Our platform is built on the idea that both projects and whitehats can collaborate to mutually benefit one another. By utilizing their bug hunting expertise, whitehats can help projects secure millions of dollars worth of assets and, in return, projects share a bit of that wealth with whitehats to thank them for their time and effort.
However, as much as we try to build objective metrics into the bug bounty programs on our platform, there are sometimes gray areas that make it difficult for projects and whitehats to align on a payout. When this happens, it is best to initiate the mediation process by clicking the ‘Request help’ button.
It is appropriate to call for mediation in the following scenarios:
- Despite your best efforts to persuade and engage in dialogue, you and the whitehat are unable to agree on impact, severity, and/or reward level
- The whitehat tests on mainnet or public testnet
- The whitehat becomes threatening
- The whitehat attempts to negotiate with you outside of the Dashboard
- The whitehat engages in any rule-breaking behavior (see our rules)
You are in mediation, now what?
- What if we disagree with Immunefi’s assessment?
Immunefi’s assessment serves as a strong recommendation and not a final verdict. If you can provide a solid argument to show that the demonstrated vulnerability is not valid, we will review our analysis and update both parties. Every situation will be assessed on a case by case basis.
- What if we pay less than the amount recommended by Immunefi?
To reiterate, Immunefi’s assessment serves as a non-binding recommendation. If the project can provide valid justifications, the final reward amount may deviate from Immunefi’s initial proposal.
- The whitehat misunderstands our points, and the bug report chat doesn’t emphasize what’s most important. How do I make sure Immunefi knows the information necessary to make their assessment?
Our triagers are the best in the industry, and they will focus on the most critical points of the report. However, if we need any clarification, you will hear from us in the report submission thread.
- Can I see Immunefi’s mediation summary before it is shared with the whitehat?
No, the assessment will be shared with all participants at the same time.
- If I have additional information, can I post it after the mediation process has begun? Will it still be factored into Immunefi’s assessment?
Yes, you are encouraged to provide any information you deem important, even if it is after the mediation process has begun.
- It’s been a long time since I have received a message from Immunefi or the whitehat. How can I get a status update?
You can reach out to Immunefi directly in the related bug report thread, or you can address your concerns to our firstname.lastname@example.org address (just be sure to include the report number).
- Is the discussion over once the mediation assessment has been posted? What if it’s wrong and we disagree with it?
You can provide additional information related to the bug report after the assessment has been posted. If you have a solid argument that demonstrates why our assessment is wrong, we will review it.
- The whitehat is asking to perform an attack on one of our assets to prove his PoC. Is this allowed?
The whitehat is allowed to ask, and you are allowed to give or deny permission. You can read more about PoC rules and guidelines in this Help Center article. However, if a whitehat performs an attack without your explicit permission, it is a violation of our rules and you should immediately inform Immunefi.
Our approach to mediation
When you request help, Immunefi is brought in as an impartial 3rd party to analyze the validity of the report and suggest a payout based on the parameters of the your bug bounty program. When we engage in mediation, our goal is to create a win/win outcome for both parties while also ensuring a fair process. We do not automatically side with the whitehat or the project. Instead, we use the bug bounty program in conjunction with our rules to inform our analysis and recommendations.
And while we understand that some are nervous about bringing in Immunefi to mediate, this is always the best option when you cannot reach an agreement with a whitehat. Ultimately, we want both projects and whitehats to continue using our platform, so it is always in our best interest to ensure that the mediation process is even-handed and transparent.
Immunefi will always reach out to whoever requested help within 72 hours (not including weekends) of the request being made. We will also reach out to the other party when necessary to resolve a dispute.
While mediation is ongoing, we ask you to cease direct communication with the whitehat. Instead of responding to all participants, we ask both parties to reply directly to Immunefi in the report page with any concerns or additional information they think will be useful. This is done to avoid the possibility of miscommunication, and it guarantees that Immunefi is privy to all of the facts while we conduct our analysis of the report.
If the issue is caused by a disagreement on a technical issue, we will assign one of our triagers to perform a technical assessment. Our triagers are expert security analysts who have collectively helped to resolve thousands of reports. They are the best in the business, and they will provide an assessment as quickly as possible.
It is difficult to say exactly how long the mediation process will take, as some bugs are incredibly complex and require an in-depth analysis. With that said, our average mediation resolution times are as follows:
- Blockchain/DLT: 9 days
- Smart Contract: 10 days
- Web & App: 9 days
Once the assessment is complete, we will share our recommendation and the reasons for it with both parties. It is important to note that these recommendations are non-binding. Projects always have the final decision on whether or not they want to fix a bug, and they only have to provide a payout if they choose to make a fix. Additionally, projects are free to determine how much they will pay as long as it is within the acceptable range set by their bug bounty program.
However, this does not mean that a project can arbitrarily break the terms of their bug bounty program when evaluating bug reports. For example, if a bug is determined to be critical, the project cannot pay as if it were high severity. Immunefi reserves the right to remove projects that engage in this behavior from our platform.
Furthermore, if a project chooses to disregard our recommendation regarding validity, severity, and/or recommended minimum payout amount, then the whitehat may publicly disclose information about the report without restriction, assuming the bug is fixed. Please see our Responsible Publication Policy for more information.