Safe Harbor provides projects with a secure solution for whitehat recovery of funds on your protocol only during active blackhat exploits. Immunefi’s implementation of the Security Alliance’s robust Safe Harbor framework, coupled with our extensive security community, provides a solution that integrates with your existing bug bounty infrastructure. This ensures that our top-tier security researcher community has a credible and safe channel for returning funds when other security measures fail.
How to get Safe Harbor
If you’re interested in getting Safe Harbor for your project, please fill out the Safe Harbor form here, and an Immunefi representative will contact you with more details. The signup and onboarding process is simple and includes setting up a Vault on Immunefi for whitehats to send any recovery funds. To read more about Immunefi Vaults, see here.
How to activate/deactivate Safe Harbor
Safe Harbor can only be activated by a program manager after the terms and conditions have been signed.
To activate Safe Harbor, go to the ‘Safe Harbor’ tab in the Dashboard and click the ‘Activation Procedure’ button. Then, click the ‘Activate’ button in the popup window.
Once Safe Harbor is enabled, you will be taken to the Safe Harbor-activated page. From here, you can deactivate Safe Harbor by clicking the ‘Turn off’ button.
You can also view your public Safe Harbor page by clicking the ‘View public page’ button. This will show you what security researchers see when they view your Safe Harbor program.
How to select Safe Harbor assets
You can choose which assets you want to be covered by Safe Harbor. Tell your account manager which assets you want included.
How to see which assets are eligible for Safe Harbor
There are two ways.
First, you can check in the Dashboard.
Second, you can check on your public bug bounty program page on the Safe Harbor tab. For example, this is the entry for Immunefi's bug bounty program page.
If you want to change the list of eligible assets, please contact your Account Manager.
How to see the history of Safe Harbor changes
In the Dashboard, you can see the history of Safe Harbor changes, including the creation date and the dates on which the list of covered assets changed.
Where are recovery funds sent to?
At the bottom of the Safe Harbor-activated page, you will see the Vault address that security researchers will use to return your funds. This address is the address of the Vault you will have already set up via Immunefi. You can also see the owner wallet address that you can use to retrieve funds from the Vault.
How to retrieve funds recovered through Safe Harbor
Withdrawing funds from your Safe Harbor vault is the same as withdrawing from any other vault. You can read more about withdrawing from vaults in our Vaults System help center article.
How do I pay whitehats for recovery of funds?
Paying whitehats for recovery of funds follows the same flow as paying whitehats for regular bug reports. The difference is that the reward amount is determined by the percentage listed on your Safe Harbor page.
The default reward is 10% of the funds saved, capped at 60% of your maximum critical reward.
For example, if the max critical reward on your bug bounty page is $500,000 and the whitehat saves $900,000, the reward is $90,000. If the whitehat saves $3,500,000, 10% would be $350,000, so the reward is capped at $300,000 (60% of $500,000). With the default percentages, the cap applies whenever the funds saved exceed six times the max critical reward ($3,000,000 in this example).
Safe Harbor FAQ
How are Safe Harbor reports processed?
Safe Harbor reports have the same lifecycle as regular bug bounty reports and are processed the same way through the report page.
How is the severity level for a Safe Harbor report determined?
All Safe Harbor reports are automatically given the ‘critical’ severity level.