Summary
After submitting a bug report, your next action is to wait for the project's response. However, it shouldn’t take an unreasonably long amount of time for them to do so.
When projects join Immunefi, they commit to acknowledging, responding to, and resolving bug reports within a certain amount of time, which is determined by the severity of the bug report. This commitment is called an SLA or Service-Level Agreement.
We encourage you to request help from Immunefi in your bug report when projects fail to comply with SLAs or otherwise cause unreasonable delays in the resolution of bug reports. You can do this by clicking the floating ‘request help’ button in your bug report.
However, if Immunefi is already subscribed to the bug report, you can simply send a message directly to Immunefi in your bug report.
After first submitting my bug report, how long should I wait to receive a response from the project?
For a critical severity bug, a project should not take more than 48 hours to acknowledge your report. For a bug of high severity or below, a project is allowed up to 96 hours to acknowledge your report.
What should I do if a project’s slow response is about to break the SLA above for acknowledging a bug report?
You will need to respond in the bug report to the project, alerting them of this. You can use the following template to do so:
“Hi [Project Team],
It's been [mention the time elapsed] since I submitted this bug report. As the agreed SLA for this report is [mention SLA time], I hope that the project team will be able to send an update soon.
If more time is required, please advise on what the possible timeframe would be to expect a [response/resolution] for this report.
Your prompt attention to this is much appreciated.
Sincerely,
[Your Name]”
What should I do if a project has broken the SLA above for acknowledging a bug report?
If a project’s response time exceeds the times listed in the SLA, use this template to respond:
“Hi [Project Team],
It's been [mention the time elapsed] since I submitted this bug report, which is now past the agreed SLA of [mention SLA time]. To avoid further delay, I hope the project team can provide a definite time when you will [respond to/resolve] this report.
Your prompt attention to this is much appreciated.
In the meantime, I will request assistance from Immunefi to expedite this.
Sincerely,
[Your Name]”
Next, request help in your bug report and include the following in your message to Immunefi:
“Hi Immunefi Team,
This report has exceeded the agreed-upon SLA for a resolution. I am requesting assistance from Immunefi to resolve this, and I hope that the project team will be able to send an update without further delay.
Your assistance is much appreciated.
Sincerely,
[Your Name]”
A project is constantly delaying and not resolving my bug report. What should I do?
If it seems like a project is delaying resolution on a bug report, you can request help from Immunefi to resolve this. While help is coming, do remain professional and patient in your communications with the project. Always remember that verbally hostile communications may lead to a loss of payment.
As projects often have multiple tasks to keep track of, a courteous reminder every few days will be helpful to keep your report in their view. You can remind them once every 3 business days (Monday-Friday, non-public holidays).
Here are some examples of phrases you can use to ask for an update:
- "Hello again, just checking in on the status of the bug report."
- "Any updates on the issue I reported?"
- "I'd appreciate an update when you have a moment."
- "Hope everything's okay. Can you share the progress on this bug?"
- "Looking forward to hearing about the resolution."
- "Gentle reminder about the bug I reported. Any news?"
- "Is there anything I can assist with to move this forward?"
- "Haven't heard back in a while. Any developments on the bug?"
- "Just wanted to ensure my report didn't get lost. Any insights?"
- "Your feedback on the bug would be greatly appreciated."
DO NOT reuse the same phrase again and again, as it will look like spam.
DO NOT use aggressive language, make threats, or exploit the bug. If you do that, not only will you likely lose any chance of a reward, but you can get banned permanently from Immunefi.
A project is taking a long time to respond to or resolve my bug report. Can I disclose it in the meantime?
You can review the Responsible Publication Policy of the BBP to see if their rules allow for publication of the bug with or without consent.
In most cases where the project has not yet paid or closed the bug report, DON’T disclose the bug. And if there is ongoing mediation in your bug report, DON’T disclose the bug report until it has been resolved.
However, in the rare case that a mediation assessment has been provided, and the project still hasn’t taken action to resolve it while the issue has been open for 90 days, you can request help from Immunefi to determine if you are able to go public with the information. It is your responsibility to read the project's bug bounty program page and Responsible Publication Policy to make sure you are compliant with the rules.
Additional Notes
Projects should pay researchers as soon as the disclosed bug has been confirmed, in order to resolve the report. Researchers DO NOT need to wait for the project to fix the bug before being paid.
If a project has fixed the bug and is indefinitely or intentionally delaying payment, request help from Immunefi, as this is against our platform rules.
Use the request help feature on the bug report to do so.