When vulnerabilities are publicly disclosed, such as by public security advisories, CVEs, or otherwise, Immunefi considers these vulnerabilities temporarily out-of-scope in order to give projects time to respond.
Projects are always recommended to fix publicly disclosed vulnerabilities as soon as possible, and if a quick fix is not possible, then to self-report the issue on Immunefi.
Once the following timelines are over, the publicly disclosed vulnerabilities become in-scope once again and bug reports referencing them are to be rewarded as normal. If a project has not fixed a publicly disclosed vulnerability within the following timelines, then it is assumed that the project is not aware of the impactful threat that the vulnerability poses.
Critical & High severity vulnerabilities are out-of-scope for 30 days after the public vulnerability disclosure is made. These types of vulnerabilities pose a significant risk to the security of the system and require immediate attention to prevent potential attacks.
Medium severity vulnerabilities are out-of-scope for 60 days after the public vulnerability disclosure is made.
Low severity vulnerabilities are out-of-scope for 120 days after the public vulnerability disclosure is made.
If a whitehat submits a bug report that is still in its temporary out-of-scope period, based on when the relevant public vulnerability disclosure was made, then this bug report will be closed without payment. Any further bug reports on the same vulnerability when the temporary out-of-scope period has ended may then be closed without payment as known issues.
If a project intends to close a bug report as a “Known Issue”, the burden of proof is on the project to prove it was internally known. Immunefi does not consider citing the public vulnerability disclosure on its own as sufficient proof that the issue was internally known. However, Immunefi does consider a private disclosure of the vulnerability as sufficient proof that the issue was internally known if the private disclosure clearly states the vulnerability and its impacts.
Further info on how projects can close a bug report as a known issue is covered here: https://immunefisupport.zendesk.com/hc/en-us/articles/11762775894673-Self-reporting-Bugs-and-Closing-Reports-with-Known-Issues