At times, you may find a bug that can cause multiple impacts across different severity levels. For example: a bug that has both high and critical severities due to causing both theft of unclaimed yield and governance manipulation.
Should I submit a bug with multiple impacts in one bug report?
Only submit a bug report with more than one impact if the impacts are all caused by a singular bug issue. If you find multiple impacts that are not caused by a singular bug issue, create a different bug report for each impact and each unique bug that causes that impact.
How do I specify multiple impacts in my bug report?
You can simply select multiple impacts on the bug submission form in the Immunefi Dashboard when you go to submit a bug.:
You can also add more impacts via “add custom impact” if it is not in the list, but you believe it is within the bug bounty program’s scope.
I found a bug that has multiple impacts and multiple severity levels. What “severity” level should I select on my bug report?
If you found a bug that has multiple impacts across different severity levels, select the highest severity level that is relevant to your bug report.
For example, if you’ve found a bug that causes medium, high, and critical impacts — select critical severity in the bug submission form. This is because the team must respond according to the highest severity/urgency impacts caused by the bug.
Are multiple impacts the same thing as finding the same bug on multiple assets?
No, they are not the same thing. A multiple-impact bug is a single bug that causes multiple problems (i.e. freezing of funds, theft of unclaimed yield, voting manipulation), but can be fixed in a single patch.
Finding a bug on multiple assets, regardless of the impact amount, is different, as it requires multiple fixes, not just one. For these kinds of bugs, you must submit a separate bug report for each asset that needs to be fixed.
Read here for more information on what to do with the same bug on multiple assets.
How is the payout/reward amount calculated in the case of bugs with multiple impacts?
In the case of multiple impacts across different severities (medium, high, critical), only the highest impact is taken into consideration and paid for (critical).
Remember that your number of payouts directly correlates to the amount of fixes required. If more than one fix is required, you are eligible to receive more than one payout. Each fix should also be a separate bug report.