Working with Whitehats and Immunefi FAQs – Immunefi

Working With Whitehats/Hackers

We have received a bug that the hacker says is critical, but we believe the severity level is lower than that, what should we do?

Please see our Help Center article on Lowering Severity.

For which types of vulnerabilities is a whitehat not allowed to go public within the 90-day embargo/waiting period?

non-fixed
non-fixed even if well known
non-fixed and duplicate

We did not fix our code as a result of a reported vulnerability, but the whitehat is insisting on a reward payout. Do we need to pay?

A project is only required to pay a bounty reward if the reported vulnerability is in scope for your bug bounty program and you fix your code based on the bug report provided. If you decide not to fix a vulnerability, you are not obliged to pay a reward.

With that said, if a vulnerability is out of scope but you decide to fix it anyway, we strongly recommend that you reward the whitehat for their work.

Working With Immunefi

Will you be able to write a Medium post / blog post about our bug bounty program?

Normally we do not write Medium posts for a client bug bounty program launch.

There are 2 exceptions:
- We do offer Medium posts whenever there is a launch due to a DAO vote.
- We offer Medium posts when a new project / client is setting up their bug bounty program because they have had a prior hack, and are trying to recover their brand reputation. By posting to Medium, this will assist them in building back up their credibility and reputation

If you experience a critical vulnerability hack, there may be an opportunity for Immunefi to work with you to write a Post Mortem.

Can we be part of Immunefi’s bug bounty matching programs, such as the Armor or Binance Matching programs?

Please reach out via our combined team communications channel.

Is Immunefi able (or obligated) to help with live exploits occurring for a project?

We are very sorry but we were not able to help here. Doing incidence response is not something we are normally able to help with and neither is our community. We provided this help before but realized that we are not currently fully capable of offering it, so we stopped it until we are able to actually provide the service, though we are doing some experiments in the near future to get this service back up. Our whitehats are also just community members and not people contracted by Immunefi, so even those times we did incidence response, we had no whitehats in our community helping us. We're sorry as well that a bug bounty program was not able to prevent this hack.

What do I have to pay a 10% fee to Immunefi?

The 10% fee is what we charge for bugs found by our community and then reported through our platform. This fee is only charged whenever our services contribute to bringing value to your project.

Triaging, bug report submission reviews, and all other additional services are separate from this fee. On most other bug bounty platforms, these services are provided on a time-based cost structure (whether monthly or annually). In contrast, we offer our automated filtering as a free service.

I live in a jurisdiction that requires know-your-customer (KYC). Can Immunefi help with that? And what KYC details should I ask for?

No, Immunefi will not request or review personal documentation from whitehats. Instead, you should contact the whitehat directly to request these materials.

KYC requirements are not currently standardized in the crypto space. With that said, the usual requirement is for a national ID photo and a scan of a utility bill to show proof of residency.

How does KYC work on the platform?

Immunefi does not conduct any KYC verification on our platform. You are allowed to request for KYC for your bounty programs, but you are in-charge of conducting the KYC verification yourselves.

This is usually done by asking for details to be provided over the dashboard, but some projects have also set up their own KYC portals for verification.

We have a bug resolved through Immunefi, and we would like to collaborate on a post-mortem

Please reach out to Immunefi via our combined team communications channel.

Can I allow security researchers to test smart contracts and/or Blockchain/DLT vulnerabilities on my public testnet/mainnet?

Unfortunately, this is something we do not allow on our platform. Even though public testing of exploits may not be detrimental to your own protocol, this would still expose the vulnerability to the public and may lead to unpredictable consequences for other protocols.

Will Immunefi retweet a new product announcement for our project?

Normally, we try to restrict our retweets to new contracts being added or bug bounty amounts upgraded, but even this is getting more selective due to our growing number of clients. If you believe that your tweet meets our criteria, contact us on Twitter or Telegram to make the request.

Related articles