Usually, bugs are unique to a single project or smart contract, but on occasion, you may find the same bug on multiple projects and chains. In general, you can follow this guideline: one bug, one patch, one payout. So, if the same vulnerability is found in the assets of multiple different projects, you should file a new report for each.
Can I get paid twice or more for the same bug if I found it on different projects?
Yes, it is perfectly possible to get paid twice or more for the same bug that you find on different projects. However, the reward you would be eligible for may differ based on the terms of each bug bounty program (BBP), including scope and reward amount.
Each project will have to confirm the bug, ensuring that it is not a duplicate or known issue for them. Keep in mind also that the amount of funds at risk may differ by project, and this will likely affect your payout amount.
Additionally, although rare in practice, some projects might also choose not to fix the bug and so would not have to provide a bug bounty payout.
While hunting, I found a bug that affects a project on multiple chains (e.g. ETH, Polygon, BSC, Arbitrum). Do I report each of them separately?
Yes. Generally, if the files or endpoint of a bug are different, then it is a distinct issue that needs its own fix. However, if the files or endpoint of a bug are the same, or if fixing a bug on one end automatically fixes the rest, then one bug report should suffice.
Remember that it does not make sense to have more than one bug report if one fix is enough to stop the impact.
I found a bug that affects multiple projects because they all forked the same buggy codebase. How should I report it?
Same as above. Regardless of how the bug was introduced, there should be at least one bug report for each project, or each additional fix that is needed.
I found a bug that affects multiple projects because of a shared dependency. How should I report it?
For example, you might find an issue with one liquidity pool that causes an issue with three separate projects because they all use the pool as an oracle price source.
Here’s how we look at it, based on the following scenarios:
- Is the bug only fixable from the source of dependency? — Then report it to the source project.
- Is the bug NOT fixable solely from the source, but instead requires changes or input from all affected projects? — Then report it to all of the affected projects.
Consider that for each individual project involved, a separate fix is required — one report, one fix, one payout.
So in the second scenario, you will need to submit a separate bug report for each project; each one will need to be fixed, and each one must be paid.
I found a bug that affects multiple projects, but one or more of them does not have a BBP with Immunefi. How should I report it?
For projects that have a BBP with Immunefi, report it as usual in the Immunefi Dashboard.
But for projects that do not, you have two options:
- Contact the project directly — for projects not currently hosted on Immunefi, this is the best way to reach them.
- Consider if the project should be on Immunefi — if the project is a significant TVL contributor or a critical ecosystem player, and you feel strongly that they should be hosting a bug bounty program on Immunefi, reach out to an Immunefi team member on Discord for suggested outreach*.
Use this template: “Hi [Immunefi Team Member], I would like to suggest a project for outreach, as I’ve found a critical bug. Please allow me to DM you the details in private.”
Then proceed to DM the team member with the details once you’re able to do so.
*Immunefi sometimes provides disclosure assistance for critical bugs on an exceptional, case-by-case basis. However, this is not the default, and hackers should by default report bugs to the respective projects if they are not hosted on Immunefi.
When reporting a bug to non-Immunefi projects, the bounty terms are undefined, and the outcome can be unpredictable, as they do not have a formal engagement with Immunefi.
In the past, even non-Immunefi projects affected by a bug have paid the researcher a substantial reward amount ($250k in this case) on top of the bounty paid by an Immunefi project ($1M) for the same bug finding.
So in general, reporting to all parties affected is not only the responsible thing to do, but may even be the best option in terms of maximizing your payout.
Immunefi firmly believes that all projects that benefit from a whitehat’s finding should have a moral obligation to pay security researcher(s) for the work that they’ve done in protecting their protocol from harm, even if they did not host a BBP prior to the finding.