Immunefi
12 November 2020
Live since
Yes
KYC required
$1,250
Maximum bounty
Program Overview
Immunefi is a bug bounty platform hosted by a consortium of companies active in the cybersecurity space. It aims to make cybersecurity more accessible to the cryptocurrency industry as well as the wider cyberspace.
Immunefi is interested in securing their website, https://immunefi.com/. Primary areas of concern are around the modification of information on the website, leakage and loss of client data, and leakage of communicated information from clients to the company.
https://bugs.immunefi.com is currently out-of-scope while Immunefi launches it.
Total Bounty Pool: USD 2 500
Rewards by Threat Level
Rewards are distributed according to the exploitability level of the vulnerability and its impact based on the Immunefi Vulnerability Severity Classification System. The payout for a bug report is first calculated by the consequence the vulnerability causes with its respective percentage reward multiplied by the total bounty pool. Afterwards, the exploitability level and its respective percentage is multiplied by that amount to determine the final payout for the bug report.
| Consequence | |
|---|---|
| Deletion of site data, XSS/CSRF, ACE, loss of contract funds | 50% |
| Incorrect modification of user data | 20% |
| Leaking user data | 20% |
| DoS amplification | 10% |
| Denial of service | 10% |
| No known exploit - best practices | 10% |
| Exploitability | |
|---|---|
| No access | 100% |
| Ordinary access | 100% |
| Moderator-approved access | 20% |
| Privileged access (non-root) | 10% |
| Physical access | 1% |
Payouts are handled by Immunefi directly and are denominated in USD.
Prioritized Vulnerabilities
We are especially interested in receiving and rewarding vulnerabilities of the following types:
- Remote Code Execution
- Vertical Privilege Escalation
- XML External Entities Injection
- SQL Injection
- LFI/RFI
- Horizontal Privilege Escalation
- Stored XSS
- Reflective XSS with impact
- CSRF
- CSRF with impact
- Direct object reference
- Internal SSRF
- Session fixation
- Insecure Deserialization
- Direct object reference
- Path Traversal
- DOM XSS
- SSL misconfigurations
- SPF configuration problems
- SSL/TLS issues (weak crypto, improper setup)
- URL redirect
- Clickjacking
- Economic structuring issues (e.g flash loans)
Out of Scope & Rules
https://bugs.immunefi.com is currently out-of-scope while Immunefi launches it.
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Theoretical vulnerabilities without any proof or demonstration
- Content spoofing / Text injection issues
- Self-XSS
- Captcha bypass using OCR
- CSRF with no security impact (logout CSRF, change language, etc.)
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
- Server-side information disclosure such as IPs, server names, and most stack traces
- Vulnerabilities used to enumerate or confirm the existence of users or tenants
- Vulnerabilities requiring unlikely user actions
- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
- Lack of SSL/TLS best practices
- DDoS vulnerabilities
- Economic attacks (e.g 51% attack)
- Attacks requiring privileged access from within the organization
- Lack of liquidity
The following activities are prohibited by bug bounty program:
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. Java, external plugin) as well as websites (e.g. SSO providers, advertising networks)
- Any testing with mainnet contracts
- Any testing with public testnet contracts
- Disassembly or reverse engineering of binaries for which source code is not published
Want to help us protect crypto from hacks?
Join our whitehat community and get notified when new bounties launch on the platform