Summary
If the bug bounty page you were viewing is no longer available, do not panic or assume that the project is a bad-faith actor.
Pausing for Updating BBP
In most cases, the project has requested a temporary pause to update assets, impacts, rewards, or general terms. Once those changes have been processed, the project is then unpaused, and the bounty page is live again.
Forcibly Paused for Not Meeting Obligations
In other cases, however, Immunefi will forcibly pause a project if it does not meet the SLAs for responding to bug reports that were set when the project signed up on Immunefi. Projects are only unpaused when they meet their SLA or other obligations, such as acknowledging or resolving a report.
In worst-case scenarios, if a project continually underpays, fails to pay whitehats for valid reports, or refuses to meet its SLA obligations, it is fully removed from the Immunefi platform. If a project wants to rejoin Immunefi after it has been fully removed, it must go through a re-onboarding process and pay out any previously outstanding bug reports.
All information on pauses and removals (and unpauses and re-onboardings) is now available in the #bbp-updates channel on Immunefi’s Discord.
I was on a project’s BBP, but when I looked for it later, I couldn’t find or view it for some reason. Why?
Bug bounty programs on Immunefi are sometimes “paused” for various reasons, as mentioned above, including making updates to the program, making updates to their code, or responding to an ongoing hack. Generally, most programs routinely paused in this manner are still maintaining Immunefi SLAs for submitted reports and will try to get back to you within the set timeframe.
Are pauses always a voluntary decision by the project?
Not all pauses are voluntary. Some pauses are initiated by Immunefi due to a breach of Immunefi SLAs, project misbehavior such as refusing to pay out a valid and in-scope bug that the project has fixed, or mistakes in BBPs requiring immediate correction.
Immunefi will not allow a misbehaving project to continue to receive potentially valid reports until it has resolved any existing issues (unresponsiveness, unpaid reports, etc.).
Can a project remove its BBP from Immunefi on its own?
No. Projects do not have the ability to self-remove their BBP without first making a request through Immunefi.
If I made a bug submission and the protocol’s BBP went on pause after I submitted it, did I just lose my finding?
No. The bug report will be received and evaluated based on the state of the BBP at the time of submission. That being said, if a project placed a formal request to modify its BBP before your report was submitted, the report will be evaluated against the newest terms regardless of whether those terms had already been published on the BBP page. Still, actual occurrences of this happening before the new terms are visible on the project’s BBP page are rare.
However, if the pause was due to the project misbehaving, which resulted in a forcible removal from the platform, there is a chance that the project might remain paused for an indefinite period or be permanently removed. In those cases, your bug report may remain unresolved or unpaid unless they decide to re-onboard with Immunefi, in which case the project would have to reward your bug report as normal.
What is my best course of action after a project I am hunting on becomes paused?
If you have already submitted a bug report, you may message Immunefi directly in the bug report itself. If you have not received a response from Immunefi in your bug report, contact support through our Discord (#support-requests channel) to seek help in determining whether a project will still respond within the SLA timeframe, or will take longer to respond (due to responding to an ongoing hack, updating assets, or being forcibly removed, etc.).
If you have found a bug in an already-paused program, it may be wise to wait until after the program becomes unpaused and to check the updated terms of the BBP before submitting.