Aave App Stack added a maximum reward of $100,000.