Summary
When you're reviewing code out in the wild, you may sometimes come across a vulnerability in a project that has neither a self-hosted bug bounty nor a bug bounty program on Immunefi. You may still want to report it, but how do you go about it?
Does Immunefi provide disclosure assistance for whitehats if the project does not have a bug bounty program?
The answer is no, in most cases.
In general, Immunefi does not provide disclosure assistance or mediations outside of the Immunefi platform by default.
However, exceptions can sometimes be made for cases where:
- There is risk to one or more Immunefi clients
- There is a significant risk posed to an entire ecosystem
- There is a large amount of funds at direct risk of being stolen
If you feel that your case fits the bill for an exception, you can request help from the Immunefi team via email at support@immunefi.com, or any of the appropriate support channels.
I found a bug on a project that isn’t on Immunefi. How can I report it?
Firstly, if the project has an active bug bounty program, you are encouraged to submit the bug directly to the project. Their website or documentation will usually contain information on how to do so. Keep in mind that when submitting to a self-hosted bug bounty program, the project decides the rules, and there will be no external mediation should there be any disagreement regarding the bounty payout.
Secondly, if the project does not have an active bug bounty program, or its program seems inactive, consider whether you are willing to submit the bug to the project on a goodwill basis. This means submitting it to them while expecting no payment. It may not be ideal in terms of immediate reward, but many security researchers have gotten their start this way and built their reputation on it.
How can I ask a project to join Immunefi if I prefer to report the bug that way?
If you personally feel strongly that a project should be hosting a bug bounty program on Immunefi, reach out to an Immunefi team member on Discord for suggested outreach*.
Use this template: “Hi [Immunefi Team Member], I would like to suggest a project for outreach, as I’ve found a critical bug with direct funds at risk of being stolen. Please allow me to DM you the details in private.”
Then proceed to DM the team member with the details once you’re able to do so.
*Immunefi sometimes provides outreach or disclosure assistance for critical bugs on an exceptional, case-by-case basis. This is not the default, however: whitehats should report bugs directly to the respective project whenever it is not hosted on Immunefi.
What can I do to reach a project that doesn’t have an active presence on social media or any clear means of reaching them?
If the project is not responsive to contact via normal means, you may wish to try less conventional methods, such as sending an on-chain message to the deployer address, encrypted with the public key of that address (an address only reveals a hash of the key, but the key itself can be recovered from any transaction the deployer has signed).
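The following is an added illustration of what "encrypted with the deployer's public key" means in practice; it is not Immunefi's code and not a recommended tool. It implements secp256k1 point arithmetic in pure Python and a small ECIES-style scheme on top of it (ephemeral ECDH, SHA-256-derived encryption and MAC keys, a SHA-256 counter keystream, an HMAC tag). Assumptions: the deployer key pair is constructed inside the demo, whereas in reality you would hold only the public key recovered from one of the deployer's signed transactions; the message layout (65-byte ephemeral point, ciphertext, 32-byte tag) is a teaching design rather than a standard format, so a real message would be produced with a maintained library whose format the recipient can decrypt.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (the curve Ethereum account keys live on).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                  # a == -b
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P       # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P        # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication k * point."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def encode_point(pt):
    """Uncompressed SEC1 encoding: 0x04 || x || y (65 bytes)."""
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def decode_point(data):
    if len(data) != 65 or data[0] != 4:
        raise ValueError("expected a 65-byte uncompressed secp256k1 point")
    x = int.from_bytes(data[1:33], "big")
    y = int.from_bytes(data[33:], "big")
    if (y * y - x * x * x - 7) % P != 0:                 # reject points off the curve
        raise ValueError("point is not on secp256k1")
    return (x, y)


def derive_keys(shared_point):
    """Hash the ECDH shared x-coordinate into separate encryption and MAC keys."""
    shared = shared_point[0].to_bytes(32, "big")
    enc_key = hashlib.sha256(b"demo-ecies-enc" + shared).digest()
    mac_key = hashlib.sha256(b"demo-ecies-mac" + shared).digest()
    return enc_key, mac_key


def keystream_xor(key, data):
    """XOR data with a SHA-256 counter keystream (same call encrypts and decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_to_pubkey(pubkey, plaintext):
    """Encrypt so that only the holder of pubkey's private key can read it."""
    eph = secrets.randbelow(N - 1) + 1
    r_bytes = encode_point(scalar_mult(eph, G))          # ephemeral public key, sent in clear
    enc_key, mac_key = derive_keys(scalar_mult(eph, pubkey))
    ciphertext = keystream_xor(enc_key, plaintext)
    tag = hmac.new(mac_key, r_bytes + ciphertext, hashlib.sha256).digest()
    return r_bytes + ciphertext + tag


def decrypt_with_privkey(privkey, blob):
    """Inverse of encrypt_to_pubkey; raises ValueError on tampering or wrong key."""
    if len(blob) < 65 + 32:
        raise ValueError("blob too short")
    r_bytes, ciphertext, tag = blob[:65], blob[65:-32], blob[-32:]
    enc_key, mac_key = derive_keys(scalar_mult(privkey, decode_point(r_bytes)))
    expected = hmac.new(mac_key, r_bytes + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch: tampered message or wrong key")
    return keystream_xor(enc_key, ciphertext)


def demo():
    # Constructed stand-in for the deployer's key pair (hypothetical values).
    deployer_priv = secrets.randbelow(N - 1) + 1
    deployer_pub = scalar_mult(deployer_priv, G)
    note = b"Constructed sample: critical issue found, please reach out to the reporter."
    calldata = encrypt_to_pubkey(deployer_pub, note)     # would become the tx data field
    return decrypt_with_privkey(deployer_priv, calldata) == note


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The encrypted blob would go into the data field of a zero-value transaction sent to the deployer address; anyone can see that a message was sent, but only the key holder can read it, and the HMAC tag lets them detect a corrupted or forged blob. Because the recipient must know the exact scheme to decrypt, an established library format is the practical choice over a one-off construction like this one.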
The project failed to respond after all the ways I’ve tried to contact them. Can I report the vulnerability publicly to protect users?
It is generally good practice to give the project at least a week to respond to attempts to reach it via various channels.
If, after a week, there is still no response and you are determined to go ahead, you could make a conscientious public post notifying users that they should withdraw their funds. Do not make the vulnerability public before users have had a chance to withdraw their funds. You will be relying on your security reputation for users to trust that there is a real vulnerability, so this is not for those who are relatively new to the security industry and haven't yet built a reputation.
Do not abuse this trust. Alternatively, you can have another trusted security company or researcher review the vulnerability and make the announcement themselves.
The project failed to respond after all the ways I’ve tried to contact them. Can I whitehack the funds with the intention of returning them later?
No. Regardless of intention, whitehacking a project without its express written permission is an illegal act of theft, and you can be in danger of prosecution for doing so. Be sure to secure very clear written consent before performing any sort of whitehacking; if you don't have clear written consent, it is best to avoid taking action until you do.
Also, do not test the exploit on any public testnet or on mainnet, as this can easily be copied by another person with less noble intentions and used to drain the protocol completely.