Do all of the bugs that are submitted show up in my view of the dashboard?
The dashboard will show any bugs that get escalated to your team after our light filtering process. We will also notify you via automated email notification of those bugs once they are escalated to you. Please see Triaging Overview for more information.
Do all the bugs that have been submitted to Immunefi show up in my dashboard?
There may have been some bug reports submitted already to Immunefi that were caught by our light filtering and therefore were not escalated to you, because they were considered spam. See Triaging Overview for more information.
I am a new client. When should I begin receiving bug reports?
There may have been some bug reports sent already that were caught by our light filtering and therefore were not escalated to you, because they were considered spam. You will only see relevant, escalated bugs in the bug disclosure dashboard. See Triaging Overview for more information.
How do I troubleshoot if I get an error message saying "This resource is secured against CSRF" when trying to send a message in a bug report submission?
This is an intended security mechanism and can be cleared by reloading/refreshing the page. If this does not work, try to log out of your Immunefi account and log back in.
After I launch, when should I expect to receive bug reports?
It’s normal for bug bounty programs to not receive bug reports immediately, though the first few weeks do tend to be the period with decent bug report activity, so please continue to be ready and ensure your technical team is on standby. However, as bug bounty programs are also designed to protect against long tail cybersecurity risk, it’s normal for bug reports to come in months after launch, as has been the case with some of our clients.
Where can we ask questions about a bug report or discuss details?
All discussions regarding a specific bug report must take place in the respective bug report comment thread on the Immunefi dashboard. This is so we can mediate any miscommunication issues and help enforce the terms of the bug bounty program as well as the site-wide rules (e.g. embargoes, rules against harassment, etc.). Please note that according to the Immunefi Rules, the following is prohibited behavior for whitehats and projects alike:
- Attempting to route around Immunefi and communicating with a project directly
I would like to make a custom table for the categories in my bug bounty program.
Please reach out via our combined team communications channel.
Will you be able to write a Medium post / blog post about our bug bounty program?
Normally we do not write Medium posts for a client bug bounty program launch.
- There are 2 exceptions:
- We do offer Medium posts whenever there is a launch due to a DAO vote.
- We offer Medium posts when a new project / client is setting up their bug bounty program because they have had a prior hack and are trying to recover their brand reputation. Posting to Medium assists them in rebuilding their credibility and reputation.
If you experience a critical vulnerability hack, there may be an opportunity for Immunefi to work with you to write a Post Mortem.
We would like to delete a contract. If a bug has been previously discovered what happens?
If you are deleting the contract that has an outstanding bug report on it, that existing bug report is still valid and the whitehat should be paid out a reward based on your reward table.
If we add a new team member to the Bugs Disclosure Dashboard, will they be able to see all the prior bugs reported?
By default, they will only see new bug reports. If you want the newly added team member to see prior bugs reported, an existing team member will need to manually subscribe the new team member into the report by selecting '+ Add a participant' from the right-side menu panel.
What type of content should we put in the Co-marketing messaging?
Please consult the Co-Marketing guide provided to you at Launch.
Where do clients normally place their “bug bounty website program link” on their webpage?
Please consult the Co-Marketing guide provided to you at Launch.
Can we be part of Immunefi’s bug bounty matching programs, such as the Armor or Binance Matching programs?
Please reach out via our combined team communications channel.
We have received a bug that the hacker says is critical, but we believe the severity level is lower than that. What should we do?
Please see our Help Center article on Lowering Severity.
We are an existing client with a bug bounty program and we are now adding new assets. Should we add them to our existing bug bounty program, or should we create a new bug bounty program with Immunefi?
We can create separate bounty program pages, and we’ve done so for some projects, but this is normally done when it’s a product with separate branding and, in most cases, a separate team. Therefore, the normal process is to add assets to the existing bug bounty program. If there are any questions on this, please reach out via our combined team communications channel.
We would like to change our name /branding of our Project. How should we proceed?
Please reach out via our combined team communications channel.
We are going to put a link in our Github or write a Medium post. Is there anything that needs to be included?
Ensure that you link to your Immunefi bug bounty program. This ensures that your readers are directed to our site to access the details and scope of your bug bounty program.
We included a contract that we did not intend to include in our bug bounty program. Can you remove it?
This can be removed through a request via our combined team communications channel, however please note that should you have pending escalated bug report submissions, any assets listed on your bug bounty program at the time of submission must be considered as in-scope and the whitehat would therefore be eligible for a bounty reward.
I have a question on a bug report submitted in the Immunefi Bugs Disclosure Dashboard. Can we chat about this in our Telegram / Discord / Slack group?
For security reasons, please ensure all discussions relating to bug reports, technical or otherwise, remain within the Bugs Disclosure Dashboard.
We have a bug resolved through Immunefi, and we would like to collaborate on a post-mortem. How should we proceed?
Please reach out to Immunefi via our combined team communications channel.
For which types of vulnerabilities is a whitehat not allowed to go public within the 90-day embargo/waiting period?
- non-fixed
- non-fixed even if well known
- non-fixed and duplicate
We are starting a new project and are interested in launching an additional, completely new bug bounty program.
Please reach out via our combined team communications channel to discuss.
One of our team members has left the project. How can we remove them from having access to the Dashboard and our team communications channel with Immunefi?
Please reach out via our combined team communications channel.
Is there a limit to the number of our team members that can be signed up for the Dashboard?
Currently, there is no limit.
Will I receive a notification if a valid bug report has been submitted?
Yes, you will be notified by automated email notification when a bug report is escalated to you. You can also see it in the Immunefi Bugs Disclosure Dashboard. See also our Help Center article on SLAs & Notifications.
When I reply in the dashboard, can I communicate with Immunefi only, or will the hackers also see the communications?
You can specify the audience of each of your messages. Please see our Help Center article on our Messaging System.
Is there any upfront fee to be a part of Immunefi? How much do we have to pay to launch on your platform?
There is no onboarding fee, and there are no ongoing maintenance fees. You pay us only when you validate an escalated vulnerability and pay out the whitehat their bounty reward. The fee payment is an additional 10% on top of the reward paid out to the whitehat. Please see our related Help Center article on Immunefi Fee Payout and Issuing Payouts.
We are having a vote on increasing the reward values of our bug bounty program. How do we update our reward table?
Please reach out via our combined team communications channel.
How soon after a whitehat submits a bug will we receive the bug?
We provide light filtering and we escalate or respond to bug reports largely within 24 hours after submission. Bug reports with a higher indicated severity have a considerably faster response / escalation time. Critical vulnerabilities trigger PagerDuty on our end 24/7. Please see our Triaging Overview article for more information.
Does Immunefi support fiat-based bounties?
No, we do not.
We would like “more eyes” / more attention on our bug bounty program from whitehats. Is this possible?
You can attract more whitehats to your code by significantly increasing your bug bounty reward amounts. If you do increase your rewards, we will be more than happy to tweet an announcement. Please reach out via our combined team communications channel to request this.
We have recently updated our max bounty reward payout, but our Twitter thumbnail still shows the old value. Can you update this for us?
You can use https://cards-dev.twitter.com/validator to refresh the Twitter card / thumbnail image.
Are Immunefi’s fees included in the bug bounty program payment to the whitehat?
No, the Immunefi fee of 10% is in addition to what you pay the whitehat and should be sent in the currency/ies used to pay them out. See our Immunefi Fee Payout article for more information.
Do I have to pay the 10% Immunefi fee for low impact good will payouts granted to whitehats?
No. Goodwill or good faith payouts are delivered to thank a whitehat for their time and effort on reports that are either out of scope or have only an informational impact, so we will not ask projects for our fee on them.
We have new contracts. Is it required by Immunefi that we include them in our bug bounty program?
No, you are not required to include any specific contracts in your bug bounty program - it is your choice what to include and not to include as part of your scope.
We would like to change our form of payment to the whitehat.
Payouts to whitehats can be made in stablecoins, your own coins, bitcoin, etc. and we are happy to update your bounty program page to reflect this. Please reach out to us via our combined team communications channel.
How can hackers from your community that might have tech-related questions about our stack reach out and ask questions about the bounty?
The hackers in our community are masters of their craft and generally work to find bugs in code without significant context. Of course, the more comprehensive your documentation, the faster they’ll get to the bottom of your code (and the less likely they’ll give up before finding something).
They don’t typically ask questions of the developers, for two reasons: if other hackers can see the questions they’re asking, it may lead someone else to find the bug first; and the questions they ask may lead developers to discover the bug independently.
How can we drive more volume of bug reports?
Here are some suggestions on how to drive more whitehat traffic to your bug bounty page to elicit more bug reports:
- Increase bounty rewards
- Post about it on your socials monthly
- Design cool graphics to promote it
- Feature it in a prominent banner on your website
Updates to your Bug Bounty Program are also a great time to publicize on socials, such as when:
- new contracts (Assets) are added
- contracts are replaced with different contracts
- you fully update to a new version of your program (i.e. V1 to V2)
- you increase reward tier amounts
- you add a new section to your program, such as adding Web/App when previously you only had Smart Contracts
These milestones for your program are natural ways to promote it and get eyes on your code, especially when whitehats want a compelling new reason to look at or revisit a bug bounty program.
We are also open to exploring the option of Discord hangouts - feel free to reach out via our direct communications channel to further discuss.
Is Immunefi able (or obligated) to help with live exploits occurring for a project?
We are very sorry, but we are not able to help here. Incident response is not something we are normally able to help with, and neither is our community. We provided this help before but realized that we are not currently fully capable of offering it, so we stopped until we are able to actually provide the service, though we are planning some experiments in the near future to get this service back up. Our whitehats are community members, not people contracted by Immunefi, so even in the cases where we did incident response, we had no whitehats from our community helping us. We're sorry as well that a bug bounty program was not able to prevent this hack.
How is "economic attack" defined as per Immunefi's severity ranking?
An economic attack isn't an impact; it's just a step in a kill chain. The severity depends on the outcome of a successful attack. If it results in draining the principal of the contract, it would be critical. If it results in the attacker receiving an unfair allocation of yield, it would be high. If it results in the contract not producing any yield, but no value goes to the attacker, it would be medium. These are just examples, intended to illustrate how the mechanism of the attack is separated from the impact of the attack.
Are rewards required to be delivered as outlined in the project Bug Bounty program?
All bug reports should be assessed and rewarded based on the scope of the BBP at the time of the report's submission.
Can bounty rewards and the Immunefi fee be paid through vesting?
We allow clients to set vesting terms for their payout to the whitehat, as long as the vesting terms are displayed in their bug bounty program. However, Immunefi’s fee cannot be paid with vesting.
I didn't receive the verification email when trying to create my account. How do I have it re-sent?
The verification reminder banner and the re-send verification email link are shown in the video below.