Vaults System Overview
The new Vaults System has been designed to increase transparency between projects and whitehats, as well as to guarantee the security and swift delivery of payments.
Now, projects can deposit and withdraw funds using their secure vault on the Immunefi platform. This vault is visible to whitehats, which means that you are able to see how much money the project has set aside for potential bug bounty reward payments.
Submitting a Bug Report to a Project with a Vault
When you are on the Explore Bounties page, you will see a column labeled ‘Vault TVL’ under which some projects will have a USD amount listed. This represents the total funds that the project has in their vault.
The process for submitting a report to a project with a vault is similar to that of submitting to any other project. However, as soon as you select a program with a vault to submit to, you will see a vault window that displays the funds currently available, the vault address, the 30-day average funds availability, and the asset types.
Once you have submitted the report, the vault information will be visible on the right side of the report page.
Re-verifying a Wallet Address
After your report has been escalated to the project, you will be asked to re-verify your wallet address on the report page. We have you do this to ensure that any potential payment for the bug report goes to you and not to someone else because of a mistake.
If you do not verify your wallet address at this point, the project will be unable to pay you a reward.
There are two ways to verify your wallet address:
- The first is to select the ‘Sign a message’ option. We recommend that you choose this method because it is a cryptographic method for proving your ownership of the wallet, and it is not susceptible to user error.
- The second method for verifying your wallet address is to type it in manually. We do not recommend this method because it could result in your payment going to someone else’s wallet due to a single typo. If this happens, there is nothing we can do to help you recover the funds.
Payment Rewards
Once the project has determined that your report is valid and in scope of the bug bounty program, they will proceed to payment. However, they can only begin the payment process after you have re-verified your wallet address on the report page.
Once the project has processed the payment, it will be automatically added to your account from the project’s vault. The report will then be changed to the ‘Paid’ status.
Vaults FAQ
What's the purpose of the Vaults System?
The purpose of the Vaults System is:
- To allow projects to demonstrate to whitehats via the Immunefi UI that they have funds specifically dedicated towards paying bug bounty rewards. This will create trust with whitehats to encourage more top-tier bug reports.
- To allow projects to easily and quickly send on-chain payments to whitehats from their Vault.
Can I change the wallet address after I have verified it?
Yes, but only if the project has not yet started to process the payment. Once the payment process has begun, it is too late to change the wallet address.
Can I use a multisig to verify my wallet?
No, this feature is not yet available. However, you can use the “Add wallet manually” feature.
When can I verify my wallet address?
You can verify it as soon as the report is escalated to the project.
Does Immunefi plan to include trust assurances in the Vaults System?
The Vaults System is a major step towards developing the ultimate bug bounty platform with increased trust assurances so that when you submit a valid and in-scope report, you’ll be paid. We will continue releasing new features piece by piece to achieve that goal.
Am I able to filter Bug Bounty Programs on the Explore Bounties page to see which projects have vaults?
Yes, you can filter out projects that do not have vaults. Furthermore, you can see the total USD value of assets stored within the project’s vault under the ‘Vault TVL’ column.