Projects sometimes update their bug bounty programs (BBPs) to better identify the types of vulnerabilities and impacts that they would like to see addressed in bug reports. As a result, it is not uncommon for a projects BBP to change over time. With that said, this does not mean that projects can change their BBPs to avoid paying you when you have identified a valid and in scope bug. This would be a violation of our rules.
Bug reports should always be judged against the language of the bug bounty program at the time of submission.
The only exception to this rule is when a whitehat submits a bug report AFTER a project requests an update to their BBP, but BEFORE Immunefi has had the opportunity to implement the updates. In a scenario like this, the project can judge the report against the updated language of the BBP, regardless of publication status.