For any bug report which you confirm as valid and update to a Confirmed state, you are required to issue a bounty reward to the whitehat according to the severity level.
Note: Before issuing a payout, you should align with the whitehat on the severity level and total reward amount. No payment should be sent until an agreement is reached. Please refer to your bug bounty program reward table as a reference point and ensure your offer aligns with the scope of your program at the time of submission.
Sending Bounty Reward Payouts
Payments are sent directly from projects to whitehats. The wallet address of the whitehat, shared at the time of submission of the bug report, will be displayed on the right side panel of the bug report itself.
Always confirm with the whitehat their wallet address before sending any payment. When advancing a report to Paid status using Quick Actions, a template will auto-populate for you and prompt you to reconfirm the whitehat's wallet address.
You can read more about advancing a report to payment/resolution in our Quick Actions article.
Paying with Project Tokens
You can pay bug bounty rewards with your project tokens so long as they have launched and they meet our liquidity requirement.
To determine whether or not your project token meets our liquidity requirement, you must check the 30 day average of 24hr trading volumes on CoinGecko.
- If your bug bounty program’s maximum bounty is less than 5 times the 30 day average of 24hr trading volumes, then the token has sufficient liquidity and you may use it to pay both the bug bounty reward and the Immunefi fee.
- If the bug bounty program’s maximum bounty is greater than 5 times the 30 day average of 24hr trading volumes, then you will need to pay in stablecoin or a more liquid asset.
Paying Without an EVM Wallet
If the payout wallet of the whitehat is not on an EVM chain, please see the next video and section below.
If you need to make a payout that’s not on an EVM chain, the best way to handle this is similar to a regular managed payment, but with provided instructions on how to get paid on your network or one that you’ve chosen.
We have provided template text below with added space for instructional sections about the wallet creation process. Overall, communicate as best you can with the whitehat to make this process run smoothly.
"Thank you for sending in your bug report.
Based on our reward table, a [Submission_Type] submission with [Submission_Severity] severity comes with a reward of [Submission_Reward] to be paid in [Currency].
We sent the reward to the wallet you have provided, here is the tx id [Transaction_Address]
[Add additional information & instructions on your non-EVM chain]"