This document is intended to provide clarity on how Immunefi mediates cases involving bug reports submitted regarding code changes that are public but have not yet been deployed on mainnet.
Bugs in undeployed code are only valid if the project publicly stated that code will be deployed without further changes, and the asset is in scope on the project’s bug bounty program.
Attribution
Where the project has publicly stated that the code will be deployed without further changes, and no further modifications to the code are to be made, the code is effectively attributed as deployed, but with no variable impact.
This means that the impact is considered real, but any scaling aspects of a reward, such as the amount of funds at risk or the duration of freezing, are scaled down to the minimum. The reasoning is that, even if the code is treated as deployed, there are no funds deposited in or connected with the respective smart contract, and thus the minimum rewards apply.
Requirements
If the project has listed only its deployed code in its Assets in Scope, the security researcher must also submit proof that the project has declared the code will no longer be changed until deployment on mainnet.
The respective code must also relate directly to one of the assets listed in the Assets in Scope table, which may include Primacy of Impact if applicable.
Uncertainty if code will be deployed without further changes
Unless you can find an official statement in the respective governance portal, or a declaration by the project on its official channels, that the code will be deployed without further changes, it should be assumed that the code may still change before deployment. A bug report against such code would therefore not be considered in scope.