The initial bug bounty submission or exploit event
When the claim gets submitted
When the claim gets paid out
Only stakers who are still locked up during the third phase will have to pay out. Any staker who unstakes funds before the actual payout (because they are in an unstaking window) will not have to pay out.
Each covered protocol will have a policy that is targeted to be 50% or less of the total Sherlock staking pool. This ensures that any single payout event at any single protocol can cause a payout for a maximum of 50% of the staking pool. More than 50% of the staking pool can be used for a payout if multiple covered protocols experience covered payouts in a short timeframe.
However, if the size of the bug bounty or exploit payout is smaller than the total coverage amount at a protocol, the size of the payout will be a fraction of the maximum coverage for that protocol. Also, if a bug bounty payout or exploit becomes possible on multiple protocols due to a chain bug (i.e. a bug in Ethereum L1), then no more than 50% of the staking pool can be used to repay those similar events, even if individual protocols had policies that aggregate to a sum that is larger than 50% of the staking pool.