I'm working with another hacker on a bug. When we submit our bug, how do we handle splitting bounties?
Currently, splitting is a manual process. The bounty payment is sent to one address, and the whitehats can decide how to split it from there.
Can I change the bug’s severity level after I report it?
If the report status is in
Needs more information, the whitehat can ask Immunefi to change the severity level. After escalation, it needs to be discussed with and agreed upon by the project.
- the bug is a duplicate
- the bug is well-known to the project, and the project can supply appropriate proof
- the bug is a non-security issue (e.g. low-level UI bug), so even if fixed does not require payout
- the project decides not to fix the bug
Can I go public with my find if the report is closed as out of scope and/or the project doesn’t consider it to be a bug?
Yes, you may go public under these conditions:
- 30 days have passed since the report was closed
- The report was not closed as a duplicate or well-known issue
Can I go public with my find if the project considers the bug a duplicate or a well-known issue?
Can I go public with my find if the bug is fixed and paid?
Yes. When your bug report is fixed and paid, you may go public with the report at your convenience. You are encouraged to coordinate with Immunefi and/or the project on your publication.
Can I go public with my find if the project has not resolved my submission?
You may go public if the project has not resolved your submission after 90 days from the time of escalation despite requesting assistance, unless a mediation process is still ongoing. You may not go public if your bug report is rejected as a duplicate or a well-known issue.
When I try to submit a bug report, the dashboard tells me to try again in 48 hours. Why?
Immunefi ratelimits all bug reports to encourage whitehats to focus on submitting the highest quality reports.
Whitehats are currently allowed to submit a maximum of 5 reports per 48-hour period. Once you’ve submitted 5 reports, you will have to wait 48 hours to submit more.
Are rewards required to be delivered as outlined in the project Bug Bounty program?
All bug reports should be assessed and rewarded based on the scope of the BBP at the time of the report's submission.
What happens if projects decide not to pay?
Bug bounties are very new in the Web3 space, so projects are still learning how to run successful and ethical bug bounty programs. Rarely, a project will decide not to pay. We will do everything we can to encourage projects to act ethically and responsibly, but if a project is generally non-responsive, we will remove them from our platform.
How fast does Immunefi respond to bug reports?
The fastest in the industry.
Can I re-open my report after it's been closed?
Only Immunefi and the Project can re-open your report. If you believe your report has been closed in error, please Request Help from Immunefi.
How do I learn more about smart contract/blockchain hacking?
This is a big topic, but here are some simple steps to get started:
- Follow our Twitter account for educational resources, as well as the hashtag #immunefischool
- Join our Discord and learn from the top Web3 hackers
- Read through bugfix postmortems on our Medium to see a technical analysis of bugs that were reported and fixed via Immunefi
- Check out our blog post Hacking the Blockchain: An Ultimate Guide
- Check out resources for learning smart contract hacking our site
How do payouts work, and are they done only in crypto?
Projects only make payouts in crypto. Each project’s bug bounty program page on Immunefi specifies exactly what the payout terms are. Sometimes, the payouts are done in stablecoins like USDC (1 USDC is equivalent to one U.S. dollar). Other times, payouts are made in that project’s native token. Occasionally, it’s a mix of both, or BTC/ETH.
Once a project confirms the vulnerability you have reported and updated status to `Confirmed`, they will then reconfirm with you the severity level and reward payout amount as well as the wallet address to which they should send the bounty payout. The transaction is directly between you and the project, so do confirm all details are correct before they issue it. At any time you can reach out to request mediation assistance.
Why are some bounty rewards offered as vested tokens instead of non-vested tokens?
Not many projects offer bounty rewards as vested tokens, which are released to the whitehat on a set schedule.
However, some projects do pay rewards in vested tokens. Immunefi initially did not allow vested tokens, and the initial policy still holds for Immunefi’s fee, but projects and whitehats requested that vested tokens be allowed, so that some projects could offer much larger bounty rewards. The point of this policy change was to allow whitehats to hunt on whichever bug bounty programs suits their requirements the most.
I reported a critical vulnerability - when can I get an Immunefi Hoodie?
Due to production issues, we are currently suspending the issuance of hoodies to whitehats until we can find a new solution for hoodie production and shipping. Stay tuned for the next edition of hoodies.
What if I find a vulnerability across multiple assets of the same project? Of different projects?
Although a vulnerability can exist across multiple assets, keep in mind only the first instance of each cited is eligible for a bounty reward. You can follow the guideline of: one bug, one patch, one payout.
If the same vulnerability is found in different project's assets, please file a new report for each.
The project closed or downgraded the severity of my report and are claiming they requested an update to their bug bounty program prior to my submission. The change they are claiming was not published on their program page at the time of my submission. What happens now?
If a project logs a bug bounty program change request with Immunefi and a new bug report is submitted after, it will be reviewed against the updated version of the program, although it might not yet be publicly published. If there are any doubts, please reach out to Immunefi to verify the timeline of events.
I think I’ve found a vulnerability, but I’m not sure. Can I share it with someone?
Do not share it on a public channel. You can share it privately to another whitehat you trust, but you will held responsible if the vulnerability is leaked and exploited.
If you consult with another whitehat, it’s your responsibility to figure out how to split any bounty. Immunefi and the project will not mediate in any dispute.
When a program lists a website in scope, are other directories in scope? And subdomains?
All the directories will be included (site.com/something) but not the subdomains (something.site.com) by default, unless the program specifies otherwise.
How do I troubleshoot if I get an error message saying "This resource is secured against CSRF" when trying to send a message in a bug report submission?
This is an intended security mechanism and can be cleared by reloading/refreshing the page. If this does not work, try to log out of your Immunefi account and log back in.
Can I reserve a place as first reporter by submitting a report that is not yet fully complete?
No. Keeping a bug report open does not secure a "spot" as the first reporter, as only the first complete report escalated is what is considered to be the first one. You are welcome to resubmit when you are ready to have a fully completed report escalated to the project.
The project is being slow responding to my bug report. What are their required response times / SLAs?
When projects join Immunefi, they sign an Operational Agreement with Service Level Agreements (SLAs) which governs receipt, decision, and payout times. If a project breaches any of the time frames below, please see the following article on how to request help from Immunefi.
|Action||Severity Level||Response Time|
|Acknowledgement of report||Critical||48 hours|
|All severity levels except critical||3-4 days, depending on holidays/weekends|
|Decision on report||High + Critical||Up to 14 days|
|Low + Medium||Up to 7 days|
|Payout for valid reports||High + Critical||Within 14 days|
|Low + Medium||Within 7 days|
How do I create a wallet to receive payments for my bug finds?
We require that hackers use a wallet that is an externally owned account (EOA) to receive payment. We don't require that hackers use any particular wallet software, so long as the hacker is able to submit transactions and make signatures from that address.
Important: smart contract wallets are not supported. Centralized exchange (CEX) wallets are not supported. If you submit a smart contract or CEX wallet on the submission form, you're at your own risk. If your bounty payment goes into a black hole, we cannot retrieve it for you.
For non-EVM projects, it’s ok to enter all zeroes as the wallet address and then put the actual wallet address in the bug report.
How do I change my wallet address in a submitted bug report?
At the moment, we do not have a way for you to edit your wallet address. However, you can simply update the project team once a report is in `Confirmed` status and advise them of your requested wallet address. Projects should reconfirm with you your address, prior to sending any reward payout.
Can I contact the project directly about a bug that I find?
No. In fact, doing so is against the rules and could result in a warning or a ban. Contacting a project directly is a rules violation because projects host their bug bounties on Immunefi specifically so that all communication is handled through our secure platform.
Additionally, contacting a project before submitting to Immunefi is also considered a violation and will result in no payout.
What is a duplicate report?
A report is a duplicate when it showcases the same vulnerability as another report that has already been submitted to the project on the Immunefi platform. Only the first report to identify a vulnerability is paid a reward.
For example; if Report 11894 and Report 12001 both detail the same re-entrancy vulnerability but Report 11894 was submitted first, then Report 12001 is a duplicate and is not eligible for reward.
What counts as a known vulnerability?
A known vulnerability is a vulnerability that a project can prove was already known to them before it was identified in a bug report. Projects can prove that a vulnerability is known by providing a github issue, formal documentation, or by self-reporting it on Immunefi (which then makes any subsequent reports documenting the same vulnerability into duplicate reports).
What is an impact and how does it work?
An impact is the damage that a vulnerability could cause a project (e.g. X amount of funds could be stolen through Y vulnerability). If the report can’t identify an impact, then it is not eligible for a reward.
Article is closed for comments.