Signaling proposal: Create an Osmosis bug bounty
Status: passed
Expected result: Passed
Turnout / Quorum: 46.99% / 20.00%
Voting period: ended (100.0%)
Voting start: 2022.06.26 at 23:59:23
Voting end: 2022.07.01 at 23:59:23
Vote distribution
Yes: 99.85% (97 262 896 osmo)
No: 0.02% (19 249 osmo)
Veto: 0.00% (838 osmo)
Abstain: 0.13% (124 146 osmo)
Details
Proposer: -
Total deposit: 500 osmo
Submit time: 2022.06.26 at 23:53:57
Deposit end time: 2022.07.10 at 23:53:57
Description

## Background
On the 8th June 2022 at 02:49:55 UTC a major bug in the Osmosis AMM forced the validators to halt the network at block 4713064. The issue was that withdrawing funds from liquidity pools would result in receiving assets worth more than what you had in the pool. This bug could potentially have drained the assets in all liquidity pools across Osmosis by simply adding liquidity and directly removing it again. Fortunately, the damage was limited to only 5 million dollars due to the fast reaction of the validators. However, apart from the financial damage, the 3-day shutdown also cost a lot of trust, which has to be earned again in the long term.

## Bug Bounty/Vulnerability Disclosure Policy
To prevent the malicious exploitation of such bugs I would like to propose two things:

1. Creation of a Vulnerability Disclosure Policy
The goal of a Vulnerability Disclosure Policy is to encourage people to report bugs privately to the Osmosis devs before making them public. Such a policy would describe how Osmosis has to react to such bug reports and also give the reporting user the assurance of not being legally prosecuted. I'll add some examples of such a policy:

https://hackerone.com/riot?type=team
https://www.atlassian.com/trust/security/bug-fix-policy
https://support.crowdin.com/vulnerability-policy/

2. Creation of a corresponding bug bounty program
Having a Vulnerability Disclosure Policy usually also means having a bug bounty program to incentivise the reporting of such bugs instead of abusing them. The bounty paired with the legal protection should then hopefully be enough to ensure critical bugs can be fixed before being disclosed to the public.
Immunefi is a platform where many crypto projects run their bug bounty programs (Polygon, MakerDAO, THORChain, PancakeSwap, etc.). Sifchain also runs a bug bounty program there with rewards of up to $2M.
This bug bounty should be funded by the strategic Osmo reserve and the community pool.
Furthermore, core devs and external, independent actors should be involved in the bug bounty DAO/team.

### Note
A bug bounty program doesn't mean that reported bugs are swept under the carpet. A vulnerability disclosure policy also specifies when and how bugs can/will be disclosed to the public.
___
YES -> You agree that a bug bounty and a vulnerability disclosure policy should be created and carried out. The creation itself, with the exact policy, will have to pass governance again.
NO -> You believe that's not necessary and don't want a bug bounty or a vulnerability disclosure policy.
NO WITH VETO -> You believe such a policy/bug bounty would harm the network and want to prevent that at all costs.