Immunefi operates on a “no fix, no pay” policy, meaning that if a project decides not to fix a reported vulnerability, they are not obligated to pay the whitehat who reported it.
However, a “fix” in this sense is not limited to code changes. It covers every kind of remediation, including measures that involve no code at all. For example, if a project implements an operational fix that mitigates a reported vulnerability, it is still required to pay the whitehat. Any fix implemented in response to a report represents value provided by the whitehat, and it should be rewarded according to the parameters of the project’s bug bounty program.
A fix includes any action taken by the project that would serve to mitigate or reduce the harm done by a vulnerability.
Fixes include but are not limited to:
- Updating code
- Changing deployment methodology
- Switching to private RPC providers
- Revoking access to roles
- Updating protocol parameters
- Any operational action that mitigates or reduces the harm done by a vulnerability
If a project closes a report citing “no fix, no pay,” and later implements a fix, the whitehat should request mediation. The Immunefi team will then investigate whether a fix was implemented, and if so, the project will be obligated to provide a reward.