If the bug or issue is already known to the project prior to the submission of the report, the project can close the bug report without providing a reward to the whitehat. The project can prove prior knowledge by providing:
- Self-reports on Immunefi
- A reference to a previous bug report
- A GitHub pull request
- A GitLab pull request
- A GitHub reported issue
- A GitLab reported issue
- A screenshot from GitHub that shows the known issue (the commit hash, the URL, the date of the pull request, the repository name, and the owner of the repository must be visible in the screenshot)
- An audit report
- A blog post (the publication date must be verifiable using either Google cache or the Wayback Machine)
- An email with dates that clearly states the vulnerability and its impacts (this should either be forwarded to firstname.lastname@example.org, or a PDF of the email should be attached in the bug thread)
This evidence must be provided in the dashboard when a project closes a report because of a known issue.
All bug reports that meet report requirements are first escalated to projects, so that each project can review them and decide whether they describe an issue already known to it. The project does not have SLAs for defining a known issue except for those mentioned here.