Found a significant smart contract bug in a DeFi project that has over USD 10 million in Total Value Locked (TVL) but no bug bounty program? We’re here to help.
The Immunefi Disclosure Assistance program helps you responsibly disclose significant smart contract bugs in DeFi projects to make crypto a safer place. We’ll work with you to structure your smart contract bug report, leverage our reputation to get it reviewed, and help you stay safe in case your good work is not appreciated the way it should be.
Bug bounty payouts are entirely at the discretion of the project affected, although Immunefi encourages bug bounty payouts for valid bug reports.
The fine print: Immunefi provides Disclosure Assistance on a best effort basis. Immunefi provides Disclosure Assistance as a service to the community. Immunefi receives no compensation for any of its activities under the Disclosure Assistance program. Immunefi cannot guarantee a response from the affected project for bugs submitted through Disclosure Assistance. Immunefi cannot make any guarantees regarding timelines for a bug fix and/or bounty payout; delays may be significant for bugs reported in projects that do not have established programs and procedures. Immunefi does not make the final decision regarding whether a bug reported through the Disclosure Assistance program will be paid out; that decision is made by the affected project. Although Immunefi advocates that valid bugs be paid out, Immunefi is not able to guarantee a payout for bugs submitted through the Disclosure Assistance program.
We assess the impact of all bug reports through the Disclosure Assistance program based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from the consequence of exploitation to the privilege required and the likelihood of a successful exploit. However, for the Disclosure Assistance program, only smart contract bugs are considered.
The scope of our Disclosure Assistance program covers only DeFi smart contract bugs that result in the loss of user funds, either by loss of access or by theft. Due to the resources needed to run this program, we are only able to provide this assistance for projects with a TVL of at least USD 10 million.
Here’s a list of the vulnerability types that we accept, to give you a better idea of what we are able to support. However, this is by no means an exhaustive list of all vulnerabilities that are accepted in the program.
Smart Contracts/Blockchain
The following vulnerabilities are not accepted by our Disclosure Assistance program.
We also generally do not work with bug reports that have violated any of our standard rules: