Projects, like whitehats, are required to maintain professional and ethical conduct and must follow Immunefi’s rules in order to remain in good standing on the platform.
Among other rules, projects have a responsibility to compensate whitehats fairly, respond to bug reports in a timely manner, and act in good faith.
Using this document:
In the next section, we have a quick reference guide in Q&A format that you can check for specific situations that may apply to you.
Below that, we have a list of prohibited behaviors for projects. If you spot any of this behavior, you should request mediation in your bug report.
We strongly encourage you to view the other party’s actions and communications as charitably as possible. However, we understand that sometimes the other party is genuinely failing to respect the rules and act ethically.
If you believe a whitehat or project is breaking these rules in relation to a bug report, please directly message Immunefi in the bug report submission thread. We will assess the situation and make a determination on how to proceed from there.
Quick Reference Guide:
As a whitehat, I reported a bug, but feel that something is wrong and suspect that the project is breaking a rule. What should I do?
You are in the right place for advice. Read on to see which of the following situations seems to describe what you are facing. Ultimately, if you cannot find which specific rule is being broken but still feel that something is wrong, you can still request help from Immunefi by clicking the ‘request help’ button in your bug report and explaining your situation.
The project asked me to communicate via email or messaging, outside of the Immunefi platform.
This is a violation of a rule that requires projects to communicate and negotiate with whitehats only on the Immunefi platform itself. You should inform the project that you prefer to keep communications on Immunefi and if the project persists, then request help in your bug report, and highlight this issue to the Immunefi team.
The project closed my report without paying, but then later fixed the same bug that I had reported.
This is also a violation of the rules. You should immediately request mediation in your bug report, and highlight this issue to the Immunefi team. Provide the Immunefi team with evidence of the fix and an explanation of how it fixes the bug you submitted.
The project is taking very long to respond to my bug report.
Immunefi has Service Level Agreements (SLAs) with projects. An SLA is the length of time within which the project has agreed to acknowledge, respond to, and resolve bug reports. Generally, a project should acknowledge a Critical severity report within 48 hours, and a non-critical severity report within 96 hours.
A Critical or High severity report should not take more than 21 days to resolve. Likewise, a Low or Medium severity report should not take more than 14 days to resolve.
When a project has exceeded any of these SLA timelines, you can request Immunefi’s support directly in your bug report to get the project to respond.
My problem isn’t listed here.
If your situation doesn’t fall into any of the above scenarios, but you still feel there is some wrongdoing, ask in our Discord, submit a support request here, or you can still request mediation from Immunefi with an explanation of your situation.
Check the list of prohibited behaviors for projects below.
List of Prohibited Behavior for Projects
Violation of these rules can result in a temporary suspension or permanent ban from the Immunefi platform at the sole discretion of the Immunefi team.
For projects, this may also result in removal from the Immunefi platform and, in the case of an SLA breach, public disclosure of that removal.
These rules can be changed at any time, and the updated set of rules can always be found on the Immunefi website: https://immunefi.com/rules/
- Routing around Immunefi and communicating with a whitehat directly - negotiations outside of the Immunefi dashboard are considered invalid
- Paying whitehats who submit bug reports via Immunefi outside of Immunefi
- Soliciting whitehats on Immunefi for commercial projects or private bug bounty programs
- Mediation request abuse
- Breaking SLAs regarding responsiveness and bug report resolution
- Publicly disclosing a bug report before you have both fixed the issue and paid the whitehat
- Claiming a bug report is a known or duplicate issue without clear evidence
- Abusing the "no fix, no pay" rule by stealth fixing the bug later without providing full payment to the whitehat
- Bad faith communication
- Refusing to provide whitehats or Immunefi with necessary information about their project for invoicing purposes if that information is available
Low Value Behavior
- Attacks based on personal characteristics
- Closing a report without providing detailed information and/or evidence as to why it should be closed
- Promoting any of the behavior listed above
Please ensure that you read and become familiar with the SLAs described here.