I'm working with another hacker on a bug. When we submit our bug, how do we handle splitting bounties?
Currently, splitting is a manual process. The bounty payment is sent to one address, and the whitehats can decide how to split it from there.
Can I change the bug’s severity level after I report it?
If the report status is in
Needs more information, the whitehat can ask Immunefi to change the severity level. After escalation, it needs to be discussed with and agreed upon by the project.
Why did I get a warning?
You probably violated one of our rules, but the violation wasn’t serious enough to merit a full ban. Three warnings will result in a permanent ban from the platform. Remember, each bug bounty program also has its own set of rules, which are available one each bug bounty page.
Why did I get banned?
As an elite bug bounty platform, we offer our hackers a lot of one-on-one support and treat them well. If you’ve been banned, it’s because you’ve violated some of our most important rules, probably repeatedly. Read our rules here to make sure you don’t violate them, and most importantly, don’t test exploits on mainnet or public testnet. Each bounty program page also has its own set of rules unique to that program.
Can I go public with my find if the project doesn’t consider it to be a bug?
Can I go public with my find if the project considers the bug a duplicate?
What happens if projects decide not to pay?
Bug bounties are very new in the Web3 space, so projects are still learning how to run successful and ethical bug bounty programs. Rarely, a project will decide not to pay. We will do everything we can to encourage projects to act ethically and responsibly, but if a project is generally non-responsive, we will remove them from our platform.
How fast does Immunefi respond to bug reports?
The fastest in the industry.
Can I re-open my report after it's been closed?
Only Immunefi can re-open your report. If you believe your report has been closed in error, please request help via the dashboard.
The project is being slow responding to my bug report. How do I get support?
When projects join Immunefi, they sign a Service Level Agreement which governs receipt, decision, and payout times. Please ping Immunefi in the bugs platform dashboard on your bug report if a project is taking longer than is allowed by the below table.
|Action||Severity Level||Response Time|
|Receipt of report||Critical||48 hours|
|All severity levels except critical||3-4 days, depending on holidays/weekends|
|Decision on report||High + Critical||Up to 14 days|
|Low + Medium||Up to 7 days|
|Payout for valid reports||High + Critical||Within 14 days|
|Low + Medium||Within 7 days|
How do I learn more about smart contract/blockchain hacking?
This is a big topic, but here are some simple steps to get started:
- Follow our Twitter account for educational resources, as well as the hashtag #immunefischool
- Join our Discord and learn from the top Web3 hackers
- Read through bugfix postmortems on our Medium to see a technical analysis of bugs that were reported and fixed via Immunefi
- Check out our blog post Hacking the Blockchain: An Ultimate Guide
- Check out resources for learning smart contract hacking our site
Why doesn’t Immunefi have more web assets in scope?
Immunefi is first and foremost a bug bounty platform for Web3, which includes blockchains themselves, NFT projects, and smart contracts in DeFi. The projects whose bounty programs we host often want their websites secured as well, but their main focus–and ours–is to protect their Web3 assets. That’s what sets us apart, and that’s what allows us to host the world’s largest bug bounties.
How do payouts work, and are they done only in crypto?
Projects only make payouts in crypto. Each project’s bug bounty program page on Immunefi specifies exactly what the payout terms are. Sometimes, the payouts are done in stablecoins like USDC (1 USDC is equivalent to one U.S. dollar). Other times, payouts are made in that project’s native token. Occasionally, it’s a mix of both, or BTC/ETH.
What if I find a vulnerability across multiple assets of the same project? Of different projects?
Although a vulnerability can exist across multiple assets, keep in mind only the first instance of each cited is eligible for a bounty reward. You can follow the guideline of: one bug, one patch, one payout.
If the same vulnerability is found in different project's assets, please file a new report for each.
Can I contact the project directly about a bug that I find?
No. In fact, doing so is against the rules and could result in a warning or a ban. Contacting a project directly is a rules violation because projects host their bug bounties on Immunefi specifically so that all communication is handled through our secure platform.
Additionally, contacting a project before submitting to Immunefi is also considered a violation and will result in no payout.
I think I’ve found a vulnerability, but I’m not sure. Can I share it with someone?
Do not share it on a public channel. You can share it privately to another whitehat you trust, but you will held responsible if the vulnerability is leaked and exploited.
If you consult with another whitehat, it’s your responsibility to figure out how to split any bounty. Immunefi and the project will not mediate in any dispute.
Is KYC required?
KYC isn’t required by default, and the vast majority of projects don’t require KYC. However, a few projects do.
When a program lists a website in scope, are other directories in scope? And subdomains?
All the directories will be included (site.com/something) but not the subdomains (something.site.com) by default, unless the program specifies otherwise.
How do I troubleshoot if I get an error message saying "This resource is secured against CSRF" when trying to send a message in a bug report submission?
This is an intended security mechanism and can be cleared by reloading/refreshing the page. If this does not work, try to log out of your Immunefi account and log back in.
Can I reserve a place as first reporter by submitting a report that is not yet fully complete?
No. Keeping a bug report open does not secure a "spot" as the first reporter, as only the first complete report escalated is what is considered to be the first one. You are welcome to resubmit when you are ready to have a fully completed report escalated to the project.
How do I create a wallet to receive payments for my bug finds?
We require that hackers use a wallet that is an externally owned account (EOA) to receive payment. We don't require that hackers use any particular wallet software, so long as the hacker is able to submit transactions and make signatures from that address.
Important: smart contract wallets are not supported. Centralized exchange (CEX) wallets are not supported. If you submit a smart contract or CEX wallet on the submission form, you're at your own risk. If your bounty payment goes into a black hole, we cannot retrieve it for you.
For non-EVM projects, it’s ok to enter all zeroes as the wallet address and then put the actual wallet address in the bug report.