As a security researcher, you may be required to complete a KYC (Know Your Customer) process before a project pays out a bounty. Projects ask for this for various reasons, such as complying with local laws on payments.
However, any KYC requirements should be clearly stated in the project’s BBP beforehand and should be reasonably attainable without causing excessive inconvenience or leading to an undue exposure of privacy. For example, asking for a driver’s license or photo ID is fairly conventional and reasonable, but asking for photos of one’s home and family members would be a bizarre and invasive request.
How do I know if a project requires KYC?
Project KYC requirements are always clearly visible: every bug bounty program page has a KYC box at the top of the program. Here is an example bug bounty program page with the KYC requirement clearly stated.
If the KYC box states that KYC is required, there will be a section in the bug bounty program further discussing these details and which documents the whitehat must submit as part of the process.
Is it a must for me to provide KYC information?
Only if the project requires it. KYC isn’t required by default, and the vast majority of projects don’t require KYC. However, a few projects do.
My bug was already accepted. Will I lose my payout if I choose not to KYC?
If the project requires KYC and you choose not to complete it, they may deny your payment. For projects that require KYC, it can be a strict requirement for their company’s legal, accounting, or compliance purposes, and so it may be impossible for them to pay you unless you KYC.
Is it possible to make a career as a security researcher/whitehat without KYC-ing?
Yes, you definitely can! The majority of projects on Immunefi do not require KYC. And the bounty amounts can even be as large as $1M+, so choosing to hunt only non-KYC projects is still a viable option if you are concerned about privacy or have difficulty with KYC.
What kind of documents or information do I need to provide for KYC?
KYC requirements are not currently standardized in the crypto space. With that said, the usual request is a photo of a national ID and a scan of a utility bill as proof of residency. Projects may also ask for an address, a phone number, and a legal name or company name for invoicing purposes.
Does Immunefi mediate or handle the KYC process between the project and me?
No. KYC is handled directly between the project and yourself. Immunefi is not involved in the KYC process, as the bounty reward payment comes from the project directly.
How will I submit my documents for KYC? Will it be secure?
Projects can ask for details to be submitted on the Immunefi Bugs Dashboard. Some projects may also have their own web portal or KYC service provider to assist with the process.
Although Immunefi is not in a position to ascertain or make representations about the security of these third-party websites and tools, it is generally safe to KYC, especially through a known provider of eKYC services such as Onfido or ComplyAdvantage. Before uploading anything, check that the portal you are sent to actually belongs to the provider the project named and that what it asks for matches what the project's BBP states.
These providers are themselves subject to the compliance requirements of the jurisdictions they operate in, so if you are extra cautious about privacy, you can review the data protection regulations of the countries they are based in.
I’m not comfortable with the way the project is asking me to KYC. Can Immunefi help?
Yes. If the KYC requirements given by the project are different from what is stated on their BBP, or are unnecessarily invasive or impractical, you can and should request help from Immunefi in your bug report.
What if a project updates their bug bounty program to require KYC after I’ve already submitted a bug?
Any changes to KYC requirements only apply to new bug reports submitted to the project, not to bug reports already submitted or to previously processed and paid reports.