Your First Day As A Bug Bounty Hunter On Immunefi
Who We Are
Welcome to Immunefi, the leading bug bounty platform for web3. We offer legendary response times, top-notch support for our hackers, and the world’s largest bug bounty payouts.
We’ve paid out more than $65m to whitehats through our platform since we were founded in December 2020, and we have more than $100m in bounty rewards available for you to claim.
It’s your first day using our platform, so read this guide to get up to speed. By the end, you’ll know exactly what you need to do to hunt bugs on Immunefi.
Blockchain and the Web3 Security Revolution
Blockchain as a technology has swept the world. You hear about NFTs, currencies, decentralized finance (DeFi), smart contracts, wallets, protocols, centralized and decentralized exchanges, and on and on.
It’s a new universe. That new universe is built on top of code, and that code is written in languages like Solidity, Rust, and Vyper, among others.
As we know, code always has bugs and vulnerabilities.
But unlike in regular web2 apps, vulnerabilities in web3 can cause direct and catastrophic monetary losses. While in web2, a bug might result in lost data, in web3, a bug could result in hundreds of millions of dollars stolen in an instant, because those funds are sitting in decentralized smart contracts (programs running on the blockchain). If the code has a bug, malicious hackers can pull funds out of those smart contracts.
This is the fundamental reason why web3 has the largest bug bounties and payouts in the world. If a single bug could lead to a direct loss of $10 million, then it makes sense to price the bug bounty at $1 million, which is 10% of funds at risk.
That formula is called the scaling bug bounty standard, and it’s led to massive payouts:
- $10 million for a vulnerability in Wormhole
- $6 million for a vulnerability in Aurora
- $2.2 million for a vulnerability in Polygon
- $2 million for a vulnerability in Optimism
The first and most important thing to know about our platform is the rules. Make sure to read them closely. Our platform is different from most other bug bounty platforms in many ways. One of those ways is that we enforce the rules very vigorously and have a low tolerance for poor-quality bug reports.
Here are some examples of prohibited behavior that can get you banned on Immunefi:
- Spray-and-pray bug reports: submitting low-quality bug reports to as many projects as possible to get a payout. Why? The Immunefi platform offers the world’s highest payouts. But in return, it expects whitehat hackers to submit very high-quality, complete reports to earn those massive payouts. Read this article here to learn what a high-quality bug report looks like. It includes a template you can follow.
- Submitting ChatGPT/AI/auto-generated bug reports. Why? ChatGPT is not trained on the right data. It is incapable of smart contract technical analysis and building proper Proofs of Concept. This means that we treat ChatGPT and other automated reports as spam, and spam on Immunefi results in an instant ban.
- Testing on mainnet or testnet: running test exploit code against projects on mainnet or testnet. Why? The blockchain is a public and live environment. Tests on mainnet can impact projects’ live smart contracts. Additionally, any tests on mainnet or testnet can be seen by everyone, meaning they can be copied to exploit and damage the project. It is essential to write a PoC for your bug report that forks a local copy of the blockchain and demonstrates the exploit in a safe, private manner. To learn more, read our article about PoC guidelines and rules.
- Misrepresenting your report: listing the severity of all bug reports as critical, regardless of how trivial the issue is. Why? On Immunefi, this behavior will get you warned or banned, because being accurate, realistic, and truthful are core principles at Immunefi. If whitehats want the world’s highest payouts, they must adhere to the highest standards.
- Creating multiple accounts. Why? Immunefi rate-limits submissions to encourage high-quality bug reports and to reduce spam. Creating multiple accounts to evade these limits is an obvious rules violation and will result in a ban of all accounts associated with that whitehat.
Now that you’ve read the rules, it’s time to review how the rest of the platform works.
After you’ve signed up, you’ll receive an email to verify your account. Once you’ve verified your account, you can log into the Bugs Platform and navigate to the settings page.
On the settings page, you can change your password, enable 2FA, and select your username. Your username is what projects will see on bug reports, and also what will appear on the Immunefi Whitehat Leaderboard. We recommend enabling 2FA and changing your password every so often.
Two weeks after your first paid bug report, you’ll be able to see your current ranking on the settings page.
Exploring the Bounties
After you’ve modified your settings, you can head over to the Explore page, if you haven’t seen it already.
This page is where the world’s largest bug bounties live.
We have a huge set of bug bounty program filters, which you can access by clicking on the ‘Show All Filters’ dropdown menu, so you can see all programs by type of protocol or which chain that protocol operates on, among many other options. It’s great for focusing on a specific area. Additionally, you can click the ‘Sort by’ menu to sort by newest programs, oldest programs, and highest paying programs. The default view is highest paying programs.
Once you see a program you like, click the ‘View bounty’ button on the right-hand side of the page.
A project’s bug bounty page is extremely important to read before you submit any bug reports. It tells you what assets and impacts are in scope for the program. It tells you if a PoC is required. And finally, it tells you what constitutes prohibited behavior for bug reports.
You’ll also notice under the ‘Rewards by Threat Level’ section, there’s a link to the Immunefi Vulnerability Classification System. Read it and familiarize yourself with it, as it’s very distinct from the severity classification systems on other bug bounty platforms. This is because Immunefi is primarily a web3 bug bounty platform.
In short, the bug bounty program page is effectively the terms and conditions for submitting a bug report to that project on Immunefi. Make sure to read and understand it before you submit a bug report.
Submitting a Bug Report
Let’s say you’ve discovered a bug in a project’s smart contract code, and that project has a $1 million bug bounty on Immunefi.
You’re incredibly excited. You’re imagining what your future could look like with an extra million dollars: a long, much-needed vacation. A house. A car. Everyone in the community will give you massive props. All of the above.
But what needs to happen next, in order for you to get to that future?
First, you need to write a high-quality report and include a PoC, so that the project knows the vulnerability is actually real. The easier you make it for the project to understand and replicate the vulnerability on their side, the more likely it is that you’ll get a big and fast payout.
When you’re ready to submit the bug report, log in to your account and click ‘Submit report’ in the top right corner.
- Select the program you want to submit to, and then type the name of the program below as well.
- Next, choose the right target. Make sure it is an asset in scope.
- Then, choose the right impact. Make sure the impact is in scope on that bug bounty program’s page.
- After that, you’ll choose the severity. Review the vulnerability classification system here. As mentioned in the rules, it is crucial to be accurate and truthful.
- Now you’re in the report section. Make sure to follow the guide here on how to structure the bug report.
- Once you’ve finished entering the bug report, you’ll be prompted to enter your wallet address. It must be your own personal wallet address. It cannot be on an exchange.
To read more about the bug report submission process, check out our Help Desk article here.
The Lifecycle of a Report
Now that you’ve submitted your bug report, what happens next?
There are five bug report statuses that your bug report can go through.
This status indicates that your report has been successfully submitted. However, it does not mean that your report has been deemed valid.
Once your report has passed through Immunefi’s review, it will be sent to the project and changed to the ‘Escalated’ status. This means that the project still needs to review the report to determine whether or not it is valid.
From here, the project will follow up with a decision, or they will request more information. In the meantime, if you discover any additional information to support your submission, you can add a comment to the thread. Please note that projects have an SLA for acknowledgement and resolution.
This means that the project believes your report is valid, and they will pay you a reward.
However, before you confirm your wallet address with them, you should ensure that you and the project are aligned on severity level and reward amount. If there is disagreement here, you may need to request help to begin the mediation process.
This indicates that the project has sent payment to your confirmed wallet address. The report is now resolved.
If the project believes that your report is invalid or out of scope, they will close the report.
If you disagree with this decision, you can continue the conversation by replying to ‘All participants’ in the comment section. You can also click the “Request Help” button in the bug report to request mediation assistance from Immunefi.
These are the five statuses.
One of the most common questions we get from whitehats is: how often should I expect to hear an update on my bug report?
As mentioned, projects on Immunefi have a Service Level Agreement (SLA) that determines when they must respond to bug reports, according to the following table:
In some cases, it takes longer than normal to get your bug report resolved. Let us know if a project is not meeting their SLA, and the Account Management team at Immunefi will step in to help move the process along.
Visit our Help Center if you would like more information on how and when to request help with your submitted bug report.
Resources and Tips
Want to learn more about smart contract hacking and talk to some of the best whitehats in the world?
Here are some resources you need to follow to learn everything you need to know.
- Join our Discord.
- Follow our Twitter account.
- Check out the Web3 Security Library hosted by Immunefi.
- Read our Medium to see bugfix reviews and hack analyses.
- Read Hacking the Blockchain: Ethereum.
That’s all for now.