As a whitehat, you hold a duty to act professionally and responsibly towards other users of the Immunefi platform, whether they be other whitehats, projects, Immunefi staff members, or others.
It is important to remember these rules while bug hunting, to avoid causing real harm to a protocol or its users. Following them is also crucial to maintaining trust between projects and whitehats on Immunefi.
Similarly, projects also have to obey rules to ensure that they compensate hackers fairly, respond in a timely manner, and act in good faith.
Violation of these rules can result in a temporary suspension or permanent ban from the Immunefi platform at the sole discretion of the Immunefi team.
For whitehats, this can mean forfeiture of rewards and loss of access to bug reports.
For projects, this may also result in removal from the Immunefi platform, and the publication of this removal in the case of an SLA breach.
These rules can be changed at any time, and the updated set of rules can always be found on the Immunefi website: https://immunefi.com/rules/
We will go over the rules for Whitehats in more detail here.
Prohibited Behavior for Whitehats (collateral damage)
- Any testing with mainnet or public testnet contracts.
- Whitehacking with intent to save user or protocol funds without the express written consent of the project in the Immunefi Dashboard.
Prohibited Behavior for Whitehats (illegal activities)
- Attempting phishing or other social engineering attacks against Immunefi and/or projects on Immunefi
- Threats of violence
- Threatening to publish or publishing people’s personal information without their consent
- Extortion/blackmail or threats of extortion/blackmail
- Posting illegal content
Prohibited Behavior for Whitehats (platform rules)
- Routing around Immunefi and communicating with a project directly - negotiations outside of the Immunefi dashboard are considered invalid
- Disputing a bug report in the dashboard once it has been paid or marked as closed, with the exception of requesting mediation
- Submitting a bug report in a language other than English
- Submitting a bug report with no PoC or an incomplete PoC if it is required by the project's bug bounty program - see this article for Immunefi Proof of Concept (PoC) rules
- Submitting fixes to a project's repository without their express consent
Prohibited Behavior for Whitehats (acting in bad faith)
- Misrepresenting assets in scope: claiming that a bug report impacts/targets an asset in scope when it does not
- Misrepresenting severity: claiming that a bug report is critical when it clearly is not
- Exploiting/attacking or threatening to exploit/attack a project on Immunefi - see this article for Immunefi Proof of Concept (PoC) rules
- Publicly disclosing a bug report (or even the existence of a bug report for a specific project) before it has been fixed and paid
- Failing to abide by the Responsible Publication Policy categories set by projects, which determine what whitehats are allowed to publish about their bug reports
- Harassment, i.e., excessive, abusive, or bad faith communication
- Unauthorized disclosure or access of sensitive information beyond what is necessary to submit the report
Prohibited Behavior for Whitehats (low effort/low quality/spam)
- Automated testing of services that generates significant amounts of traffic
- 'Beg bounty' behavior, i.e., begging for a bounty reward that is not owed to the whitehat based on the terms of the bug bounty program
- Advertising or promotion of services
- Reporting a bug that has already been publicly disclosed
- Creating multiple accounts on the Immunefi platform
- Mediation request abuse
- Placeholder bug submissions, i.e., bugs that have a vague title, very few details, and no reproducible steps
- Submitting a bug report that is not substantially your own (co-submitting with another hacker with their consent is permitted)
- Submitting spam/very low-quality bug reports and submitting information through our platform that is not a bug report
- Submitting AI-generated/automated scanner bug reports
Prohibited Behavior for Whitehats (unprofessional behavior)
- Attacks based on personal characteristics
- Impersonation of other whitehats
- Obscene or extremely offensive usernames
- Requesting gas fees from Immunefi or projects
- Submitting bugs via email or any channel other than the Immunefi platform
- Promoting any of the behavior listed above