Immunefi now allows projects to assign a specific role to each of their users. Roles are assigned by the project admin, and each role carries a different set of permissions. This lets a project limit access to sensitive information by ensuring that only users with the appropriate role can access a given report.
There are four roles that a project user can have: admin, triager, member, and finance.
Admin users have access to all reports submitted to the bug bounty program, and they are able to utilize the full set of report actions. Admins are the only users that can edit the program settings, add new users, and change user roles.
Triager users are people the admin has invited to the program to help process bug reports. For this reason, triager users have nearly the same report access and report actions as admins (see the chart below for the few exceptions), but they do not have control over the program settings and they cannot add users or change their roles. If your program has the Managed Triaging service, triager users can also self-escalate reports with the 'Immunefi Review' status.
Member users are people that the admin has invited to the program, but their access to reports and report actions is limited. They are only subscribed to reports when they are added by an admin or a triager, and they cannot add users, change user roles, or edit program settings.
Finance users are people the admin has invited to the program to help with report payment, and they have the permissions that role requires. However, the information they can view is limited. They are automatically subscribed to a report only when it is moved to the ‘Confirmed’ status, and they can remain subscribed to it through the ‘Paid’ and ‘Closed’ statuses. Finance users are also limited in the report actions they can take, and they cannot add users, change user roles, or edit program settings.
For a full list of actions and permissions available to each user role, see the chart below.
How to Change User Roles
User roles can be changed directly by the project admin in the project settings. To change a user’s role, the admin must click the ‘Users’ tab. Then they must click the three vertical dots to the right of the user whose role they wish to change. This will open a dropdown menu with the user role options. Select the desired role and click confirm in the confirmation modal to change the user’s role.
Only project admins can change a user’s role, and they are unable to edit their own user role. Whenever a project admin is added, removed, or changed to another role, all admin users will receive an email notifying them of the change.
Actions and Permissions for Each User Role
| Action | Admin | Triager | Member | Finance |
|---|---|---|---|---|
| Users with this role will be auto subscribed to all escalated reports | ✅ | ✅ | ❌ | ❌ |
| Users with this role will be auto subscribed to all confirmed reports | ✅ | ✅ | ❌ | ✅ |
| Users with this role are able to view reports before they are subscribed to them | ✅ | ❌ | ❌ | ❌ |
| Ability to submit a report to the bug bounty program | ✅ | ✅ | ✅ | ✅ |
| Ability to view report ID and type in reports they are subscribed to | ✅ | ✅ | ✅ | ✅ |
| Ability to view comments made prior to the user being subscribed | ✅ | ✅ | ✅ | ❌ |
| Ability to view comments made after the user is subscribed | ✅ | ✅ | ✅ | ✅ |
| Ability to view report activity | ✅ | ✅ | ✅ | ❌ |
| Ability to view report summary | ✅ | ✅ | ✅ | ❌ |
| Ability to view PoC when included | ✅ | ✅ | ✅ | ❌ |
| Ability to view report participants | ✅ | ✅ | ✅ | ✅ |
| Ability to view attachments added before the user is subscribed | ✅ | ✅ | ✅ | ❌ |
| Ability to view attachments added after the user is subscribed | ✅ | ✅ | ✅ | ✅ |
| Ability to view potential duplicates | ✅ | ✅ | ✅ | ❌ |
| Ability to view feedback | ✅ | ✅ | ✅ | ✅ |
| Ability to view whitehat wallet address | ✅ | ✅ | ✅ | ✅ |
| Ability to view tags | ✅ | ✅ | ✅ | ✅ |
| Ability to change report status | ✅ | ✅ | ✅ | ❌ |
| Ability to edit report severity | ✅ | ✅ | ✅ | ❌ |
| Ability to subscribe users to reports | ✅ | ✅ | ✅ | ❌ |
| Ability to post comments | ✅ | ✅ | ✅ | ✅ |
| Ability to upload attachments | ✅ | ✅ | ✅ | ✅ |
| Ability to leave feedback | ✅ | ✅ | ❌ | ❌ |
| Ability to request help | ✅ | ✅ | ✅ | ✅ |
| Ability to reopen a report | ✅ | ✅ | ✅ | ❌ |
| Ability to add users to the program | ✅ | ❌ | ❌ | ❌ |
| Ability to change user roles | ✅ | ❌ | ❌ | ❌ |
| Ability to change program settings (alerts, 2FA, etc.) | ✅ | ❌ | ❌ | ❌ |
| Ability to view vault information on the right side of the report page | ✅ | ✅ | ❌ | ✅ |
| Ability to view new timeline updates related to the reward phase | ✅ | ✅ | ❌ | ✅ |
| Can view and take actions on Actions > Payout | ✅ | ❌ | ❌ | ✅ |