Bug Bounty Report FAQs
How do I troubleshoot if I get an error message saying "This resource is secured against CSRF" when trying to send a message in a bug report submission?
This is an intended security mechanism and can be cleared by reloading/refreshing the page. If this does not work, try to log out of your Immunefi account and log back in.
Where can we ask questions about a bug report or discuss details?
All discussions regarding a specific bug report must take place in the respective bug report comment thread on the Immunefi Dashboard. This lets us mediate any miscommunication and enforce the terms of the bug bounty program as well as the site-wide rules (e.g. embargoes, rules against harassment, etc.). Please note that according to the Immunefi Rules, the following is prohibited behavior for whitehats and projects alike:
Attempting to route around Immunefi and communicating with a project directly
Do I have to pay a whitehat if a bug report submission was closed as out of scope, but our project fixed the reported issue anyway?
Your project is not required to provide a payout for an out of scope report. However, it is strongly recommended to provide a reward as a sign of good faith in their work and to encourage further bug hunting.
I have a question on a bug report submitted in the Immunefi Bugs Disclosure Dashboard. Can we chat about this in our Telegram / Discord / Slack group?
For security reasons, please ensure all discussions relating to bug reports, technical or otherwise, remain within the Bugs Disclosure Dashboard.
Will I receive a notification if a valid bug report has been submitted?
Yes, you will be notified by automated email when a bug report is escalated to you. You can also see it in the Immunefi Bugs Disclosure Dashboard. See also our Help Center article on SLAs & Notifications.
How soon after a whitehat submits a bug will we receive the bug report?
We provide automated filtering, and we escalate or respond to bug reports largely within 24 hours of submission. Bug reports with a higher indicated severity have a considerably faster response / escalation time. Critical vulnerabilities trigger PagerDuty on our end 24/7. Please see our Self Triaging Overview article for more information.
How does the bug report filtering work and do all the bugs that have been submitted to Immunefi show up in my Dashboard?
We perform automated filtering on all reports that are submitted to your program (unless you have manually disabled this feature) to weed out spam before a report is escalated to you. However, you still need to self-triage reports to determine whether or not they are valid and in scope of your bug bounty program. Please see our Automated Filtering and Self Triaging Overview articles for more information.
We confirmed a report and implemented a fix. However, we have received a second report that covers the same vulnerability but bypasses the fix. Can we close the second report as a duplicate?
If the second report bypasses the original fix, then the bug is valid and should be rewarded. After all, the second report demonstrated that there is a vulnerability that could be exploited. For more information on when it is acceptable to close a report as a duplicate, see our Duplicate Reports article.
Why do we need verification for deployed addresses?
What happens if a whitehat submits a valid report but is banned before being paid? Do we still have to reward the whitehat?
No, but you will still need to pay the Immunefi fee.
Can we reopen a closed bug report submission?
You can reopen a closed submission if it has been marked as out of scope by our automated filtering system. Follow the steps outlined in this article to do so. If you have already reopened the submission once before and closed it again, you will need to use the 'Request for Help' button so that a member of our team can reopen the submission for you.
Note that you can still interact with the whitehat in a closed submission if you need to do so.
Bug Bounty Program FAQs
How do we handle future modifications and changes to our bug bounty program?
I would like to make a custom table for the categories in my bug bounty program.
Please reach out via our team Telegram communications channel.
Does Immunefi know how adding Proof of Concept (PoC) requirements will affect the number of bug reports I can expect to receive?
We do not currently have data tracking relating to PoC requirements. This is an effort we may undertake in the future.
We would like to delete a contract. If a bug has been previously discovered what happens?
If you are deleting a contract that has an outstanding bug report on it, that existing bug report is still valid and the whitehat should be paid a reward based on your reward table.
If we add a new team member to the Bugs Disclosure Dashboard, will they be able to see all the prior bugs reported?
By default, they will only see new bug reports. If you want the newly added team member to see previously reported bugs, an existing team member will need to manually subscribe the new team member to each report by selecting '+ Add a participant' from the right-side menu panel.
What type of content should we put in the Co-marketing messaging?
Please consult the Co-Marketing guide provided to you at Launch.
Where do clients normally place their “bug bounty website program link” on their webpage?
Please consult the Co-Marketing guide provided to you at Launch.
We are an existing client with a bug bounty program and we are now adding new assets. Should we add them to our existing bug bounty program, or should we create a new bug bounty program with Immunefi?
We can create separate bounty program pages, and we’ve done so for some projects, but this is normally done when the product has separate branding and, in most cases, a separate team. Therefore, the normal process is to add assets to the existing bug bounty program. If there are any questions on this, please reach out via our combined team communications channel.
We would like to change our name/branding of our Project. How should we proceed?
Please reach out via our combined team communications channel.
We are going to put a link in our Github or write a Medium post. Is there anything that needs to be included?
Ensure that you link to your Immunefi bug bounty program. This ensures that your readers are directed to our site to access the details and scope of your bug bounty program.
We included a contract that we did not intend to include in our bug bounty program. Can you remove it?
This can be removed through a request via our combined team communications channel. However, please note that if you have pending escalated bug report submissions, any assets listed on your bug bounty program at the time of submission must be considered in-scope, and the whitehat would therefore be eligible for a bounty reward.
We are starting a new project and are interested in launching an additional, completely new bug bounty program.
Please reach out via our combined team communications channel to discuss.
One of our team members has left the project. How can we remove them from having access to the Dashboard and our team communications channel with Immunefi?
Please reach out via our combined team communications channel.
Is there a limit to the number of our team members that can be signed up for the Dashboard?
Currently, there is no limit.
When I reply in the dashboard, can I communicate with Immunefi only, or will the hackers also see the communications?
You can specify the audience of each of your messages. Please see our Help Center article on our Messaging System.
We are having a vote on increasing the reward values of our bug bounty program. How do we update our reward table?
Please reach out via our combined team communications channel.
Does Immunefi support fiat-based bounties?
No, we do not.
Does Immunefi know how requiring KYC may affect the number of bug reports I can expect to receive?
We do not currently have data tracking relating to KYC. This is an effort we may undertake in the future.
We would like more attention on our bug bounty program from whitehats. Is this possible?
You can attract more whitehats to your code by significantly increasing your bug bounty reward amounts. If you do increase your rewards, we will be more than happy to tweet an announcement. Please reach out via our combined team communications channel to request this.
We have recently updated our max bounty reward payout, but our Twitter thumbnail still shows the old value. Can you update this for us?
You can use https://cards-dev.twitter.com/validator to refresh the Twitter card / thumbnail image.
Are Immunefi’s fees included in the bug bounty program payment to the whitehat?
No, the Immunefi fee of 10% is in addition to what you pay the whitehat and should be sent in the currency or currencies used to pay them out. See our Immunefi Fee Payout article for more information.
Do I have to pay the 10% Immunefi fee for good will payouts granted to whitehats?
No. As good will or good faith payouts are delivered to thank a whitehat for their time and effort for reports that do not require a fix, are out of scope, or that provide only informational value, we will not ask projects for our fee.
We have new contracts. Is it required by Immunefi that we include them in our bug bounty program?
No, you are not required to include any specific contracts in your bug bounty program - it is your choice what to include and not to include as part of your scope.
We would like to change our form of payment to the whitehat.
Payouts to whitehats can be made in stablecoins, your own coins, bitcoin, etc. and we are happy to update your bounty program page to reflect this. Please reach out to us via our combined team communications channel.
How can hackers from your community that might have tech-related questions about our stack reach out and ask questions about the bounty?
The hackers in our community are masters of their craft and generally work to find bugs in code without significant context. Of course, the more comprehensive your documentation, the faster they’ll get to the bottom of your code (and the less likely they’ll give up before finding something).
They don’t typically ask questions of the developers for two reasons: if other hackers can see the questions they’re asking, it may lead someone else to find the bug first, and the questions they ask may lead developers to discover the bug independently.
How can we drive more volume of bug reports?
Here are some suggestions on how to drive more whitehat traffic to your bug bounty page to elicit more bug reports:
- Increase bounty rewards
- Post about it on your socials monthly
- Design cool graphics to promote it
- Feature it in a prominent banner on your website
Updates to your Bug Bounty Program are also a great time to publicize on socials, such as when:
- new contracts (Assets) are added
- contracts are replaced with different contracts
- you fully update to a new version of your program (i.e. V1 to V2)
- you increase reward tier amounts
- you add a new section to your program, such as adding Web/App when previously you only had Smart Contracts
These milestones for your program are natural ways to promote it and get eyes on your code, especially when whitehats want a compelling new reason to look at or revisit a bug bounty program.
We are also open to exploring the option of Discord hangouts - feel free to reach out via our direct communications channel to further discuss.
How is "economic attack" defined as per Immunefi's severity ranking?
An economic attack isn't an impact; it's just a step in a kill chain. The severity would depend on the outcome of a successful attack. If it results in draining the principal of the contract, then it would be critical. If it results in the attacker receiving an unfair allocation of yield, then it would be high. If it results in the contract not producing any yield, but no value goes to the attacker, it would be medium. Those are just examples, but they are intended to illustrate how the mechanism of the attack is separated from the impact of the attack.
Are rewards required to be delivered as outlined in the project Bug Bounty program?
All bug reports should be assessed and rewarded based on the scope of the BBP at the time of the report's submission.
Can bounty rewards be paid through vesting?
We allow clients to set vesting terms for their payout to the whitehat, as long as the vesting terms are displayed in their bug bounty program.
Can the Immunefi fee be paid through vesting?
Immunefi’s fee cannot be paid with vesting.
Can bonus bounty amounts and related Immunefi fees from the bonus amount be paid through vesting?
Yes. Bonuses in addition to the required reward amounts to the whitehat are treated differently from the rewards committed to by the project. Vesting is allowed on these bonus rewards and the associated fees, as the project was not required to provide them and they are above and beyond what was to be paid out.
The best thing to do would be to report the bug yourselves on our dashboard and indicate that the report was submitted by a team member, with '[INTERNAL]' in the title of the report. All reports are time-stamped, and in the event of a duplicate submission, we would be able to verify that a member of the team submitted the bug report first.
How do we change or add new admins for our bug bounty program?
You can add new users and admins to your program by following the steps outlined in this article. If you need to remove an admin or change an admin's role to user, please reach out to us on Telegram.
What is a duplicate report?
A report is a duplicate when it showcases the same vulnerability as another report that has already been submitted to the project on the Immunefi platform. Only the first report to identify a vulnerability is paid a reward.
For example, if Report 11894 and Report 12001 both detail the same re-entrancy vulnerability but Report 11894 was submitted first, then Report 12001 is a duplicate and is not eligible for a reward.
What counts as a known issue?
A known issue is a vulnerability that a project can prove was already known to them before it was identified in a bug report. There are several ways that projects can prove that a vulnerability is known. See our Known Issues article for more information.
What is an impact and how does it work?
An impact is the damage that a vulnerability could cause a project (e.g. X amount of funds could be stolen through Y vulnerability). If the report can’t identify an impact, then it is not eligible for a reward.