The final stage of a Paid report is to issue the Immunefi 10% fee.
The 10% fee is calculated based on the amount sent to the Whitehat in the currency/coin used to pay them; the actual amount sent and not the outstanding rate at the time the transaction to Immunefi is sent.
For bug reports that are rejected and no fix is made, and for situations where clients just want to thank the whitehat for their time and effort despite the bug report being rejected, no additional Immunefi fee payment is required and we will not request one.
However, if a report is out of scope but you decide to make a fix, then you should pay the whitehat and provide the Immunefi fee.
Once you submit payment to the whitehat and mark the submission as status 'Paid', you will be sent instructions to pay the Immunefi fee.
Some notes on issuing this final payment:
- The 10% fee is in addition to what is paid the whitehat and is sent directly to Immunefi.
- This should be sent in the currency / coin used to pay the whitehat.
- You can pay with your project tokens so long as they have launched and they meet our liquidity requirement (see below).
- Vested payments to Immunefi are not permitted. If you plan to pay a whitehat with vested payments, you must pay the Immunefi fee in full before paying any installments to the whitehat.
- You can send the payment to one of the following addresses under our own ENS:
- Solana: BNFqcQj55hmYhm5K4RMuWtxC5eDP6ZZ7ufg5HBwoFviK
- Polkadot: 146HFoxMZP3GCeQ9B6oGFc4RyLgjjFJgkpPLrJvjchY6atFA
- Kusama: Ddv3eDC9WnWV5iiH1f4KWyBQAdjiJaWSjWZR51yRV1JwZA6
- NEAR: e3ca1e2d000a6511bee0387c29ecaf3d76777e47c94a08bc20c147078e1383dc
- btc: https://www.blockchain.com/btc/address/bc1qur7agz8npy5rn5pnxwpzay2mhcqr 9y54yhka5q
- Thorchain: https://viewblock.io/thorchain/address/thor1djv6y2fphgf27je685ygxrkyqyu2su2 6rdqxx0
- Optimism: https://optimistic.etherscan.io/address/0xada7F6748031a60F194Afbc0cd2101833ac07909
- If you would like an invoice for your payout, please let us know via the submission thread, together with the following information. (However, an invoice is not required to be issued).
- Legal entity/person name
- Registered address
- Registration number
- Once submitted, please reply in the submission thread with the transaction id so Immunefi can fully resolve the bug report.
Liquidity Requirement for Project Tokens
To determine whether or not your project token meets our liquidity requirement, you must check the 30 day average of 24hr trading volumes on CoinGecko.
- If your bug bounty program’s maximum bounty is less than 5 times the 30 day average of 24hr trading volumes, then the token has sufficient liquidity and you may use it to pay both the bug bounty reward and the Immunefi fee.
- If your bug bounty program’s maximum bounty is greater than 5 times the 30 day average of 24hr trading volumes, then the you will need to pay in stablecoin or a more liquid asset.