Working With Whitehats/Hackers
We have received a bug report that the hacker says is critical, but we believe the severity level is lower than that. What should we do?
Please see our Help Center article on Lowering Severity.
For which types of vulnerabilities is a whitehat not allowed to go public within the 90-day embargo/waiting period?
- Unfixed vulnerabilities, even if they are well known
- Unfixed vulnerabilities that are duplicates of an earlier report
Working With Immunefi
Will you be able to write a Medium post / blog post about our bug bounty program?
Normally we do not write Medium posts for a client bug bounty program launch. There are two exceptions:
- We do offer Medium posts whenever there is a launch due to a DAO vote.
- We offer Medium posts when a new project / client is setting up their bug bounty program because they have had a prior hack and are trying to recover their brand reputation. Posting to Medium helps them rebuild their credibility and reputation.
If your project is hacked through a critical vulnerability, there may be an opportunity for Immunefi to work with you to write a Post Mortem.
Can we be part of Immunefi’s bug bounty matching programs, such as the Armor or Binance Matching programs?
Please reach out via our combined team communications channel.
Is Immunefi able (or obligated) to help with live exploits occurring for a project?
We are very sorry, but we were not able to help here. Doing incident response is not something we are normally able to help with, and neither is our community. We provided this help before but realized that we are not currently fully capable of offering it, so we stopped it until we are able to actually provide the service, though we are doing some experiments in the near future to get this service back up. Our whitehats are also just community members and not people contracted by Immunefi, so even those times we did incident response, we had no whitehats in our community helping us. We're sorry as well that a bug bounty program was not able to prevent this hack.
Why do I have to pay a 10% fee to Immunefi?
The 10% fee is what we charge for bugs found by our community and then reported through our platform. This fee is only charged whenever our services contribute to bringing value to your project.
Triaging, bug report submission reviews, and all other additional services are separate from this fee. On most other bug bounty platforms, these services are provided on a time-based cost structure (whether monthly or annually). In contrast, we offer our automated filtering as a free service.
I live in a jurisdiction that requires know-your-customer (KYC). Can Immunefi help with that? And what KYC details should I ask for?
No, Immunefi will not request or review personal documentation from whitehats. Instead, you should contact the whitehat directly to request these materials.
KYC requirements are not currently standardized in the crypto space. With that said, the usual requirement is for a national ID photo and a scan of a utility bill to show proof of residency.
How does KYC work on the platform?
We have a bug that was resolved through Immunefi, and we would like to collaborate on a post-mortem.
Please reach out to Immunefi via our combined team communications channel.
Can I allow security researchers to test smart contracts and/or Blockchain/DLT vulnerabilities on my public testnet/mainnet?
Will Immunefi retweet a new product announcement for our project?