The Out of Scope Filter is a new feature that gives projects full visibility into submissions that were previously not escalated because they were out of scope under the project's current bug bounty program. Several updates become visible once a project has updated its targets and impacts with Immunefi.
Please see below for more details on the respective updates.
New Features for Projects:
- Silent Subscription & Access through 'Program Reports' page - Reports marked as out-of-scope can be viewed on the 'program reports' page by filtering for 'closed' reports. A column has been added to show reports tagged as out-of-scope or re-opened.
- New Submission Form - Projects will now have a new submission form that directly pulls targets and impacts from their bounty listing. We have also separated out the Proof of Concept from the report description to encourage whitehats to submit higher quality reports.
- Note: The new submission form will only appear on a project's submission form if the project has updated its assets in scope and impacts in scope to include at least one of each. If the BBP does not list at least one of each, the currently used form is shown instead.
- Email Digest - When Immunefi marks a report as out-of-scope, projects will be subscribed to it but not notified via email. Instead, projects will receive a weekly 'Email Digest' listing the out-of-scope reports submitted to them. This lets teams review every submission to their project whenever they wish.
- New Report View - Projects will also now have the new submission form data displayed on the report page. The view shows the target or impact that is out of scope in red text, and projects can see whether the whitehat has entered a Proof of Concept.
- Re-opening Reports - If a project reviews a report marked as out-of-scope but decides the bug is legitimate, it can re-open the report to work with the whitehat and mitigate the vulnerability. The re-open action is at the bottom of an out-of-scope report.