Immunefi

Live since: 02 December 2020
KYC required: Yes
Maximum bounty: $50,000

Program Overview

Immunefi is a bug bounty platform hosted by a consortium of companies active in the cybersecurity space. It aims to make cybersecurity more accessible to the cryptocurrency industry as well as the wider cyberspace.

Immunefi is interested in securing their bug bounty Whitehat Protocol and website. Primary areas of concern are around the modification of information on the website, leakage and loss of client data, and leakage of communicated information from clients to the company.

Rewards by Threat Level

Rewards are distributed according to the exploitability level of the vulnerability and its impact based on the Immunefi Vulnerability Severity Classification System.

Payouts are handled by Immunefi directly and are denominated in USD.

Smart Contracts and Blockchain

Level      Payout
Critical   USD $50,000
High       USD $5,000
Medium     USD $1,000
Low        USD $0
None       USD $0

Web and Apps

Level      Payout
Critical   USD $1,250
High       USD $625
Medium     USD $250
Low        USD $100
None       USD $0

Assets in Scope

Immunefi is aware of issues regarding sanitization of Markdown in bug reports. As of 2021 May 28 14:30 UTC, Immunefi is not accepting bug reports concerning input sanitization in bugs.immunefi.com. This restriction will be lifted when the current, known issues are resolved.

Asset types in scope:

  • Smart contract
  • Website
  • Website

Prioritized Vulnerabilities

We are especially interested in receiving and rewarding vulnerabilities of the following types:

Smart Contracts and Blockchain

  • Re-entrancy
  • Logic errors
    • including user authentication errors
  • Solidity/EVM details not considered
    • including integer over-/under-flow
    • including rounding errors
    • including unhandled exceptions
  • Trusting trust/dependency vulnerabilities
    • including composability vulnerabilities
  • Oracle failure/manipulation
  • Novel governance attacks
  • Economic/financial attacks
    • including flash loan attacks
  • Congestion and scalability
    • including running out of gas
    • including block stuffing
    • including susceptibility to frontrunning
  • Consensus failures
  • Cryptography problems
    • Signature malleability
    • Susceptibility to replay attacks
    • Weak randomness
    • Weak encryption
  • Susceptibility to block timestamp manipulation
  • Missing access controls / unprotected internal or debugging interfaces

Websites and Apps

  • Remote Code Execution
  • Trusting trust/dependency vulnerabilities
  • Vertical Privilege Escalation
  • XML External Entities Injection
  • SQL Injection
  • LFI/RFI
  • Horizontal Privilege Escalation
  • Stored XSS
  • Reflective XSS with impact
  • CSRF with impact
  • Direct object reference
  • Internal SSRF
  • Session fixation
  • Insecure Deserialization
  • DOM XSS
  • SSL misconfigurations
  • SSL/TLS issues (weak crypto, improper setup)
  • URL redirect
  • Clickjacking (must be accompanied with PoC)
  • Misleading Unicode text (e.g. using right to left override characters)

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks

Websites and Apps

  • Theoretical vulnerabilities without any proof or demonstration
  • Content spoofing / Text injection issues
  • Self-XSS
  • Captcha bypass using OCR
  • CSRF with no security impact (logout CSRF, change language, etc.)
  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
  • Server-side information disclosure such as IPs, server names, and most stack traces
  • Vulnerabilities used to enumerate or confirm the existence of users or tenants
  • Vulnerabilities requiring unlikely user actions
  • URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
  • Lack of SSL/TLS best practices
  • DDoS vulnerabilities
  • Economic attacks (e.g. 51% attack)
  • Attacks requiring privileged access from within the organization
  • Lack of liquidity

The following activities are prohibited by the bug bounty program:

  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. Java, external plugin) as well as websites (e.g. SSO providers, advertising networks)
  • Any testing with mainnet contracts
  • Any testing with public testnet contracts
  • Disassembly or reverse engineering of binaries for which source code is not published
  • Testing against ratelimits on endpoints like account creation, password resets, etc.