Immunefi’s Safe Harbor provides the world’s most comprehensive legal protections and financial incentives for whitehats who engage in fund recovery actions during active exploits by blackhat hackers. When you see that a project has Safe Harbor enabled on Immunefi, you can be sure that your interventions to save funds during an active blackhat exploit will be appreciated, rewarded, and protected, so long as you follow the terms and conditions of Safe Harbor.
How do I know if a program has Safe Harbor enabled?
Programs with Safe Harbor activated will have a ‘Safe Harbor’ tab in the header of their bug bounty program page on Immunefi. Here is how it looks for Immunefi's own bug bounty program.
Clicking the ‘Safe Harbor’ tab takes you to more information about the Safe Harbor terms for that program: the program’s requirements, its terms and conditions, and instructions for submitting a Safe Harbor report.
What do I need to know to submit a Safe Harbor report?
Before submitting a Safe Harbor report, it's important to familiarize yourself with the terms.
First, pay special attention to the timeframe listed in the terms. Failure to return the funds within that timeframe, measured from the timestamp of your initial intervention transaction, is a material breach of the terms and conditions. If you breach the terms and conditions, you are not eligible for a reward or for protection under the Safe Harbor agreement.
Second, pay attention to the assets that are in scope for the program's Safe Harbor. Only in-scope assets are eligible under Safe Harbor. If you intervene in assets that are not in scope, you are not eligible for a reward or for protection.
Third, read the full terms and conditions at the bottom of the page.
How do I submit a Safe Harbor report?
You submit a Safe Harbor report to a project with Safe Harbor enabled only after you have already intervened to save funds during an active blackhat attack against that project.
Once you've intervened to save funds, click the ‘Return Funds’ button at the bottom of the Safe Harbor page.
You'll then be taken to the Safe Harbor report submission page, where you accept the terms and conditions for submission and then immediately return the funds to the listed wallet address on the correct network. Here's how it looks for Immunefi's Safe Harbor page.
You will not be able to proceed to submitting a Safe Harbor report until you confirm you have sent all funds obtained via intervention to the listed wallet address.
After you've confirmed that you've sent the entire amount of recovered funds, you can continue to the rest of the report submission page.
Safe Harbor reports follow the same lifecycle as regular bug bounty reports, and they are automatically given the ‘critical’ severity level.
Safe Harbor FAQs
Can I wait to return the funds until after my Safe Harbor report has been processed?
No. You must return the funds prior to submitting a Safe Harbor report, and this must be done within 6 hours of your intervention to save funds during an active blackhat attack.
What if I use the Safe Harbor submission form for something that isn’t Safe Harbor-related?
Doing so violates Immunefi rules, and you may receive a warning or outright account ban.
What happens if I fail to return the recovered funds within the timeframe provided?
You will not be eligible for protection or a reward under the terms of the Safe Harbor agreement. It is imperative that you read and follow the terms.
Is using MEV as a method to recover funds during an active blackhat attack okay?
Yes.
How do Safe Harbor rewards work?
The default reward is 10% of the funds saved, capped at 60% of the program’s maximum critical reward.
For example, if a project’s maximum critical reward is $500,000 and a whitehat saves $900,000, the reward is $90,000 (10% of the funds saved). If the whitehat saves $3,500,000, 10% would be $350,000, so the reward is capped at $300,000, which is 60% of $500,000.
Why is the reward amount capped at 60% of the project’s maximum critical reward?
The reward amount is capped based on the project’s maximum critical reward to avoid creating incentives for very risky, on-chain funds recovery efforts.
The primary goal of Safe Harbor is to protect Good Samaritan whitehats who intervene to protect the community at large, not to displace bug bounty programs or to encourage on-chain exploits. We believe that by capping the reward amount, we minimize possible harm to projects while maximizing protections for Good Samaritan whitehats.
Can I publish my Safe Harbor report?
Safe Harbor reports are an extension of the project’s bug bounty program and are subject to the same responsible publication policy.