When a bug bounty program is paused, whitehats sometimes presume bad intent and take to social media to voice their complaints. This can lead to bad publicity for a project, which is unfair because BBP pauses are often done for innocuous reasons and for short periods of time.
To prevent potential damage from runaway whitehat speculation, we now announce when and why programs are paused (or removed) to our whitehat community on Discord in the channel #bbp-updates. We also announce when a program has been unpaused so that whitehats know that they can resume hunting on that program.
By making the process for pauses and removals more transparent, we foster trust with our whitehat community which encourages them to keep submitting reports.
Why are bug bounty programs paused?
Bug bounty programs can be paused by request from the project, or when they are required to by Immunefi. Below is a list of reasons why a program might be paused.
Project requested pauses-
- Project has requested updates to their bug bounty program
- Project is updating their code
- Project has a report backlog that needs to be resolved
- Project has ceased operations or is low on funds
- Project no longer wishes to have an active program on Immunefi
- Project is dealing with an ongoing hack*
*Note: We do not announce when a bug bounty program is paused due to an ongoing hack. However, if the project wishes to keep their program paused after a hack is over, we will announce the pause.
Immunefi forced pauses-
- Project is in breach of Immunefi SLAs
- Immunefi is implementing an emergency bug bounty program update
- Project fixed an in-scope bug without paying
- Project refused to pay an in-scope bug at an appropriate rate (as determined by the bug bounty program)
- Project has been removed from the platform for repeated violations of our rules and SLAs
- Project fails to remedy the reason why they were paused.
How does Immunefi decide when to pause a program?
Program pauses are often done at the request of the project, but we do pause programs when projects violate our rules or break SLAs. With that said, the decision to forcibly pause a program is not one that we make lightly.
We understand that the rule/SLA violations are often a result of miscommunication or extenuating circumstances, so we make every effort to touch base with projects prior to implementing and announcing a pause. We also provide opportunities for projects to rectify issues before we take any action.
Forced pauses are only used as a last resort once all other options have been exhausted.
How does Immunefi decide when to remove a program?
A project is removed from Immunefi when they do not remedy the original reason why they were forcibly paused, which may include breach of SLAs, failure to pay a bug report at the appropriate rate, etc.
When a project remedies the reason for being paused, they are simply unpaused, and the unpause is announced on Discord.
However, if a project is formally removed from Immunefi (as opposed to just paused), they will only be able to rejoin Immunefi if they go through re-onboarding. As with unpausing, they must also resolve every bug report that was previously submitted to them.
Removals are only used as a last resort once all other options have been exhausted.
How do we request a pause for our program?
To request a pause for your program, please contact our Customer Experience team and provide a brief explanation for your pause request. You can reach us via Telegram, Zendesk, or email.
We will follow up with you to confirm the request prior to implementing and announcing it.
What happens to reports that are submitted prior to a pause?
You are responsible for resolving all reports that were submitted prior to your program being paused. In some cases, we may require you to resolve all outstanding reports before we unpause your bug bounty program.