The final stage of a Paid report is to issue the Immunefi 10% fee.
The 10% fee is calculated based on the amount sent to the security researcher in the currency/coin used to pay them; the actual amount sent and not the outstanding rate at the time the transaction to Immunefi is sent. This is inclusive of any additional goodwill payout amount on top of what is already outlined in your reward table for a bug that has been fixed.
For bug reports that are rejected and no fix is made, and for situations where clients just want to thank the whitehat for their time and effort despite the bug report being rejected, no additional Immunefi fee payment is required and we will not request one.
Once you submit payment to the whitehat and mark the submission as status 'Paid', you will be sent instructions to pay the Immunefi fee.
Some notes on issuing this final payment:
- The 10% fee is in addition to what is paid the whitehat and is sent directly to Immunefi
- This should be sent in the currency / coin used to pay the whitehat
- You can pay with your project tokens so long as they have launched and are being traded with sufficient liquidity. For newer projects, we highly recommend paying out in stablecoins first until your project has gained some traction in the space.
- Vested payments to Immunefi are not permitted. The only exception is for bonus payments. Vesting is permitted on any bonus that is paid out as it is above the required amount to be delivered.
- You can send the payment to one of the following addresses under our own ENS:
- Solana: BNFqcQj55hmYhm5K4RMuWtxC5eDP6ZZ7ufg5HBwoFviK
- If you would like an invoice for your payout, please let us know via the submission thread, together with the following information. (However, an invoice is not required to be issued).
- Legal entity/person name
- Registered address
- Registration number
- Once submitted, please reply in the submission thread with the transaction id so Immunefi can fully resolve the bug report.