Published in


Your First Day As A Bug Bounty Hunter On Immunefi

Who We Are

Blockchain and the Web3 Security Revolution

Platform Basics

  • Spray-and-pray bug reports: submitting low-quality bug reports to as many projects as possible to get a payout. Why? The Immunefi platform offers the world’s highest payouts. But in return, it expects whitehat hackers to submit very high-quality, complete reports to earn those massive payouts. Read this article here to learn what a high-quality bug report looks like. It includes a template you can follow.
  • Submitting ChatGPT/AI/auto-generated bug reports. Why? ChatGPT is not trained on the right data. It is incapable of smart contract technical analysis and building proper Proofs of Concept. This means that we treat ChatGPT and other automated reports as spam, and spam on Immunefi results in an instant ban.
  • Testing on mainnet or testnet: running test exploit code against projects on mainnet or testnet. Why? The blockchain is a public and live environment. Tests on mainnet can impact projects’ live smart contracts. Additionally, any tests on mainnet or testnet can be seen by everyone, meaning they can be copied to exploit and damage the project. It is essential to write a PoC for your bug report that forks a local copy of the blockchain and demonstrates the exploit in a safe, private manner. To learn more, read our article about PoC guidelines and rules.
  • Misrepresenting your report: listing the severity of all bug reports as critical, regardless of how trivial the issue is. Why? On Immunefi, this behavior will get you warned or banned, because being accurate, realistic, and truthful are core principles at Immunefi. If whitehats want the world’s highest payouts, they must adhere to the highest standards.
  • Creating multiple accounts. Why? Immunefi rate-limits submissions to encourage high-quality bug reports and to reduce spam. Creating multiple accounts to evade these limits is an obvious rules violation and will result in a ban of all accounts associated with that whitehat.

Exploring the Bounties

Submitting a Bug Report

  1. Select the program you want to submit to, and then type the name of the program below as well.
  2. Next, choose the right target. Make sure it is an asset in scope.
  3. Then, choose the right impact. Make sure the impact is in scope on that bug bounty program’s page.
  4. After that, you’ll choose the severity. Review the vulnerability classification system here. As mentioned in the rules, it is crucial to be accurate and truthful.
  5. Now you’re in the report section. Make sure to follow the guide here on how to structure the bug report.
  6. Once you’ve finished entering the bug report, you’ll be prompted to enter your wallet address. It must be your own personal wallet address. It cannot be on an exchange.

The Lifecycle of a Report

Resources and Tips



Immunefi is the premier bug bounty platform for smart contracts and DeFi projects, where security researchers review code, disclose vulnerabilities, get paid, and make crypto safer. Immunefi removes security risk through bug bounties and comprehensive security services.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.