"If you're not using Immunefi, you're not taking security seriously." - Jaynti Kanani, Polygon Co-Founder

Secure your project, sleep well at night, and show you take security seriously. Launch your bug bounty program with Immunefi.

Who We Are

Immunefi is the leading bug bounty and security services platform for crypto, which features the world’s largest bounties and the first ever operational bug bounty protocol. Immunefi guards over $25 billion in user funds across projects like Synthetix, Chainlink, SushiSwap, PancakeSwap, Bancor, Cream Finance, Compound, Alchemix, Nexus Mutual, and others.

Immunefi is chain-agnostic, meaning that we host bug bounties for blockchain projects across all chains and networks.

What We Offer

We host bug bounties for blockchain projects by providing a platform to bring projects and hackers together, so that hackers can report bugs responsibly and projects can fix those vulnerabilities securely.

As part of that process, we offer:

The Whitehat Army

  • Talent is scarce and hard to bring together, so we’re continuously growing the best crypto and DeFi security experts in the industry to do an ongoing code review of your project. It’s not uncommon for security researchers to turn up vulnerabilities within minutes or hours of a bug bounty program going live

A Secure Dashboard

  • The Immunefi Bugs Platform is a secure and convenient way to receive bug reports
  • Receive bug reports in the same place they are reported
  • Manage all existing reports
  • Multiple team members can be added
  • Free for all Immunefi clients

PR and Comms Support

  • We write highly viewed and shared postmortems for critical vulnerabilities, reminding the crypto community how much your project takes security and responsibility seriously
  • We advise on how to communicate about a patched vulnerability
  • PR assistance depending on press coverage likelihood

How Does It Work?

Onboarding and Launch Process

  • After clients fill out an Immunefi bug bounty onboarding form, they receive a questionnaire
  • Immunefi begins drafting up a bug bounty program based on answers to those questions
  • The draft is sent to clients for review
  • After modifications are done, the process is handed over to Immunefi’s launch specialist
  • The launch specialist works with the project’s marketing team to figure out the launch time and bounty PR/marketing details

How Fees and Payments Work

How much does hosting a bug bounty on Immunefi cost? The good news is that there’s no upfront cost. Projects only pay a 10% performance fee to Immunefi on top of the bug bounty award when hackers find real vulnerabilities.

  • $0 onboarding and launch fee
  • $0 maintenance fee
  • $0 advisory fee for drafting the program
  • 10% Immunefi performance fee (charged on top of the payout) for vulnerabilities found
  • No deposits
  • You can KYC if needed, but let us know in advance
  • Projects set their own payout amounts
  • Pay rewards in your own token/coin

Sounds Great, How Do We Sign Up?

If you’re a project looking to show your users and the world that you take responsibility and security seriously, sign up for a bug bounty here, and we’ll begin the onboarding process.

We aim to get back to all projects expressing interest within 5 business days.

FAQ

Q: Can we remove assets in scope of the bug bounty program?

A: It’s generally allowed, but we recommend refraining from doing so, as it reduces confidence in your bug bounty program in the eyes of hackers: they might be working on something, only to find out that it was just removed. If you plan to regularly add or remove assets, we recommend considering a grace period during which you would still reward vulnerabilities in those assets.

Q: We have multiple products, should we include them all in one program?

A: If you have multiple products with different branding and/or want to have a different payout table, we recommend having multiple bug bounty programs instead.

Q: How are bug reports classified?

A: Most bug bounty programs on Immunefi use the Immunefi Vulnerability Severity Classification System. Though our clients are allowed to modify this system, we require that this be clarified before the launch of the bug bounty program so that it’s clear to the bounty hunters at the time of launch.

Q: Do you provide triaging services?

A: At the moment, we do not provide triaging services, though we are able to provide assistance whenever you are having issues with bug reports.

Q: What if there is a vulnerability or impact we don’t care about or know about?

A: We allow our clients to state what bug reports they don’t want to pay out for and are able to include this in the bug bounty program. It’s important to get this included before launch or as soon as possible if it’s after the launch, so that there are no issues with submitted bug reports that are valid but actually not valued.

Q: What happens if we reject a bug report?

A: If a client rejects a bug report, the embargo for the bug report is over and the bug bounty hunter is free to post about it publicly. This is generally not an issue if the vulnerability is indeed invalid, but if it is valid, public disclosure can be a PR issue and can potentially lead to direct losses of funds. Therefore, it’s important for our clients to properly review all bug reports and assess their potential impact, if any, before rejecting them.

Q: Do you provide audits?

A: We do not provide software audits but can provide introductions to auditing firms for our clients.

Q: Should we have a bug bounty program while an audit is ongoing?

A: We generally recommend against having a bug bounty program during an audit with a set end date, as you may receive duplicate reports from the bug bounty program and your auditing firm. However, if you have a live product, it may be of interest to have a Critical and High bug bounty program, as there is generally a premium on time with regard to receiving bug reports of potential exploits that could lead to the loss of funds.

Q: What do we do if we find a bug ourselves?

A: It’s important to let us know whenever a bug is discovered by you, so that we can publish it as a known issue, thus barring others from submitting a bug report. However, we understand that some vulnerabilities may need to be private until the issue is fixed. For this reason, we recommend submitting a bug report to your own project through our secure dashboard so that it gets timestamped and entered into our system.