As a Project, you have the ability to discuss with the whitehat and make changes relating to the severity level of a report.
Instances when it may be acceptable to lower severity (with whitehat agreement):
- uncommon or incorrect action must be taken by the victim
- uncommon or incorrect action must be taken by an user with escalated privileges
- attacker needs escalated/admin privileges
- attacker needs key compromise
- no funds at risk
- attack requires repeated interaction over a long period of time (project may notice)
- attack requires adjacent network access or MITM network access
- attack requires physical access to the victim's computer
- attack requires brute-force complexity of over 40 bits
Keep in mind, this option should only be used when you can provide compelling rationale to backup your need to downgrade, and always give them opportunity to review your thought process and offer further comments before proceeding to resolving the report.
Through our Quick Actions panel, once you have Confirmed the status of a bug, you can select from the options below 'Report is valid and in-scope, but we want to lower the severity level and we are ready to pay'.
This will auto-populate template text for you begin discussions with the whitehat on lowering a severity level. Please note that when discussing a change in severity, you must provide a clear and detailed reasoning as to why. The whitehat will then have the ability to review and respond with any clarifying questions or further proof to back up their rationale on level of severity.
At any time, you can request further help from Immunefi by following the instructions here: How & When to Request Help
Please also see Issuing Payouts for related information.