Our platform is built on the idea that both projects and whitehats can collaborate to mutually benefit one another. By utilizing their bug hunting expertise, whitehats can help projects secure millions of dollars worth of assets and, in return, projects share a bit of that wealth with whitehats to thank them for their time and effort.
However, as much as we try to build objective metrics into the bug bounty programs on our platform, there are sometimes gray areas that make it difficult for projects and whitehats to align on a payout. When this happens, it is best to initiate the mediation process by clicking the ‘Request help’ button.
It is appropriate to call for mediation in the following scenarios:
- Despite your best efforts to persuade and engage in dialogue, you and the project are unable to agree on impact, severity, and/or reward level
- The project is abusing the "no fix, no pay" rule by stealth-fixing the bug without providing payment
- The project attempts to negotiate with you outside of the Dashboard
- The project closes the report without providing detailed information and/or evidence for why it should be closed
- The project claims that the bug is a known or duplicate issue without providing any evidence
- The project breaks SLAs regarding responsiveness and bug report resolution
- The project engages in any rule-breaking behavior (see our rules)
You are in mediation, now what?
What if the project rejects the mediation assessment, what do I do now & what happens now?
It is impossible to generalize such scenarios, as each mediation is unique in its own way. However, if the project provided technical evidence of why they deem the mediation assessment as invalid, we will review their claims and update both parties with our new analysis.
If the project technically misunderstands the bug, will Immunefi convince the project on my behalf?
Once mediation is called in, the Immunefi team will gather as much information as possible to create an objective analysis of the bug. If we confirm that the vulnerability is indeed real, we will do our best to explain the attack path and the intricacies of the exploit to the project.
What if the project does not follow the primacy of impact or primacy of rules policy mentioned in their bug bounty program?
Both primacy of impact and primacy of rules policies are for edge case reports that don’t fit neatly into the project’s bug bounty program (read more about these policies in our FAQ). Because of this, reports that are affected by these policies require special attention from the Immunefi team. If you think that a project is disregarding their stated policy in relation to your report, we encourage you to share your concerns with us in the report submission thread. In most cases, projects will not violate their bug bounty program terms.
Can the project get away with rejecting Immunefi’s assessment?
Immunefi’s assessment serves as a strong recommendation and not a final verdict. If the project provides a solid argument to show that the demonstrated vulnerability is not valid, we will review our analysis and update both parties. Every situation will be assessed on a case-by-case basis.
What if the project pays less than the amount recommended by Immunefi?
To reiterate, Immunefi’s assessment serves as a non-binding recommendation. If the project can provide valid justifications, the final reward amount may deviate from Immunefi’s initial proposal.
The project misunderstands my points, and the bug report chat doesn’t emphasize what’s most important. How do I make sure Immunefi knows the information necessary to make their assessment?
Our triagers are the best in the industry, and they will focus on the most critical points of your finding. However, if we need any clarification, you will hear from us in the submission thread.
Can I see Immunefi’s mediation summary before it is shared with the project?
No, the assessment will be shared with all participants at the same time.
If I have additional information, or I make a better PoC, can I post it after the mediation process has begun? Will it still be factored into my bug report, or do I have to make a new report?
Yes, you are encouraged to provide any information you deem important, even if it is after the mediation process has begun. You don’t need to file a new report. All information related to a specific bug should be kept in one place.
It’s been a long time since I have received a message from Immunefi or the project. How can I get a status update to be sure that my case wasn’t forgotten?
You can reach out to Immunefi directly in the relevant bug report thread, or you can address your concerns to our support@immunefi.com address (just be sure to include your report number).
Is the discussion over once the mediation assessment has been posted? What if it’s wrong, and I disagree with it?
You can provide additional information related to the bug report after the assessment has been posted. If you have a solid argument that demonstrates why our assessment is wrong, we will review it.
I requested help on a report, and now I am unable to request help on a second unrelated report. What’s going on?
To prevent unnecessary mediations, we have implemented a cooldown period on help requests from new whitehats on Immunefi. This means that after requesting help, new whitehats will have to wait a set amount of time before they can request help again on another report. For more information, please see our How and When to Request Help or Mediation article.
Our approach to mediation
When you request help, Immunefi is brought in as an impartial third party to analyze the validity of the report and suggest a payout based on the parameters of the project’s bug bounty program. When we engage in mediation, our goal is to create a win/win outcome for both parties while also ensuring a fair process. We do not automatically side with the whitehat or the project. Instead, we use the project’s bug bounty program in conjunction with our rules to inform our analysis and recommendations.
And while we understand that some are nervous about bringing in Immunefi to mediate, this is always the best option when you cannot reach an agreement with a project. Ultimately, we want both whitehats and projects to continue using our platform, so it is always in our best interest to ensure that the mediation process is even-handed and transparent.
Immunefi will always reach out to whoever requested help within 72 hours (not including weekends) of the request being made. We will also reach out to the other party when necessary to resolve a dispute.
While mediation is ongoing, we ask you to cease direct communication with the project. Instead of responding to all participants, we ask both parties to reply directly to Immunefi in the report page with any concerns or additional information they think will be useful. This is done to avoid the possibility of miscommunication, and it guarantees that Immunefi is privy to all of the facts while we conduct our analysis of the report.
If the issue is caused by a disagreement on a technical issue, we will assign one of our triagers to perform a technical assessment. Our triagers are expert security analysts who have collectively helped to resolve thousands of reports. They are the best in the business, and they will provide an assessment as quickly as possible.
It is difficult to say exactly how long the mediation process will take, as some bugs are incredibly complex and require an in-depth analysis. With that said, our average mediation resolution times are as follows:
- Blockchain/DLT: 9 days
- Smart Contract: 10 days
- Web & App: 9 days
Once the assessment is complete, we will share our recommendation and the reasons for it with both parties. It is important to note that these recommendations are non-binding. Projects always have the final decision on whether or not they want to fix a bug, and they only have to provide a payout if they choose to make a fix. Additionally, projects are free to determine how much they will pay as long as it is within the acceptable range set by their bug bounty program.
However, this does not mean that a project can arbitrarily break the terms of their bug bounty program when evaluating bug reports. For example, if a bug is determined to be critical, the project cannot pay as if it were high severity. Immunefi reserves the right to remove projects that engage in this behavior from our platform.
Furthermore, if a project chooses to disregard our recommendation regarding validity, severity, and/or recommended minimum payout amount, then you may publicly disclose information about the report without restriction, assuming the bug is fixed. Please see our Responsible Publication Policy for more information.