Summary
Bug Bounty Programs (BBPs) are not static. Projects often want to update all sorts of things in their bug bounty programs, such as reward bounty amount, payout method, KYC requirement, assets in scope, impacts in scope, arbitrary text on the BBP page, etc.
General Rule
The general rule is that any open bug report is reviewed under the terms of the bug bounty program as they stood at the time the report was submitted. With that said, if a project has logged a program change request with Immunefi, those changes take effect for any new bug reports that come in afterwards, regardless of whether the updated program page has been published yet.
Fortunately, it is an extremely rare occurrence that whitehats submit bug reports to a bug bounty program that has not yet been updated to reflect the project’s change request.
What happens if a BBP is updated while you still have an open bug report?
The rules that apply to your report are those that were active at the time of your submission. You can use something like the Wayback Machine or Google cache to retain a snapshot of the bug bounty program page as it looked when you submitted your report.
The only exception is if the project requested a change to their bug bounty program before your report was submitted but it hadn’t been published yet. This rarely happens. When in doubt, you can request Immunefi to verify when the change request was made and if it was indeed before you submitted your report.
When I started work on a bug report, the reward amount was $10,000. But when I submitted it, it had been updated to $15,000. Which amount will apply to my report?
Your reward will correspond to the amount at the time of submission ($15,000). The same would apply if the amount at the time of submission was lower than the previous amount.
I submitted a bug report about a vulnerability which I believe was in scope at the time of submission. However, unknown to me, the project had submitted a change request to remove that impact from scope. Is my report still in scope?
Your report is unfortunately considered out of scope, because the change was requested before your report was submitted.
However, you should verify this by asking Immunefi to confirm that the change was indeed requested before your report came in.
I submitted a bug report about a contract that is listed as an asset in scope. After my report was submitted, the project requested to remove the asset I targeted from the assets in scope of their BBP. Is my report still in scope?
Your report is still in scope, because the request came after your report.
I submitted a bug report that was accepted, but the project paid my reward in native tokens despite their BBP stating that payouts will be in ETH/USDC. Meanwhile, the project had decided internally to switch to native tokens. But this change has not been published to their BBP.
If this change hadn’t been requested before the time of your report submission, then the project is obligated to pay you according to the terms that were published.
If you do come across a situation where the payment token is not what you expected, request help from Immunefi in the bug report.