This article summarizes how audit competitions run on Immunefi from the project POV. It covers the timeline, project responsibilities, and major rules. SR (security researcher) oriented details are omitted.
You can request your audit competition here.
Timeline
Audit competitions occur over 4 stages: Scoping, Marketing, Competition Live, and Evaluation. By the end, projects have received all bug reports (fully judged), SRs have been paid, and Immunefi has published the audit report and leaderboard.
The Scoping stage can be as short as 3 days. It includes defining the rewards, duration, and preparing the codebase for SRs.
The Marketing stage can be as short as 0 days. It includes marketing the competition to SRs.
The Competition Live stage can be as short as 7 days. It includes SRs submitting reports, Immunefi triaging them, the project resolving them, and both the project & Immunefi supporting SRs over Discord.
The Evaluation stage varies by report quantity & complexity; we aim for 10-28 days. It includes evaluating all bug reports and calculating how rewards will be distributed among SRs.
Project Responsibilities
Scoping Stage
- Confirm the scope, reward terms, and competition start & end date with Immunefi
- Prepare the codebase and testing suite
- Fund your Immunefi vault
Marketing Stage
- [Optional] Co-market the competition
- [Optional] Give SRs educational support over Discord and hype them up
*Immunefi will create a Discord channel for supporting SRs in the competition
Competition Live Stage
- Resolve bug reports and respond to SR support queries within 48 hours on weekdays
*SRs care strongly about responsiveness and can see a project's responsiveness by reading Discord and our weekly mid-competition stats
- No code updates may be made anywhere public
*Where exceptions are necessary, further requirements will be established in the scoping stage
Evaluation Stage
- Resolve any outstanding bug reports
- Send payments to SRs according to Immunefi’s reward distribution calculation
Done! Now the project has received all bug reports, SRs have been paid, and Immunefi has published the audit report and leaderboard.
Major Rules
This section summarizes the major rules that projects need to know to save significant time & frustration. Minor rules can be found elsewhere, such as on the competition’s program page or in its reward terms article.
- In the event of a dispute, Immunefi has final say on judging, always according to the specific terms of the competition and our severity classification system
- When the competition has ended, the project has 7 days to finish evaluating reports, at which point Immunefi will make a decision on any unresolved reports
- Project payments to SRs are done in a stablecoin/ETH on either Ethereum or Optimism
- Unless Immunefi has made an exception, the code must be frozen during the competition and no code updates may be made public until the competition is over
- Ensure your development team is aware. Code updates may significantly worsen results because they cause SRs to waste time bug hunting on outdated code. They also publicly leak information about vulnerabilities, which compromises the fairness of the competition and dissuades SRs from participating