Responsible Publication Policy
Immunefi’s Responsible Publication Policy provides clarity about the degree to which non-public information regarding bug bounty programs and bug reports may be discussed publicly.
This article is split into several parts:
Can I Publish?
We want to give greater choice and flexibility to projects to choose Publication Categories that are right for them, but we also want to make things clear for whitehats. The table below will give you a clearer idea of your rights under Responsible Publication.
- Each project on Immunefi has its own disclosure category that must be referenced when looking to disclose information on bug reports or bug bounty programs. You can find this information on the project's bug bounty page.
- Projects that do not have Responsible Publication mentioned in the Program Overview section adhere to the Legacy Publication Policy.
- Some projects on Immunefi have Legacy Publication Policies that prohibit publishing any bug report information without consent from the project. Those conditions are clearly stated in those bug bounty programs.
Can I publish? | RP Category 1 | RP Category 2 | RP Category 3 | Legacy |
---|---|---|---|---|
Fixed and paid report | Publish at will | 21-day Project notice/review | Project approval required | Publish at will |
Duplicate/Known Issue | No | No | No | No |
Closed by project as out of scope/no fix | Publish at will | Publish at will | Project approval required | Publish at will |
Closed by Immunefi | No | No | No | No |
Immunefi Mediation Summary differs from the Project's position and the Project does not accept it | Publish at will | Publish at will | Publish at will | Publish at will |
Report not resolved within 90 days of escalation, unless mediation is ongoing | Publish at will | Publish at will | Publish at will | Publish at will |
What Can I Publish?
Category 1: Transparent
You can immediately publish screenshots of the:
- Payout Amount
- Severity
- Project Name
Upon confirming the report being paid and fixed or closed as out of scope or no-fix, you can then publish:
- Initial bug report submission
- Immunefi's Mediation Summary in the bug report thread
- A summary of the Project's response(s)
Category 2: Notice Required
You can immediately publish screenshots of the:
- Payout Amount
- Severity
If you want to mention the project name and/or write about the details of the bug report, you have to give the project a 21-day review period first in the Immunefi Dashboard before you publish. Then you can disclose:
- Project Name
- Initial bug report submission
- Immunefi's Mediation Summary in the bug report thread
- A summary of the Project's response(s)
Category 3: Approval Required
You can immediately publish screenshots of the:
- Severity of the report
You cannot publish the payout amount or project name. You must get explicit permission from the project in the Immunefi Dashboard to write a bugfix review or post any other information anywhere about the bug report. Upon getting this consent, you can then disclose:
- Payout amount
- Project name
- Initial bug report submission
- Immunefi's Mediation Summary in the bug report thread
- A summary of the Project's response(s)
Global Standards
The following Global Standards apply across all Publication Categories.
- Bug report intellectual property remains with the whitehat. Right of publication, however, is determined by whichever publication category the project chooses.
- For the sake of clarity, all parties (Whitehat, Project Owner, and Immunefi) shall abide by the applicable publication category for each bug bounty program.
- Nothing in this Responsible Publication Policy modifies in any way Immunefi’s right to collect and make use of anonymized information regarding bug bounty programs and bug reports.
- It is recommended that Whitehats send any publication they make to projects for review in the bug report submissions thread, but it is not always mandatory.
What If I Break The Rules?
Violating the Legacy or Responsible Publication Policies merits, at minimum, a final warning and may result in a permanent ban; it could also result in the loss of your bug bounty reward for the report in question and the closure of all your other reports.
---
If you have questions about a project’s Responsible Publication category, ask Immunefi in your bug report submission thread or email [email protected].
We're happy to help you to figure out how you can celebrate your bug bounty win.