Summary
As a security researcher, you may be required to go through a third-party-verified KYC (Know-Your-Customer) process for projects before they make payment. This can be for various reasons, such as complying with local laws regarding payments.
However, any KYC requirements should be clearly stated in the project’s bug bounty program (BBP) beforehand.
There are three levels of KYC requirements:
- Level 1: Provide your real name and address
- Level 2: Provide your real name, address, and tax information
- Level 3: Provide your real name, address, and government ID number
How do I know if a project requires KYC?
Project KYC requirements will always be clearly visible. Every bug bounty program page has a KYC box at the top. Here is an example bug bounty program page with the KYC requirement clearly stated.
If the KYC box states that KYC is required, there will be a section in the bug bounty program further discussing the KYC level and the documents the whitehat must submit as part of the process.
How do I submit KYC information?
When your report is confirmed, you will receive an email with a link to Onfido for KYC verification. If you do not submit your KYC information for a program with a KYC requirement, you will be required to do so before you receive payment.
How is KYC information verified?
Your KYC information will be verified by a third-party provider called Onfido.
Is it a must for me to provide KYC information?
Only if the project requires it. KYC isn’t required by default, and many projects don’t require KYC.
My bug was already accepted. Will I lose my payout if I choose not to KYC?
If the project requires KYC and you choose not to complete it, they may deny your payment. For projects that require KYC, it can be a strict requirement for their company’s legal, accounting, or compliance purposes, and so it may be impossible for them to pay you unless you KYC.
Is it possible to make a career as a security researcher/whitehat without KYC-ing?
Yes, you definitely can! Many projects on Immunefi do not require KYC, so choosing to hunt only non-KYC projects is still a viable option if you are concerned about privacy or you have difficulty with KYC.
What kind of documents or information do I need to provide for KYC?
KYC requirements will vary based on the KYC level required by the project. KYC requirements may include email address, username, full name, address, company details, nationality, date of birth, and a tax form.
I’m not comfortable with the way the project is asking me to KYC. Can Immunefi help?
Yes. If the project asks for KYC requirements that are different from what is stated on their BBP, you can and should request help from Immunefi in your bug report. All KYC requirements should be submitted through the Immunefi platform.
What if a project updates their bug bounty program to require KYC after I’ve already submitted a bug?
Any changes to KYC requirements only apply to new bug reports submitted to the project, not to bug reports already submitted or to previously processed and paid reports.