Security researchers spend a lot of time and effort hunting bugs and writing up submissions. Therefore, it is often a good idea to offer goodwill payouts to whitehats even when a submission misses the mark. Doing so is a demonstration of good faith and it will often motivate hackers to continue hunting bugs for your program.
When should we offer goodwill payouts?
Generally, it is good practice to offer a goodwill payout when a whitehat submits an out-of-scope report that doesn't require a fix, but you want to encourage them to continue hunting for your bug bounty program. You may also choose to reward a whitehat for submissions that provide informational value or that are the result of substantial effort.
Do we have to pay the 10% Immunefi fee for goodwill payouts?
No. Goodwill payouts are delivered to thank a whitehat for the time and effort spent on reports that do not require a fix, or that provide only informational value, so we will not ask projects for our fee on them.
Is there anything else we need to do for goodwill payouts?
Once you and the whitehat have agreed on the goodwill payment, you should change the severity level of the report to “Informational.” This signals that the report is not within the scope of the program, but is worth rewarding anyway.