A bug report is considered resolved when it is either:
- Rejected as invalid (marked with the 'Closed' status)
- Paid out by the project (marked with the 'Paid' status)
*Note that resolution for a `Paid` report does not necessarily have to include a fix to the vulnerability but only an acknowledgement and payment to the whitehat, affirming that it is a valid submission.
When resolving reports, do not:
- Downgrade the severity of a vulnerability without a clear reasoning
- Decide not to pay a vulnerability found in an asset in scope saying that the contract is unused
If a report is closed as out of scope and/or the project does not intend to fix the vulnerability, the whitehat may request further mediation assistance from Immunefi.
Whitehats may also publicize vulnerabilities as long as they follow the rules outlined in our Responsible Publication policy.
Please refer to our SLAs and Notifications article which details the required resolution times based on severity level of the report.