Summary
Here's the situation: You've reported a bug on Immunefi and you would like to request help, possibly because the project is unresponsive, or because you disagree with the reward, the decision, the report resolution, or something else.
As of Dec 2023, mediation requests are subject to a cooldown period of at least 24 hours.
Who does it apply to?
Mediation request limitations apply to whitehats without any paid reports. They do not apply to whitehats with more than one paid report.
How does it work?
After you've requested mediation once, you won't be able to request mediation of the same type again on any report, including the one you've already requested it on, until the cooldown period has expired.
What is the cooldown time?
Cooldowns start at 24 hours and get longer if unsuccessful requests are made repeatedly.
Your cooldown grows beyond 24 hours if you make a new mediation request after your previous mediation request went unanswered or was unsuccessful. This makes it important to request mediation only when you have strong reasoning and evidence backing your claims.
Table of cooldown timers by number of unsuccessful previous requests:
| Previous unsuccessful requests* | Cooldown length |
| None | 24h |
| 1 | 7d |
| 2 | 15d |
| 3 | 30d |
| 4 | 60d |
*If your previous mediation request was successful (e.g. the project agreed to pay, or confirmed a bug it had closed), it is not counted in this total.
Is there a limit to the amount of mediations you can request at a time?
Yes. Each type of mediation request has its own separate cooldown timer, so the maximum number of requests you can have open at any one time is 4, one per type.
When will the cooldown reset?
It resets after the timer has counted down to 0, or once your report has been confirmed or paid by the project.
How can you resolve a bug report situation without using mediation?
Project is unresponsive: Follow this guide: https://immunefisupport.zendesk.com/hc/en-us/articles/18327829115921-What-to-do-when-a-project-is-not-responding-to-your-bug-report
I disagree with the resolution: If the report is still active and you can still add comments to it, you can still try to win the project over. Ask more experienced whitehats in our Discord community what they have done in past disputes and how they resolved them.
I disagree with the payment decision: This depends heavily on the language used in the project's bug bounty program. Projects sometimes go below the minimums shown, or offer a payment that differs from what is advertised on the BBP. In those cases, provide objective evidence (screenshots and links, using the Wayback Machine if necessary) to back your claim and get a fair payment.
If the disagreement is subjective (e.g. you think the bug is worth $1500, but the project only wants to pay $600), mediation might be necessary, but you should still use reasoning and evidence to the best of your ability first.
Don't rely on emotional language, and certainly do not make threats: you will lose your payout altogether and get banned.
You can also talk to other whitehats for advice, and adjust your tone to be more persuasive and logical.
e.g. emotional approach: "This is ridiculous. Obviously it is worth $1500, you are just trying to scam me out of a fair payment! I will tell everyone about this. Scammers!"
e.g. persuasive and logical approach: "Thanks for the offer, project team. However, based on my experience and research, the common range for bugs of this type falls between $1000-$1800. [provide evidence for your claim as much as necessary, for example, links to past bugfixes, public disclosures that mention the bounty paid, or the funds at risk proven by your PoC]. I would be willing to accept an offer of $1500, which is within this range."
If the project is still being unreasonable after this, do request mediation.
Other: As this can cover a variety of situations, the best advice is the same as above: talk to other, more experienced whitehats, use logical persuasion instead of emotion, and provide as much evidence as possible to back your claims.