Welcome to Web3, cybersecurity’s most rewarding frontier

On Immunefi, hackers secure Web3, save funds from theft, and get paid the world's largest bug bounties.

What is Immunefi?

Immunefi is the leading bug bounty platform for Web3 with the world’s largest bug bounties. We offer legendary response times and top-notch support for our hackers.

We’re able to offer the world’s largest bounties because the Web3 assets we protect – blockchains, NFT projects, smart contracts – are the world’s most valuable assets.

A vulnerability in a smart contract holding $800 million represents an incredibly valuable asset, a potential big bounty payout, and a revolution in cybersecurity. That’s why we call it the Web3 Security Revolution.

One of our whitehats, Leon Spacewalker, was paid $2.2 million for a critical bug he found in Polygon.

How Does Immunefi Work?

It’s pretty straightforward.

  1. Explore bounties

We have over $73m in bug bounties available with the best projects in Web3. Explore our bounties and find programs that best match with your skills.

  2. Review code

Read bounty requirements and review code that’s in scope. Out of scope bugs do not get paid.

  3. Submit bugs

When you find a vulnerability, create an account and submit the bug via the Immunefi bugs platform. We have the fastest response time in the industry.

  4. Get paid

After confirming the validity of the bug, we'll work with you and the client to fix it and get you paid for your hard work.

If you’re looking for more information on how to create the best bug report submissions, you can check out our guide: A Hacker’s Guide to Submitting Bugs on Immunefi.

Why Hunt on Immunefi

  • Immunefi has the largest bug bounties on any platform, period. Since we started, we’ve already paid out more than $10,000,000 in bounties.
  • Web3 vulnerabilities are the highest-stakes puzzles in the world. Find a bug and prove that there's no challenge you can't crack.

FAQ

I'm working with another hacker on a bug. When we submit our bug, how do we handle splitting bounties?

Currently, splitting is a manual process. The bounty payment is sent to one address, and the whitehats can decide how to split it from there.

Why did I get a warning?

You probably violated one of our rules, but the violation wasn’t serious enough to merit a full ban. Three warnings will result in a permanent ban from the platform. Remember, each bug bounty program also has its own set of rules, which are available on each bug bounty page.

Why did I get banned?

As an elite bug bounty platform, we offer our hackers a lot of one-on-one support and treat them well. If you’ve been banned, it’s because you’ve violated some of our most important rules, probably repeatedly. Read our rules here to make sure you don’t violate them, and most importantly, don’t test exploits on mainnet or public testnet. Each bounty program page also has its own set of rules unique to that program.

Can I go public with my find if the project doesn’t consider it to be a bug?

Yes.

Can I go public with my find if the project considers the bug a duplicate?

No.

What happens if projects decide not to pay?

Bug bounties are very new in the Web3 space, so projects are still learning how to run successful and ethical bug bounty programs. Rarely, a project will decide not to pay. We will do everything we can to encourage projects to act ethically and responsibly, but if a project is generally non-responsive, we will remove them from our platform.

How fast does Immunefi respond to bug reports?

The fastest in the industry.

The project is being slow responding to my bug report. How do I get support?

When projects join Immunefi, they sign a Service Level Agreement which governs receipt, decision, and payout times. Please ping Immunefi in the bugs platform dashboard on your bug report if a project is taking longer than is allowed by the table below.

Action                    Severity Level                        Response Time
Receipt of report         Critical                              48 hours
                          All severity levels except critical   3-4 days, depending on holidays/weekends
Decision on report        High + Critical                       Up to 14 days
                          Low + Medium                          Up to 7 days
Payout for valid reports  High + Critical                       Within 14 days
                          Low + Medium                          Within 7 days

How do I learn more about smart contract/blockchain hacking?

This is a big topic, but here are some simple steps to get started:

- Follow our Twitter account for educational resources, as well as the hashtag #immunefischool
- Join our Discord and learn from the top Web3 hackers
- Read through bugfix postmortems on our Medium to see a technical analysis of bugs that were reported and fixed via Immunefi
- Check out our blog post Hacking the Blockchain: An Ultimate Guide
- Check out the resources for learning smart contract hacking on our site

Why doesn’t Immunefi have more web assets in scope?

Immunefi is first and foremost a bug bounty platform for Web3, which includes blockchains themselves, NFT projects, and smart contracts in DeFi. The projects whose bounty programs we host often want their websites secured as well, but their main focus – and ours – is to protect their Web3 assets. That’s what sets us apart, and that’s what allows us to host the world’s largest bug bounties.

How do payouts work, and are they done only in crypto?

Projects only make payouts in crypto. Each project’s bug bounty program page on Immunefi specifies exactly what the payout terms are. Sometimes, the payouts are done in stablecoins like USDC (1 USDC is equivalent to one U.S. dollar). Other times, payouts are made in that project’s native token. Occasionally, it’s a mix of both, or BTC/ETH.

Can I contact the project directly about a bug that I find?

No. In fact, doing so is against the rules and could result in a warning or a ban. Contacting a project directly is a rules violation because projects host their bug bounties on Immunefi specifically so that all communication is handled through our secure platform.

Additionally, contacting a project before submitting to Immunefi is also considered a violation and will result in no payout.

I think I’ve found a vulnerability, but I’m not sure. Can I share it with someone?

Do not share it on a public channel. You can share it privately with another whitehat you trust, but you will be held responsible if the vulnerability is leaked and exploited.

If you consult with another whitehat, it’s your responsibility to figure out how to split any bounty. Immunefi and the project will not mediate in any dispute.

Is KYC required?

KYC isn’t required by default, and the vast majority of projects don’t require KYC. However, a few projects do.

When a program lists a website in scope, are other directories in scope? And subdomains?

All directories on the listed host (site.com/something) are included by default, but subdomains (something.site.com) are not, unless the program specifies otherwise.
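The default scope rule above is easy to get wrong when triaging a list of URLs by hand, so here is an added example (not Immunefi's own tooling) that encodes it: every path and port on a listed host is in scope, and a subdomain only counts when the program has opted in. The scope entry and the candidate URLs are constructed samples.

```python
"""Decide whether a URL falls inside a program's listed web scope.

Added example, not Immunefi's code. Default rule: any path on a listed host
is in scope; subdomains are out of scope unless include_subdomains is set.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def host_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "//" + url  # urlsplit only parses a netloc after '//'
    # .hostname is lowercased, drops the port, and ignores any user@ prefix,
    # so "https://site.com@evil.example/" resolves to evil.example, not site.com.
    return urlsplit(url).hostname


def in_scope(scope_hosts: List[str], url: str, include_subdomains: bool = False) -> bool:
    """True when the URL's host is exactly a listed host or, if the program
    opted in, a subdomain of one. Paths and ports never affect the answer."""
    host = host_of(url)
    if host is None:
        return False
    for listed in scope_hosts:
        listed = listed.lower().strip(".")
        if host == listed:
            return True
        # endswith('.' + listed) rejects look-alikes such as evilsite.com
        # and site.com.attacker.example, which do not end in ".site.com".
        if include_subdomains and host.endswith("." + listed):
            return True
    return False


def triage(scope_hosts: List[str], urls: List[str],
           include_subdomains: bool = False) -> Dict[str, bool]:
    """Map each candidate URL to its in-scope verdict."""
    return {u: in_scope(scope_hosts, u, include_subdomains) for u in urls}


if __name__ == "__main__":
    SCOPE = ["site.com"]  # constructed scope entry
    CANDIDATES = [       # constructed candidate URLs
        "https://site.com/something",
        "https://site.com:8443/admin/",
        "https://something.site.com/",
        "https://site.com.attacker.example/",
        "https://evilsite.com/",
        "https://site.com@evil.example/",
    ]
    for url, ok in triage(SCOPE, CANDIDATES).items():
        print(f"{'in scope ' if ok else 'OUT      '} {url}")
```

Run it once with the default and once with `include_subdomains=True` to see which candidates flip; the look-alike hosts stay out of scope in both modes because the comparison is on the whole hostname, not on a substring.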

How do I create a wallet to receive payments for my bug finds?

We require that hackers use a wallet that is an externally owned account (EOA) to receive payment. We don't require that hackers use any particular wallet software, so long as the hacker is able to submit transactions and make signatures from that address.

Important: smart contract wallets are not supported. Centralized exchange (CEX) wallets are not supported. If you submit a smart contract or CEX wallet on the submission form, you're at your own risk. If your bounty payment goes into a black hole, we cannot retrieve it for you.

For non-EVM projects, it’s ok to enter all zeroes as the wallet address and then put the actual wallet address in the bug report.
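Since a payout sent to a smart contract or exchange address cannot be recovered, it is worth checking the address before putting it on the submission form. The following is an added example (not Immunefi's code) of how to do that on an EVM chain: the standard Ethereum JSON-RPC method eth_getCode returns "0x" for an externally owned account and the deployed bytecode for a contract. The RPC URL is a placeholder and the SAMPLES responses are constructed, so the script runs offline; with a live node you would call `classify_address(addr, fetch_code(RPC_URL, addr))`.

```python
"""Check that a payout address is an externally owned account (EOA).

Added example, not Immunefi's code. Uses eth_getCode: an EOA has no deployed
bytecode, so the node returns "0x"; a smart contract wallet returns its code.
"""
import json
import re
from typing import Dict
from urllib.request import Request, urlopen

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
ZERO_ADDRESS = "0x" + "0" * 40  # all-zeroes placeholder used for non-EVM payouts


def is_valid_address(addr: str) -> bool:
    """Syntactic check only: 0x prefix plus 40 hex digits."""
    return bool(ADDRESS_RE.match(addr))


def build_get_code_request(addr: str, request_id: int = 1) -> dict:
    """JSON-RPC body asking the node for the bytecode at addr on the latest block."""
    return {"jsonrpc": "2.0", "id": request_id,
            "method": "eth_getCode", "params": [addr, "latest"]}


def fetch_code(rpc_url: str, addr: str) -> str:
    """Send the request to a node; only used when a live endpoint is configured."""
    body = json.dumps(build_get_code_request(addr)).encode()
    req = Request(rpc_url, data=body, headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)["result"]


def classify_code(code_hex: str) -> str:
    """'eoa' when no bytecode is deployed, 'contract' otherwise."""
    body = code_hex[2:] if code_hex.startswith("0x") else code_hex
    return "eoa" if body == "" else "contract"


def classify_address(addr: str, code_hex: str) -> str:
    """Combine the syntax check, the all-zeroes placeholder rule and the bytecode result."""
    if not is_valid_address(addr):
        return "invalid"
    if addr.lower() == ZERO_ADDRESS:
        return "placeholder"  # non-EVM: the real address goes in the bug report
    return classify_code(code_hex)


# Constructed sample eth_getCode results keyed by address (not real accounts).
SAMPLES: Dict[str, str] = {
    "0x" + "ab" * 20: "0x",                   # plain EOA
    "0x" + "cd" * 20: "0x6080604052348015",   # start of typical contract bytecode
    ZERO_ADDRESS: "0x",                       # non-EVM placeholder
    "not-an-address": "0x",                   # fails the syntax check
}

if __name__ == "__main__":
    RPC_URL = "https://rpc.example.invalid"  # placeholder; not contacted here
    for addr, code in SAMPLES.items():
        print(f"{addr}: {classify_address(addr, code)}")
```

Two caveats apply when you use this against a real node. An empty result only says there is no code at that block, so an address that will later receive a counterfactual deployment still passes. And an EOA that has set an EIP-7702 delegation returns a short designator as its code, so this check reports it as "contract"; for deciding where to receive a bounty that is the conservative outcome.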