Is there any up front fee to be a part of Immunefi? How much do we have to pay to launch on your platform?
There is no onboarding fee, and there are no ongoing maintenance fees. You pay us only when you validate an escalated vulnerability and pay out the whitehat their bounty reward. The fee payment is an additional 10% on top of the reward paid out to the whitehat. Please see our related Help Center article on Immunefi Fee Payout and Issuing Payouts.
I am a new client. When should I begin receiving bug reports?
Some bug reports may already have been submitted but were caught by our automated filtering and not escalated to you because they were considered spam. You will only see relevant, escalated bugs in the bug disclosure dashboard. See our Self Triaging Overview for more information.
After I launch, when should I expect to receive bug reports?
It's normal for bug bounty programs not to receive bug reports immediately, though the first few weeks do tend to be a period of decent bug report activity, so please continue to be ready and ensure your technical team is on standby. However, as bug bounty programs are also designed to protect against long-tail cybersecurity risk, it's normal for bug reports to come in months after launch, as has been the case with some of our clients.
I didn't receive the verification email when trying to create my account. How do I have it re-sent?
The verification reminder banner, which contains the link to re-send the verification email, is shown in the video below.
How should we determine the bug bounty reward amount?
What's the total budget that should be set aside for the program?
We recommend setting aside a total budget that is 2-3 times your max critical payout. This should be enough in case your project receives a large number of valid bug reports within a short span of time.
What happens if I have an ongoing/upcoming audit?
My contracts are already similar-match verified and the source code is viewable. Why do I need to have it exact-match verified?
Does all code need to be open-sourced/publicly viewable?
Should I have a PoC requirement for my program?
Who decides on the severity of the bug reports?
How does the bug report filtering work?
Our team helps to filter out bug reports by verifying the whitehat’s claims against the bug bounty program rules. We do not, however, check to see if a whitehat's claims are factually correct. This is the responsibility of the project.
We also filter reports that do not contain sufficient information. All bug reports get filtered and are either closed, or escalated to your team.
Your team will have access to both closed and escalated reports. Your team will be immediately notified about escalated reports by email. You can also set up PagerDuty integration by following the steps listed here.
In contrast, your team will not be immediately notified about closed reports. Instead, you will receive a weekly digest with a list of all the closed reports, and you will be able to access the closed reports at any time.
Note that an escalated report has passed through our filtering process; this does not mean that the bug report is valid. Your team is in charge of validating the bug reports yourselves.
It is also important to note that the automated filtering service provided by our team does not check if the whitehat’s claims are factually correct, assess the submission severity, or analyze the PoC to understand the validity.